Secure a REST webservice Spring application using OpenAM OAuth2

This topic has 8 replies, 4 voices, and was last updated 3 years, 6 months ago by [email protected].


    I have an existing Spring based RESTful web service application which is protected by OAuth 2.0 using Spring Security. Now, I am planning to migrate the users from the current database to OpenAM. Once that is done, I want to protect the same Spring based RESTful web service using OpenAM’s OAuth 2.0.
    Current flow is:
    1) Get an OAuth token from the application’s OAuth endpoint
    2) Use this token for calling the REST APIs exposed by the application

    What I want is:
    1) Get an OAuth token from OpenAM
    2) Use this token for calling the REST APIs exposed by the application

    I have gone through the OpenAM OAuth docs and I am not sure whether this is possible. Is this integration possible? If so, is there any documentation or sample link?

    • This topic was modified 6 years, 8 months ago by nkarthik82.
     Scott Heger

    Absolutely. OpenAM is written to comply with the OAuth 2.0 specification. If you are using OAuth 2.0 now it will be just a matter of setting up the OAuth2 Provider in OpenAM, creating your OAuth 2.0/OpenID Connect Client profile, and then building the appropriate REST calls to OpenAM from within your existing application.

    What grant flow are you currently using to obtain your access token?

    The OpenAM documentation around OAuth (!/docs/openam/12.0.0/dev-guide/chap-rest-oauth2-oidc) should be used in conjunction with the OAuth 2.0 specification documentation ( to get the full picture.


    We use Client Credentials (client_credentials) and Resource Owner Password Credentials Grant (password).

    Right now, we use the Spring Security OAuth implementation to generate the access token. Then, we pass this token in the header for making REST API calls.
    I don’t get how Spring will be able to validate the access token passed in the request header with the OpenAM server.


    I forgot to mention. Our application is a Spring REST service which gets data from a DB which is outside OpenAM. So, we can say it is a service provider.
    Different clients use this REST service for doing CRUD operations on the database and right now, it is protected using Spring OAuth, which generates and validates the access token.
    Now, we are planning to move the user details alone to OpenAM from the current DB so that clients can directly generate an access token using OpenAM. But, once they get the token, they will pass it in the request header to the Spring REST service for doing CRUD operations.
    What I want to know is how Spring can validate the token. Should I write some custom module in Spring to do this, or can I directly remove Spring Security and trust OpenAM for validating the token?
    If OpenAM can validate the token, how will it handle the communication between the web services and OpenAM?


    OpenAM provides the following three OAuth 2.0 endpoints, with the last one, tokeninfo, used for validating tokens:

    • Authorization endpoint, defined in RFC 6749, used to obtain an authorization grant from the resource owner
    • Token endpoint, defined in RFC 6749, used to obtain an access token from the authorization server
    • tokeninfo endpoint, not defined in RFC 6749, used to validate tokens and to retrieve information such as scopes

    Given an access token, a resource server can perform an HTTP GET on /oauth2/tokeninfo?access_token=token-id to retrieve a JSON object indicating token_type, expires_in, scope, and the access_token ID.
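    The tokeninfo check described above, as an added example of the resource server’s side of it (not code from this thread or from ForgeRock). It assumes only the response fields the post names; the OpenAM host, the error body and the sample token records are constructed. The same checks are what a per-request filter in the Spring service would run before serving a CRUD call.

```python
# Added example: resource-server-side check of an OpenAM /oauth2/tokeninfo answer.
# Assumes the fields the post names (token_type, expires_in, scope, access_token);
# host, error shape and sample values below are constructed, not OpenAM output.
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional
OPENAM_BASE = "https://openam.example.com/openam"  # placeholder deployment URL
class TokenRejected(Exception):
    """Resource server must answer 401/403 instead of serving the request."""

def bearer_from_header(authorization: Optional[str]) -> str:
    """Token from 'Authorization: Bearer <token>'; '' if absent or another scheme."""
    scheme, _, token = (authorization or "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""

def fetch_tokeninfo(access_token: str) -> dict:
    """GET /oauth2/tokeninfo?access_token=... and return the JSON body."""
    query = urllib.parse.urlencode({"access_token": access_token})
    try:
        with urllib.request.urlopen(OPENAM_BASE + "/oauth2/tokeninfo?" + query, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # invalid token: non-2xx with a JSON error body
        return json.load(err)

def authorize(access_token: str, required_scopes: set,
              tokeninfo: Callable[[str], dict] = fetch_tokeninfo) -> dict:
    """Validate one request's token: return the claims or raise TokenRejected.
    `tokeninfo` is injectable so the logic can run without a live OpenAM."""
    if not access_token:
        raise TokenRejected("no bearer token presented")
    info = tokeninfo(access_token)
    if "error" in info or info.get("access_token") != access_token:
        raise TokenRejected("authorization server did not recognise this token")
    if int(info.get("expires_in", 0)) <= 0:
        raise TokenRejected("token has expired")
    scope = info.get("scope", [])  # OpenAM sends a list; tolerate a space-separated string
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = required_scopes - granted
    if missing:
        raise TokenRejected("insufficient scope, missing: " + " ".join(sorted(missing)))
    return info

# Constructed stand-in for OpenAM so the check runs offline; these are not real tokens.
SAMPLE_TOKENINFO = {
    "good-1": {"token_type": "Bearer", "expires_in": 599, "scope": ["read", "write"], "access_token": "good-1"},
    "old-1": {"token_type": "Bearer", "expires_in": 0, "scope": ["read"], "access_token": "old-1"}}
def fake_tokeninfo(token: str) -> dict:
    return SAMPLE_TOKENINFO.get(token, {"error": "invalid_request"})
```

    Every request costs one round trip to OpenAM with this approach, so a short-lived cache keyed on the token (never longer than expires_in) is the usual next step.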


     Scott Heger

    Posted the previous comment from the wrong account. :)


    So, the only option that I could think of is to write a custom module in my application which can get tokens from OpenAM and validate the token using /oauth2/tokeninfo for every request.
    Am I right?
    I thought we could directly protect the web services using OpenAM OAuth, similar to how we protect web applications with login pages.

     Scott Heger

    You are correct, you will either have to build your own module or find some other library that you could use that would handle this for you. ForgeRock doesn’t provide any sort of “agent” for OAuth based web services like they do for web applications.


    Hi Scott,

    I am doing a POC with OpenAM and wanted to protect some sample REST API endpoints as below.

    1. Spring Boot client application with features (Login, Logout, Authorization*) in which the user can successfully authenticate to OpenAM using the http://…/authenticate endpoint and receive an SSO token. I am stuck at the authorization part.

    2. OpenAM as authorization server, where we have enabled OAuth 2.0 with client id & secret. Also, resource owner/user information is present there. Do I need to add a Java agent to the resources (sample REST endpoints), or do I have to use some filter to accept the JWT token? Appreciate your help and guidance here.

    3. Spring Boot application exposing sample REST endpoints which will act as the resource server.

    I am asked to use JWT + JWKS to access these sample REST endpoints, protected with different users. I am stuck on how to get the access token to access the protected REST endpoints.

    • This reply was modified 3 years, 6 months ago by [email protected]. Reason: content was blank
©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries.