Client endpoints are protected by Spring Security, therefore it redirects the
request to login endpoint
Browser tries to load login page
Client delegates the authorization to OAuth server
OAuth flow technically starts here. state is randomly
generated by Spring. client_id is configured in Client’s application
Since User is not authenticated yet Spring shows basic dialog asking for user
name and password.
User types dave:secret. These are credentials stored in Server database.
Authorization header here contains User credentials.
Server verifies User credentials and creates session.
The authorization page gives User a choice to authorize or deny Client.
User clicks Authorize button.
Server creates a new session, generates a random code, and redirects the
response to redirect_uri supplied on step 7.
Browser, with Client and Server sessions saved in cookies, gets the redirected Client URI.
Spring OAuth Client requests access token implementing
RFC6749 Section 4.1.3. Client authenticates itself through
Authorization header passing credentials configured in Client application
Server verifies Client credentials stored in the database and
exchanges authorization code for access token implementing
RFC6749 Section 4.1.4. scope is populated from the
corresponding database column.
Although it’s not a part of RFC6749, Client sends access token verification
request to Server. Once again Client authenticates itself through
Server verifies Client credentials and access token and responds with User/Client metadata.
Client redirects User browser to the URL requested initially on step 1. It also
resets the session.
This step is the same as step 1 but with valid Client and Server sessions.
As a part of business logic Client sends a request to Resource
server suppling bearer token as required by RFC6750 Section 2.
Resource server calls OAuth Server to verify the access token implementing
RFC7662 Section 2.1. Resource authenticates itself through
Authorization header suppling credentials configured in its application
Server verifies Resource credentials and access token and responds with
Since the access token is valid Resource server replies to Client