How do I secure API requests with OAuth2 using Java 11 HttpClient?

By Wayan in HttpClient, Java 11 0 Comment

Securing API requests with OAuth2 using Java 11’s HttpClient involves obtaining an access token from the OAuth2 provider and including it in the header of your HTTP requests. Here’s a step-by-step guide:

1. Understand OAuth2 Flow

OAuth2 involves several flows (e.g., Authorization Code, Client Credentials, etc.). For simplicity, we’ll focus on the Client Credentials Grant flow where your application (client) authenticates with the OAuth2 provider and retrieves an access token for API calls.

2. Dependencies

You don’t need external dependencies unless you choose to use a library (like Spring Security). Java 11’s HttpClient can directly process token requests.

3. Steps to Secure API Requests

Obtain Access Token

To obtain an access token, make a POST request to the OAuth2 token endpoint with the required parameters:

  • client_id: Your application’s client ID.
  • client_secret: Your application’s secret key.
  • grant_type: For example, client_credentials.

Use the Access Token in API Requests

Once you have the access token, include it in the Authorization header of your requests.

4. Sample Code

Here’s an example of how to secure API requests with OAuth2 using Java 11’s HttpClient:

package org.kodejava.net.http;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class OAuth2HttpClient {

   public static void main(String[] args) throws Exception {
      // OAuth2 Token Endpoint and Client Details
      String tokenEndpoint = "https://your-oauth2-provider.com/token";
      String clientId = "your-client-id";
      String clientSecret = "your-client-secret";
      String scope = "your-api-scope";

      // Step 1: Obtain Access Token
      String accessToken = getAccessToken(tokenEndpoint, clientId, clientSecret, scope);

      // Step 2: Use Access Token for API Request
      String apiEndpoint = "https://api.example.com/secure-resource";
      sendSecureApiRequest(apiEndpoint, accessToken);
   }

   private static String getAccessToken(String tokenEndpoint, String clientId, String clientSecret, String scope) throws Exception {
      // Create request body
      String requestBody = "grant_type=client_credentials" +
                           "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8) +
                           "&client_secret=" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8) +
                           "&scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8);

      // Create HttpClient and HttpRequest
      HttpClient client = HttpClient.newHttpClient();
      HttpRequest request = HttpRequest.newBuilder()
              .uri(URI.create(tokenEndpoint))
              .header("Content-Type", "application/x-www-form-urlencoded")
              .POST(HttpRequest.BodyPublishers.ofString(requestBody))
              .build();

      // Send request and parse response
      HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
      if (response.statusCode() == 200) {
         // Extract access token from JSON response
         String responseBody = response.body();
         return extractAccessToken(responseBody);
      } else {
         throw new RuntimeException("Failed to get access token. Status: " + response.statusCode() + ", Body: " + response.body());
      }
   }

   private static String extractAccessToken(String responseBody) {
      // Parse JSON response to extract the "access_token" (you can use a library like Jackson or Gson)
      // For simplicity, assume the response contains: {"access_token":"your-token"}
      int startIndex = responseBody.indexOf("\"access_token\":\"") + 16;
      int endIndex = responseBody.indexOf("\"", startIndex);
      return responseBody.substring(startIndex, endIndex);
   }

   private static void sendSecureApiRequest(String apiEndpoint, String accessToken) throws Exception {
      // Create HttpClient and HttpRequest
      HttpClient client = HttpClient.newHttpClient();
      HttpRequest request = HttpRequest.newBuilder()
              .uri(URI.create(apiEndpoint))
              .header("Authorization", "Bearer " + accessToken)
              .GET()
              .build();

      // Send request and print response
      HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
      System.out.println("API Response Status: " + response.statusCode());
      System.out.println("API Response Body: " + response.body());
   }
}

5. Explanation

  1. Obtaining Access Token:
    • A POST request is sent to the token endpoint with appropriate parameters in the body.
    • The response typically returns an access token in JSON format.
  2. Secure API Request:
    • Include the token in the Authorization header as Bearer <token> in subsequent requests to the secured API.
  3. Error Handling:
    • If the token request or API request fails, handle the error gracefully (e.g., retry or log).

6. Security Tip

  • Never hardcode client_id or client_secret in your code. Store them securely (e.g., environment variables or a secrets manager).
  • If you handle sensitive data, ensure your OAuth2 provider supports HTTPS.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.