Java — OAuth

A project at work required me to develop code which would allow us to send HTTP requests to an external gateway, in order to validate a product before we received and dispatched it.

This functionality had been implemented previously; however, due to Brexit, the gateway changed from the European gateway to a UK-only gateway (truly patriotic).

In order to do this, I had to switch to OAuth 2.

I ran into some difficulty achieving this. My current implementation used HttpPost objects back from Java 1.6. Methods to add headers and bodies were deprecated and things were more difficult than they needed to be.

The Apache Oltu OAuth2 client was much simpler to use and had an intuitive API.
The jar files needed for this are:

  • org.apache.oltu.oauth2.client

What is OAuth2

OAuth2 is an authorization framework for HTTP requests.
Consider HTTP services such as Facebook or GitHub. These services have user accounts, and quite often third-party applications want to access a limited subset of the data in those accounts. Without a delegation mechanism, the user would have to hand their security credentials for that account to the third-party application in order for it to access the data.

OAuth2 avoids this by delegating the authorisation to the service which hosts the user account. Once the user has authorised the request, the service returns an access token to the third-party application. That token grants the application limited access to the service's API, and so to the protected resources the application needs, without the application ever seeing the user's credentials.

The diagram below shows the basic workflow of an OAuth2 request. Usually the application server and the resource server are the same service.

Application Registration

If you are developing a third party application and you want to consume a service which uses OAuth2 as its authorisation mechanism, then you must first register your application with that service. They will require some details, such as:

  • Application Name

After your application is registered, the service issues your application a Client ID and a Client Secret. These credentials are sent with requests to the server, so the server can verify that the request comes from a registered application.

Grant Types

There are 4 grant types supported by OAuth2. Each is useful in certain circumstances.

  • Authorisation Code — Used with server side applications

Refresh Token

When an access token expires, a new one must be requested. This is done with a similar HTTP request to the same endpoint, sending the refresh token in place of the original grant.
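To show how the Oltu client listed above is used for both the initial token request and the refresh just described, here is an added example; it is not code from the original post. It assumes a hypothetical token endpoint URL, that the gateway issued a Client ID and Client Secret at registration, and that it accepts the client-credentials grant for this server-to-server case.

```java
import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthJSONAccessTokenResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;

/** Fetches an access token from the gateway and refreshes it before it expires. */
public class GatewayTokenManager {
    // Hypothetical token endpoint; the real URL comes from the gateway's documentation.
    private static final String TOKEN_URL = "https://gateway.example/oauth/token";
    private static final long REFRESH_MARGIN_MS = 60_000; // refresh a minute early
    private final String clientId;
    private final String clientSecret; // load from a secrets store, never hard-code it
    private final OAuthClient client = new OAuthClient(new URLConnectionClient());
    private String accessToken, refreshToken;
    private long expiresAtMs; // 0 = no usable token yet

    public GatewayTokenManager(String clientId, String clientSecret) {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Returns a token valid for at least REFRESH_MARGIN_MS, refreshing or re-authorising if needed. */
    public synchronized String getAccessToken() throws OAuthSystemException, OAuthProblemException {
        long now = System.currentTimeMillis();
        if (accessToken != null && now < expiresAtMs - REFRESH_MARGIN_MS) {
            return accessToken;
        }
        OAuthClientRequest.TokenRequestBuilder builder = OAuthClientRequest.tokenLocation(TOKEN_URL)
                .setClientId(clientId).setClientSecret(clientSecret);
        if (refreshToken != null) {
            // Expired: same endpoint, grant_type=refresh_token plus the stored refresh token.
            builder.setGrantType(GrantType.REFRESH_TOKEN).setRefreshToken(refreshToken);
        } else {
            // First request: machine-to-machine, so the client-credentials grant fits.
            builder.setGrantType(GrantType.CLIENT_CREDENTIALS);
        }
        OAuthJSONAccessTokenResponse response = client.accessToken(builder.buildBodyMessage());
        accessToken = response.getAccessToken();
        // Servers may rotate the refresh token; keep the old one only if none was returned.
        if (response.getRefreshToken() != null) refreshToken = response.getRefreshToken();
        // expires_in is optional; if absent, treat the token as needing a refresh on next use.
        Long ttl = response.getExpiresIn();
        expiresAtMs = ttl == null ? 0 : now + ttl * 1000;
        return accessToken;
    }
}
```

The token endpoint must be HTTPS, since the client secret and refresh token travel in the request body; a refresh that fails with an OAuthProblemException (for example a revoked refresh token) should clear the stored tokens so the next call falls back to the initial grant.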

More information on the topic can be found here
