The platform uses the OAuth2 Authorization Code grant (with refresh token support) via Spring Authorization Server. Access tokens and OIDC ID tokens are signed JWTs; the signing key is a 2048-bit RSA keypair generated in memory when msvc-auth starts (refresh tokens are opaque values, as is the Spring Authorization Server default).
msvc-auth (port 9000) acts as the centralized authorization server; msvc-usuarios and msvc-cursos are OAuth2 resource servers that validate every inbound Bearer token.
Grant Type and Client
The registered client is configured in SecurityConfig inside msvc-auth using an in-memory RegisteredClientRepository. The client secret shown below is a development placeholder hard-coded in that class; rotate it before msvc-auth is reachable from outside a local cluster.
| Property | Value |
|---|---|
| Grant types | authorization_code, refresh_token |
| Client ID | usuarios-client |
| Client Secret | 12345 (BCrypt-encoded at registration) |
| Auth method | CLIENT_SECRET_BASIC (HTTP Basic) |
| Requires consent | Yes |
| Scopes | openid, read, write |
The redirect URI is taken from the LB_AUTH_REDIRECT_URI environment variable with /authorized appended. In a standard local Kubernetes setup this resolves to http://192.168.49.2:31415/authorized, where 31415 is the NodePort set in configmap.yaml. Spring Authorization Server matches redirect_uri exactly, so the value sent in the authorization request must be identical to the registered string.
Scopes and Permissions
| Scope | Purpose |
|---|---|
| openid | Issues an OIDC ID token alongside the access token |
| read | Access GET endpoints on msvc-usuarios and msvc-cursos |
| write | Access POST, PUT, and DELETE endpoints on msvc-usuarios |
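As an added illustration of how these scopes are enforced on a resource server (example code, not the project's own SecurityFilterChain), the following configuration for msvc-usuarios requires SCOPE_read on GET routes and SCOPE_write on POST, PUT and DELETE, and leaves GET /login open because msvc-auth calls it without a token. The package name, Spring Boot 3 / Spring Security 6, and the spring.security.oauth2.resourceserver.jwt.jwk-set-uri property pointing at msvc-auth are assumptions.

```java
// Added example, not the project's code: resource-server filter chain for
// msvc-usuarios. Assumes Spring Boot 3 / Spring Security 6 and that
// spring.security.oauth2.resourceserver.jwt.jwk-set-uri points at msvc-auth.
package com.example.usuarios.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain resourceServerChain(HttpSecurity http) throws Exception {
        http
            // Stateless API: every request must carry its own Bearer token,
            // so no session is created and CSRF protection is not needed.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // msvc-auth fetches user records here without a token (see the
                // User Authentication Backend section). Leaving it open exposes
                // BCrypt hashes to anyone who can reach the service; restrict it
                // at the network level before deploying beyond a local cluster.
                .requestMatchers(HttpMethod.GET, "/login").permitAll()
                // read scope covers every other GET endpoint
                .requestMatchers(HttpMethod.GET, "/**").hasAuthority("SCOPE_read")
                // write scope covers the mutating methods
                .requestMatchers(HttpMethod.POST, "/**").hasAuthority("SCOPE_write")
                .requestMatchers(HttpMethod.PUT, "/**").hasAuthority("SCOPE_write")
                .requestMatchers(HttpMethod.DELETE, "/**").hasAuthority("SCOPE_write")
                // anything else (PATCH, OPTIONS, ...) still needs a valid token
                .anyRequest().authenticated())
            // Validate the JWT signature against msvc-auth's JWK Set. The default
            // JwtAuthenticationConverter turns each value of the token's "scope"
            // claim into a SCOPE_<value> GrantedAuthority, which hasAuthority() checks.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

The ordering of the matchers matters: the /login rule must come before the GET /** rule, because Spring Security applies the first matching rule and stops.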
Scopes map directly to Spring Security authorities: the resource server's default JwtAuthenticationConverter turns each value of the token's scope claim into a GrantedAuthority prefixed with SCOPE_. msvc-usuarios enforces them as SCOPE_read and SCOPE_write in its SecurityFilterChain.
Authorization Flow
1. Redirect the user to the authorization endpoint. Send the browser or HTTP client to the /oauth2/authorize endpoint of msvc-auth on port 9000 with response_type=code, client_id=usuarios-client, the registered redirect_uri and the requested scopes (openid read write).
2. User authenticates via form login. Spring Security presents the default form-login page. On submission, msvc-auth delegates credential validation to msvc-usuarios via a reactive WebClient: it calls GET /login?email=<email> and compares the submitted password against the BCrypt hash returned by that endpoint.
3. User consents to the requested scopes. Because requireAuthorizationConsent(true) is set on the client, Spring Authorization Server shows a consent screen listing openid, read, and write. The user must approve before a code is issued.
4. Authorization code returned to the redirect URI. After consent, msvc-auth redirects the browser to the registered redirect URI with the code (and the state value, if one was sent) as query parameters. The UsuarioController /authorized endpoint simply echoes the code back so it can be exchanged manually or by the client application.
5. Exchange the code for tokens. Make a POST to /oauth2/token with grant_type=authorization_code, the code and the same redirect_uri, using HTTP Basic auth with the client credentials. The Authorization header value dXN1YXJpb3MtY2xpZW50OjEyMzQ1 is the Base64 encoding of usuarios-client:12345. Authorization codes are single-use and short-lived, so a second exchange of the same code is rejected.
Token Endpoint curl Examples
Refresh Token
Access tokens expire after a short window (the expires_in value of the token response, in seconds). Use the refresh_token from the initial response to obtain a new access token without re-authenticating the user: POST to /oauth2/token with grant_type=refresh_token and refresh_token=<token>, again authenticating with the client's HTTP Basic credentials.
The response contains a new access_token and, depending on server policy, a new refresh_token. With Spring Authorization Server's default token settings (reuseRefreshTokens true) the same refresh_token is returned; a rotated one is issued only if the client's TokenSettings set reuseRefreshTokens(false).
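The code exchange in step 5 and the refresh request above, as an added example written against java.net.http (JDK 11+) rather than the project's own code. It assumes msvc-auth is reachable at http://localhost:9000 (adjust AUTH_BASE) and uses the redirect URI from the local Kubernetes setup; the state parameter and the regex-based parsing of the token response are choices made here, not something the page documents.

```java
// Added example, not the project's code: a minimal client for the token
// endpoint of msvc-auth. Assumptions: AUTH_BASE (msvc-auth host), no JSON
// library (string-valued members are pulled out with a regex).
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TokenClient {
    static final String AUTH_BASE = "http://localhost:9000";              // assumption
    static final String CLIENT_ID = "usuarios-client";
    static final String CLIENT_SECRET = "12345";
    static final String REDIRECT_URI = "http://192.168.49.2:31415/authorized";
    static final HttpClient HTTP = HttpClient.newHttpClient();

    /** Step 1: the URL the browser is sent to. state is an anti-CSRF value the
     *  client must generate randomly and compare on the redirect. */
    static String authorizeUrl(String state) {
        return AUTH_BASE + "/oauth2/authorize?response_type=code"
            + "&client_id=" + enc(CLIENT_ID)
            + "&redirect_uri=" + enc(REDIRECT_URI)
            + "&scope=" + enc("openid read write")
            + "&state=" + enc(state);
    }

    /** Step 5: exchange the code using CLIENT_SECRET_BASIC. */
    static Map<String, String> exchangeCode(String code) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "authorization_code");
        form.put("code", code);
        form.put("redirect_uri", REDIRECT_URI); // must equal the value used in step 1
        return tokenRequest(form);
    }

    /** Refresh: trade a refresh_token for a fresh access_token. */
    static Map<String, String> refresh(String refreshToken) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "refresh_token");
        form.put("refresh_token", refreshToken);
        return tokenRequest(form);
    }

    static Map<String, String> tokenRequest(Map<String, String> form) throws IOException, InterruptedException {
        StringBuilder body = new StringBuilder();
        form.forEach((k, v) -> body.append(body.length() == 0 ? "" : "&").append(enc(k)).append('=').append(enc(v)));
        // Base64("usuarios-client:12345") == "dXN1YXJpb3MtY2xpZW50OjEyMzQ1"
        String basic = Base64.getEncoder().encodeToString(
            (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(AUTH_BASE + "/oauth2/token"))
            .header("Authorization", "Basic " + basic)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body.toString()))
            .build();
        HttpResponse<String> resp = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // e.g. invalid_grant for a reused or expired code, invalid_client for a bad secret
            throw new IOException("token endpoint returned " + resp.statusCode() + ": " + resp.body());
        }
        return parseTokens(resp.body());
    }

    /** Collect the string-valued top-level members (access_token, refresh_token,
     *  id_token, token_type, scope); numeric expires_in is deliberately skipped. */
    static Map<String, String> parseTokens(String json) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = Pattern.compile("\"(\\w+)\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        while (m.find()) out.put(m.group(1), m.group(2));
        return out;
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.out.println("Open in a browser: " + authorizeUrl("xyz123"));
            System.out.println("Then rerun with the code echoed by /authorized as the first argument.");
            return;
        }
        Map<String, String> tokens = exchangeCode(args[0]);
        System.out.println("access_token: " + tokens.get("access_token"));
        if (tokens.containsKey("refresh_token")) {
            Map<String, String> renewed = refresh(tokens.get("refresh_token"));
            System.out.println("refreshed access_token: " + renewed.get("access_token"));
        }
    }
}
```

Run it once with no arguments to print the authorization URL, complete login and consent in the browser, copy the code echoed by /authorized, and run it again with that code as the argument. Because the secret is sent in the Basic header, this exchange must only ever travel over TLS outside a local test cluster.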
RSA Key
The jwkSource bean in SecurityConfig generates a 2048-bit RSA keypair in memory at startup using KeyPairGenerator. Spring Authorization Server uses the private key to sign every JWT and publishes the corresponding public key in the JWK Set endpoint (/oauth2/jwks by default) so resource servers can verify signatures.
Because the keypair lives only in memory, a new one is generated on every restart of msvc-auth. Any token signed by a previous key will fail verification after a restart, so every client has to re-authenticate. The same applies horizontally: if msvc-auth runs with more than one replica, each replica signs with its own key and a resource server that fetched the JWK Set from one replica rejects tokens issued by another. For anything beyond a single local instance, load the keypair from a keystore or secret so that the key and its kid are stable across restarts and replicas.
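An added example (not the project's SecurityConfig) that places the in-memory jwkSource the page describes beside a variant that loads a fixed keypair from a PKCS12 keystore, so the signing key and its kid survive restarts and are identical across replicas. The profile names, environment variable names, keystore path and key alias are assumptions; the Nimbus JOSE classes are the ones Spring Authorization Server already depends on.

```java
// Added example, not the project's code. Assumptions: profile names,
// JWT_KEYSTORE / JWT_KEYSTORE_PASSWORD / JWT_KEY_ALIAS environment variables,
// and the default keystore path. Requires spring-security-oauth2-authorization-server
// on the classpath (which brings in nimbus-jose-jwt).
package com.example.auth.security; // hypothetical package

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;

@Configuration
public class JwkConfig {

    /** Weak (what the page describes): a fresh key and a random kid on every start.
     *  Fine for a laptop, wrong for anything with restarts or more than one replica. */
    @Bean
    @Profile("ephemeral-keys")
    JWKSource<SecurityContext> ephemeralJwkSource() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAKey key = new RSAKey.Builder((RSAPublicKey) kp.getPublic())
            .privateKey((RSAPrivateKey) kp.getPrivate())
            .keyID(UUID.randomUUID().toString()) // new kid each restart: old tokens stop verifying
            .build();
        return new ImmutableJWKSet<>(new JWKSet(key));
    }

    /** Hardened: a stable keypair read from a PKCS12 keystore mounted as a secret.
     *  Every replica loads the same key, and tokens survive a restart. */
    @Bean
    @Profile("!ephemeral-keys")
    JWKSource<SecurityContext> persistentJwkSource() throws Exception {
        Path path = Path.of(System.getenv().getOrDefault("JWT_KEYSTORE", "/etc/msvc-auth/jwt.p12"));
        String password = System.getenv("JWT_KEYSTORE_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("JWT_KEYSTORE_PASSWORD is not set");
        }
        char[] pass = password.toCharArray();
        String alias = System.getenv().getOrDefault("JWT_KEY_ALIAS", "jwt");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, pass);
        }
        RSAPublicKey pub = (RSAPublicKey) ks.getCertificate(alias).getPublicKey();
        RSAPrivateKey priv = (RSAPrivateKey) ks.getKey(alias, pass);

        RSAKey key = new RSAKey.Builder(pub)
            .privateKey(priv)
            .keyID(alias) // fixed kid, so resource servers can cache the JWK Set safely
            .build();
        return new ImmutableJWKSet<>(new JWKSet(key));
    }
}
```

A keystore for the hardened bean can be created with the JDK's own tool, for example `keytool -genkeypair -alias jwt -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore jwt.p12 -dname CN=msvc-auth -validity 3650`, and mounted into the pod from a Kubernetes Secret rather than baked into the image. Key rotation then becomes a matter of publishing the new key in the JWK Set alongside the old one (a JWKSet accepts a list) for as long as the longest-lived token issued under the old key.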
User Authentication Backend
msvc-auth does not maintain its own user store. Instead, the UsuarioService bean implements Spring Security's UserDetailsService and delegates all user lookups to msvc-usuarios via a reactive WebClient.
The GET /login?email=<email> endpoint on msvc-usuarios is publicly accessible (no Bearer token required) and returns the matching Usuario entity including the BCrypt-hashed password. msvc-auth then lets Spring Security's DaoAuthenticationProvider compare the submitted password against the hash. Because the endpoint is unauthenticated, anyone who can reach msvc-usuarios can confirm which emails are registered and collect password hashes for offline cracking; restrict it to msvc-auth (network policy, mTLS or a service credential) before the cluster is exposed beyond a local environment.