Currently, I’m using a slef-made oauth2 server using oltu project. Nevertheless, seems that oltu is destinated to shrink.
I’m thinking about using Auth0 and I’ve read a bit about it. It’s running in my head use this platform in order to get authentication and authorization into my web apis.
I’ve created several JAXRS API. Currently, into my JAXRS services I’ve created a Filter that checks whether the access token is valid.
@WebFilter(dispatcherTypes = {DispatcherType.REQUEST },...)
public class BearerFilter implements Filter
{
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
OAuthAccessResourceRequest oauthResourceRequest;
//check access token here...
}
}
However, using Auth0, how should I get current access tokens from?
The Auth0 service among others, supports the OAuth 2.0 protocol so it can act as the authorization server that client applications that want to call into your API’s will use to obtain the necessary access tokens.
The four core grants (implicit, authorization code, resource owner password credentials and client credentials) in OAuth 2.0 are supported so if client applications are already using any of those grants the migration should be simple. There’s also support for PKCE version of authorization code grant in case you have native client applications.
At this time, for API’s (resource servers) you register, the service supports issuing JWT access tokens using either HS256 or RS256 so again if your API’s were already accepting bearer access tokens in a JWT format and using one of those signing algorithms the migration will be straightforward. Have in mind that the recommended approach to send an access token to the associated API is to make use of the HTTP Authorization header so the OAuthAccessResourceRequest in Oltu probably just gets it from there, however, if you have access to the headers it should be simple to obtain the access token withou Oltu helpers either manually or using other more generic helpers.
Have in mind that in addition to OAuth 2.0 the OpenID Connect protocol is also supported so client application can perform an end-user authentication and authorization request in one go and get both end-user profile information and the access token to call the relevant API.