Securing API requests with OAuth2 using Java 11’s HttpClient
involves obtaining an access token from the OAuth2 provider and including it in the header of your HTTP requests. Here’s a step-by-step guide:
1. Understand OAuth2 Flow
OAuth2 involves several flows (e.g., Authorization Code, Client Credentials, etc.). For simplicity, we’ll focus on the Client Credentials Grant flow where your application (client) authenticates with the OAuth2 provider and retrieves an access token for API calls.
2. Dependencies
You don’t need external dependencies unless you choose to use a library (like Spring Security). Java 11’s HttpClient
can directly process token requests.
3. Steps to Secure API Requests
Obtain Access Token
To obtain an access token, make a POST request to the OAuth2 token endpoint with the required parameters:
client_id
: Your application’s client ID.client_secret
: Your application’s secret key.grant_type
: For example,client_credentials
.
Use the Access Token in API Requests
Once you have the access token, include it in the Authorization
header of your requests.
4. Sample Code
Here’s an example of how to secure API requests with OAuth2 using Java 11’s HttpClient
:
package org.kodejava.net.http;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
public class OAuth2HttpClient {
public static void main(String[] args) throws Exception {
// OAuth2 Token Endpoint and Client Details
String tokenEndpoint = "https://your-oauth2-provider.com/token";
String clientId = "your-client-id";
String clientSecret = "your-client-secret";
String scope = "your-api-scope";
// Step 1: Obtain Access Token
String accessToken = getAccessToken(tokenEndpoint, clientId, clientSecret, scope);
// Step 2: Use Access Token for API Request
String apiEndpoint = "https://api.example.com/secure-resource";
sendSecureApiRequest(apiEndpoint, accessToken);
}
private static String getAccessToken(String tokenEndpoint, String clientId, String clientSecret, String scope) throws Exception {
// Create request body
String requestBody = "grant_type=client_credentials" +
"&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8) +
"&client_secret=" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8) +
"&scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8);
// Create HttpClient and HttpRequest
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(tokenEndpoint))
.header("Content-Type", "application/x-www-form-urlencoded")
.POST(HttpRequest.BodyPublishers.ofString(requestBody))
.build();
// Send request and parse response
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
if (response.statusCode() == 200) {
// Extract access token from JSON response
String responseBody = response.body();
return extractAccessToken(responseBody);
} else {
throw new RuntimeException("Failed to get access token. Status: " + response.statusCode() + ", Body: " + response.body());
}
}
private static String extractAccessToken(String responseBody) {
// Parse JSON response to extract the "access_token" (you can use a library like Jackson or Gson)
// For simplicity, assume the response contains: {"access_token":"your-token"}
int startIndex = responseBody.indexOf("\"access_token\":\"") + 16;
int endIndex = responseBody.indexOf("\"", startIndex);
return responseBody.substring(startIndex, endIndex);
}
private static void sendSecureApiRequest(String apiEndpoint, String accessToken) throws Exception {
// Create HttpClient and HttpRequest
HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(apiEndpoint))
.header("Authorization", "Bearer " + accessToken)
.GET()
.build();
// Send request and print response
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println("API Response Status: " + response.statusCode());
System.out.println("API Response Body: " + response.body());
}
}
5. Explanation
- Obtaining Access Token:
- A POST request is sent to the token endpoint with appropriate parameters in the body.
- The response typically returns an access token in JSON format.
- Secure API Request:
- Include the token in the
Authorization
header asBearer <token>
in subsequent requests to the secured API.
- Include the token in the
- Error Handling:
- If the token request or API request fails, handle the error gracefully (e.g., retry or log).
6. Security Tip
- Never hardcode
client_id
orclient_secret
in your code. Store them securely (e.g., environment variables or a secrets manager). - If you handle sensitive data, ensure your OAuth2 provider supports HTTPS.