import ballerina/http;

listener http:Listener securedEP = new(9090,
    secureSocket = {
        key: {
            certFile: "../resource/path/to/public.crt",
            keyFile: "../resource/path/to/private.key"
        }
    }
);

// The service can be secured with OAuth2 authentication and can be authorized
// optionally. OAuth2 authentication can be enabled by setting the
// `http:OAuth2IntrospectionConfig` configurations.
// Authorization is based on scopes. A scope maps to one or more groups.
// Authorization can be enabled by setting the `string|string[]` type
// configurations.
@http:ServiceConfig {
    auth: [
        {
            oauth2IntrospectionConfig: {
                url: "https://localhost:9445/oauth2/introspect",
                tokenTypeHint: "access_token",
                scopeKey: "scp",
                clientConfig: {
                    customHeaders: {"Authorization": "Basic YWRtaW46YWRtaW4="},
                    secureSocket: {
                        cert: "../resource/path/to/public.crt"
                    }
                }
            },
            scopes: ["admin"]
        }
    ]
}
service /foo on securedEP {

    // It is optional to override the authentication and authorization
    // configurations at the resource levels. Otherwise, the service auth
    // configurations will be applied automatically to the resources as well.
    resource function get bar() returns string {
        return "Hello, World!";
    }
}

Service - OAuth2

An HTTP service/resource can be secured using OAuth2 and by enforcing authorization optionally. Then, it validates the OAuth2 token sent in the Authorization header against the provided configurations. This calls the configured introspection endpoint to validate.
Ballerina uses the concept of scopes for authorization. A resource declared in a service can be bound to one/more scope(s). The scope can be included in the introspection response using a custom claim attribute. That custom claim attribute is also can be configured as the scopeKey.
In the authorization phase, the scopes of the service/resource are compared against the scope included in the introspection response for at least one match between the two sets.

For more information on the underlying module, see the OAuth2 module.

import ballerina/http;
listener http:Listener securedEP = new(9090,
    secureSocket = {
        key: {
            certFile: "../resource/path/to/public.crt",
            keyFile: "../resource/path/to/private.key"
        }
    }
);
@http:ServiceConfig {
    auth: [
        {
            oauth2IntrospectionConfig: {
                url: "https://localhost:9445/oauth2/introspect",
                tokenTypeHint: "access_token",
                scopeKey: "scp",
                clientConfig: {
                    customHeaders: {"Authorization": "Basic YWRtaW46YWRtaW4="},
                    secureSocket: {
                        cert: "../resource/path/to/public.crt"
                    }
                }
            },
            scopes: ["admin"]
        }
    ]
}
service /foo on securedEP {

The service can be secured with OAuth2 authentication and can be authorized optionally. OAuth2 authentication can be enabled by setting the http:OAuth2IntrospectionConfig configurations. Authorization is based on scopes. A scope maps to one or more groups. Authorization can be enabled by setting the string|string[] type configurations.

    resource function get bar() returns string {
        return "Hello, World!";
    }
}

It is optional to override the authentication and authorization configurations at the resource levels. Otherwise, the service auth configurations will be applied automatically to the resources as well.

# You may need to change the certificate file path, private key file path, and
# trusted certificate file path.
bal run http_service_oauth2.bal
[ballerina/http] started HTTPS/WSS listener 0.0.0.0:9090