Secured Service with OAuth2

A service can be secured using OAuth2 and, optionally, by enforcing authorization. The OAuth2 auth provider verifies the bearer token against the configured introspection server, and the introspection response is used to determine token expiration, authorization and so on. Ballerina uses the concept of scopes for authorization: a resource declared in a service can be bound to one or more scopes. The scopes granted to the token are included in the introspection response and are compared against the scopes of the resource; the request is authorized if at least one scope is present in both sets.

import ballerina/http;
import ballerina/config;
import ballerina/log;
import ballerina/oauth2;
oauth2:InboundOAuth2Provider oauth2Provider = new ({
    url: "https://localhost:9095/oauth2/token/introspect"
});

Creates an inbound OAuth2 authentication provider with the relevant configurations of the introspection server.

http:BearerAuthHandler oauth2Handler = new (oauth2Provider);

Creates a Bearer Auth handler with the created OAuth2 provider.

listener http:Listener ep = new (9090, {
    auth: {
        authHandlers: [oauth2Handler]
    },

The endpoint used here is the http:Listener. The OAuth2 handler is attached to this endpoint using the authHandlers attribute. Authentication and authorization can optionally be overridden at the service and resource levels.

    secureSocket: {
        keyStore: {
            path: config:getAsString("b7a.home") +
                  "/bre/security/ballerinaTruststore.p12",
            password: "ballerina"
        }
    }
});

The secure hello world sample uses HTTPS.

service hello on ep {
    resource function sayHello(http:Caller caller, http:Request req) {
        error? result = caller->respond("Hello, World!!!");
        if (result is error) {
            log:printError("Error in responding to caller", result);
        }
    }
}
# To run the service, execute the below command by passing Ballerina home path
# as a system property.
ballerina run secured_service_with_oauth2.bal --b7a.home=<ballerina_home_path>
[ballerina/http] started HTTPS/WSS listener 0.0.0.0:9090
curl -k -H "Authorization: Bearer YWRtaW46MTIz" \
https://localhost:9090/hello/sayHello
Hello, World!!!

Start the introspection server on port 9095 with the /oauth2/token/introspect resource path and invoke the service using cURL. The cURL command must carry a valid bearer token in the Authorization header; the token is validated against the introspection server.
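The sample above attaches the handler at the listener but binds no scopes, so any active token is accepted. The following is an added example (not part of the original sample) showing the service- and resource-level scope binding described earlier, using the same provider and handler wiring; the scope names "hello" and "admin", the DELETE resource and the omission of TLS are assumptions made here for illustration.

```ballerina
import ballerina/http;
import ballerina/log;
import ballerina/oauth2;

// Provider and handler wired as on the page; TLS is left out only to keep
// the scope configuration in focus (the sample itself uses HTTPS).
oauth2:InboundOAuth2Provider oauth2Provider = new ({
    url: "https://localhost:9095/oauth2/token/introspect"
});
http:BearerAuthHandler oauth2Handler = new (oauth2Provider);
listener http:Listener ep = new (9090, {
    auth: {
        authHandlers: [oauth2Handler]
    }
});

// Service-level authorization: the introspection response must carry
// "hello" or "admin" (assumed scope names); one matching scope suffices.
@http:ServiceConfig {
    basePath: "/hello",
    auth: {
        scopes: ["hello", "admin"]
    }
}
service hello on ep {
    // Inherits the service-level scope list.
    @http:ResourceConfig {
        methods: ["GET"],
        path: "/sayHello"
    }
    resource function sayHello(http:Caller caller, http:Request req) {
        error? result = caller->respond("Hello, World!!!");
        if (result is error) {
            log:printError("Error in responding to caller", result);
        }
    }

    // Resource-level override: only "admin" is accepted here; the
    // resource-level list replaces the service-level one.
    @http:ResourceConfig {
        methods: ["DELETE"],
        path: "/greeting",
        auth: {
            scopes: ["admin"]
        }
    }
    resource function deleteGreeting(http:Caller caller, http:Request req) {
        checkpanic caller->respond("Greeting removed");
    }
}
```

A token whose introspection response lists only the "hello" scope reaches /hello/sayHello but receives 403 on DELETE /hello/greeting; an inactive or expired token is rejected with 401 before scopes are checked.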