If a JWT is missing an issuer field, I'd like to fallback to a jwk-uri or jwk-key-set, what would I need to override in Spring oauth2 libs because failing on missing issuer is a Spring default behavior.
An alternative would be to detect missing issuer field and inject that field with a string such as emptyIssuer... then I can define the appropriate issuer in application properties.
With Spring Boot, define just spring.security.oauth2.resourceserver.jwt.jwk-set-uri property (and not spring.security.oauth2.resourceserver.jwt.issuer-uri).
The JWK set is enough for the decoder to validate JWT signature.
If spring.security.oauth2.resourceserver.jwt.issuer-uri is set, then
JWT decoder is configured to check iss claim against the value in the conf
boot does its best to infer jwk-set-uri from the issuer-uri (and succeeds when the authorization-server is OIDC complient)
Related
Sorry folks, this may be a newb question. I'm a little lost.
My Spring-boot environment provides me with keycloak for client authorization, it gives me these.
spring.security.oauth2.resourceserver.jwt.issuer-uri
spring.security.oauth2.client.provider.keycloak.issuer-uri
spring.security.oauth2.client.registration.keycloak.* # client-id, secret, provider, grant-type
I noticed on the ClientRegistration that .issuerUri(String uri) is not avaialbe until Spring-Security v5.4.x. I am using 5.3.5, although I could bump up. I am confused what the difference is. As I would expect, I get an error when I do .tokenUri(issuerUri). I believe they are different modes/API, but I am at a loss as to what I should set in the 5.3.5 API.
Caused by: org.springframework.security.oauth2.client.ClientAuthorizationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 405 Method Not Allowed: [{"error":"RESTEASY003650: No resource method found for POST, return 405 with Allow header"}]
So as a newb, I don't get why I have 4 choices of URI and what they do. Google and javadoc haven't been much help, so I figure I just don't know the right place to look to learn it. The only way I know how to fix this is to manual make my own HTTP call to the URI and get my Authentication token, but that would defeat the purpose of the Oauth2 library.
tokenUri represents the URI for the token endpoint. For example:
https://authz.example.org/auth/realms/myrealms/protocol/openid-connect/token
Whereas issuerUri is the URI that identifies the Authorization Server:
https://authz.example.org/auth
It's quite common for the issuer URI to be the root for more specific URIs like the token URI.
Regarding your specific error, I'd imagine that Keycloak is stating that you cannot POST to https://authz.example.org/auth, which is true. You should be POSTing to the token endpoint.
The issuer-uri Spring Boot property should cause Spring Security to look up the other endpoints and add them to a default ClientRegistration. Because of that, I'm not sure why you are also trying to programmatically configure ClientRegistration. That said, if you do need to programmatically create a ClientRegistration, you can use the issuer URI like so, and Spring Security will do the rest:
#Bean
ClientRegistrationRepository registrations() {
ClientRegistration registration = ClientRegistrations
.forIssuerLocation("https://authz.example.org/auth")
.build();
return new InMemoryClientRegistrationRepository(registration);
}
With a Spring Boot client configured in the DMZ and Spring Security OAuth configured using:
issuer-uri: https://authentication_server/auth/realms/my-realm
I get this error from Spring Security:
The Issuer "https://external_url/auth/realms/my-realm" provided in the configuration metadata did not match the requested issuer "https://authentication_server/auth/realms/my-realm
From this post I have learned that I need to specify authorization-uri, token-uri and jwk-set-uri instead of issuer-uri, and then it also works.
authorization-uri: https://external_url/auth/realms/my-realm/protocol/openid-connect/auth
token-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/token
jwk-set-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/certs
(I do not get why Spring Security cannot auto-configure with the same values from the issuer-uri when it works setting the values individually)
Now the problem is that logout stops working. When using issuer-uri the OAuth is auto-configured and end_session_endpoint is fetched from the answer, but when specifying each setting there is no way to specify the end_session_endpoint.
Is this an outstanding issue in Spring Security OAuth, or do I need to configure it differently?
I had to make a work around for this. With little time I started by copying the existing OidcClientInitiatedLogoutSuccessHandler which I already were using in configuring LogoutRedirectUri.
I simply copied the class and changed the implementation of the method endSessionEndpoint() to return the URI which is returned by our OAuth server as end_session_endpoint.
This issue is tracked in spring-security GitHub.
Probable fix will be allowing to add "Additional attributes for ClientRegistration and ProviderDetails".
I have a spring boot v.5+ application which uses spring security saml.
When an idp initiated SingleLogout Request is called i get an error saying :
org.springframework.security.saml.SAMLStatusException: LogoutRequest is required to be signed by the entity policy
Is there an option to disable signing of LogoutRequest in my service provider?
I was facing the same issue. I tried to tweak the default value of requireLogoutRequestSigned property (from default true to false) in Table 7.2. Extended metadata settings of my SP and it worked for me. I'm using MetadataGenerator bean to configure this setting in spring-boot v2.1.1.RELEASE and spring-security-saml2-core v1.0.3.RELEASE.
I try to implement a simple OAuth2 "Client Authentication with Signed JWT" Demo App using Spring Boot and Keycloak as AuthService.
The idea is:
one secured REST service "The Producer"
offering an endpoint GET /person for all users/principals with the role "read_person"
offering an endpoint POST /person for all users/principals with the role "write_person"
another (unsecured) REST service "The Consumer"
offering an enpoint /api open for everybody
calling internal the "producer" viaFeignclient using an RequestInterceptor to pass the AccessToken (signed JWT / JWS)
I read about the docs:
http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/client-authentication.html
saying:
Once the client application is started, it allows to download its public >key in JWKS format using a URL such as http://myhost.com/myapp/k_jwks, >assuming that http://myhost.com/myapp is the base URL of your client >application. This URL can be used by Keycloak (see below).
During authentication, the client generates a JWT token and signs it with >its private key and sends it to Keycloak in the particular backchannel >request (for example, code-to-token request) in the client_assertion >parameter.
I googled a lot to find tutorials/demos or docs about this topic but failed so far.
So here my questions:
How do I implement this "k_jwk" endpoint? Do I simple build a #RestController by myself in "the Producer"? How do I configure Keycloak to get aware of this URL?
How do I implement my "Consumer" to get fresh signed JWT from Keycloak?
Update
Removed irritating PS statement.
You don't need to implement the k_jwk endpoint, this is handled by the adapter. Keycloak will by default look at http:///your.app.com/k_jwk(but if needed you can override that in the console).
Then you need to configure your Spring Boot client, just use the same properties as the keycloak.json but in the application.properties format:
...
keycloak.credentials.jwt.client-keystore-file=classpath:keystore-client.jks
keycloak.credentials.jwt.client-keystore-type=JKS
etc ...
You need a token to call the producerbut as you said the entry point will be an insecured endpoint so you might want to use a Service Account for this.
I hope this will help.
Update
I couldnt solve this issue but learned some things about singned JWT in the mean time:
create a so called "Bearer Token" by creating a Json Structure with all necessary claims (sub, nbf, exp ...) by yourself and sign/certificate it with your JKS/Private Key from Keycloak. There are some nice third party libs beside Keycloak to do this.
To get a real AccessToken (JWE/JWS) from Keycloak: send this static final Bearer Token to Keycloak at /auth/realms/$realm/protocol/openid-connect/token/introspect
with QueryParams:
grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=$BEARER_TOKEN
Use the received real AccessToken to access the ResourceServer...
I have an OAuth resource server secured with Spring cloud security.
The OAuth tokens that are used are JWT tokens, so the resource server needs a verifier key to be able to check the signature of the tokens.
In order to simplify configuration I would like the resource server to get the verifier key from the authorization provider (also a spring boot service, with an #EnableAuthorizationServer).
This works fine if I give the direct url of the authorization provider (using spring.oauth2.resource.jwt.keyUri), for example http://ip_of_authorization_provider/oauth/token_key.
The problem is when I want to give a service-id instead of an IP or DNS in that value, eg. http://authorization-provider/oauth/token_key.
It seems to me the problem is in JwtTokenServicesConfiguration, on line 225 of this file, specifically :
private RestTemplate keyUriRestTemplate = new RestTemplate();
If the keyUriRestTemplate was Autowired I could provide my own load balanced rest template, or if there was a #ConditionalOnMissingBean(JwtAccessTokenConverter.class) on the jwtAccessTokenConverter method below I could also provide my own load balanced logic.
Is there a way to do what I want without the ugly hack of recreating the whole ResourceServerTokenServicesConfiguration class in my app just to put only this small modification ?
There is a simpler and cleaner solution :
Just ditch the autoconfiguration made by spring-cloud-security and provide your own implementation of tokenServices that provide a JwtAccessTokenConverter whose key you have provided with a LoadBalanced RestTemplate. Chances are you'll eventually want to provide other specifics in your configuration anyways ...