I have a mobile app in react native that uses expo-auth-session to be able to log in with its google account.
I have spring boot application that has oauth2 configuration as you can see below:
spring:
security:
oauth2:
client:
registration:
google:
clientId: clientIdValue
clientSecret: clientSecretValue
redirectUri: "https://localhost/oauth2/callback/{registrationId}"
scope:
- email
- profile
How can i integrate this react-native app to works with spring boot application in signin/signup?
I need to be able to authenticate the user on my backend to get a jwt token so I can access the rest of my endpoints.
The problem I find is that if I use the oauth2 library of my spring boot using these urls:
https://localhost/oauth2/authorize/google? redirect_uri=https://localhost/oauth2/redirect.
i can't redirect to my mobile app and if I use expo-auth-session to login the user from my mobile app, i don't have the necessary information to authenticate with oauth2 in my backend.
What is the best way to do this?
Is there a way to redirect back to my mobile app after authentication in my backend? I know that I can know if the call was from mobile using userAgentInfo
Your Spring app is most probably a REST API, and as so, a resource-server, not a client, which means your Spring conf is most probably wrong. Tutorials for configuring resource-servers on this repo of mine
Regarding your React-Native app, you could consider make it an OAuth2 client with the help of react-native-app-auth. I have no direct experience with React Native, but with Cordova apps, it required me to setup "deep links" for redirection back from authorization server.
Related
i am currently working on a project where my backend uses Spring Boot, Spring security + keycloak and runs on localhost:8081.
My frontend (svelte) runs on http://127.0.0.1:5173/ and the url http://127.0.0.1:5173/products needs to access data from localhost:8081/products (which needs a login) but the login page from keycloak doesnt appear.
In other words, what i am trying to achieve:
I want that the url http://127.0.0.1:5173/products redirects to localhost:8081/products which redirects to keycloak login page and after a successfull login i want to return to http://127.0.0.1:5173/products where i will be able to see the data.
is there an elegant solution to this problem? Im really stuck on this problem and this is one of my first projects.
Thanks in advance!!
Some OAuth2 wording:
Keycloak is an authorization-server (OIDC complient)
Svelte app is a client
Spring REST API is a resource-server
Ensure that a "public" client is declared in Keycloak.
Configure your Svelte client with an existing OIDC lib (component) of your choice to:
use the "public" client deckared in Keycloak
authenticate users against Keycloak (socket is not the same as spring API)
add an authorization header with a JWT access-token retrieved from Keycloak (when issuing requests to your secured REST endpoints)
Configure Spring API as a secured resource-server with a JWT decoder.
You can refer to this article for configuring Keycloak and resource-server with JWT access-tokens.
I'm trying to extend my home made OAuth2 Authorization Server with the OpenID Connect. At the moment, the Server works fine and successfully issues an access token.
What I need is that the token endpoint returns an id_token along with the access_token.
The Authorization Server is a Spring boot (2.5) app, which implements the authorization code flow using following oauth dependencies.
spring-security-oauth2
spring-security-oauth2-autoconfigure
spring-security-jwt
spring-security-oauth2-jose
Is there some standard way to configure an OAuth2 Spring Server so it provides the OpenID Connect features?
Thanks in advance for an example code and/or useful documenation.
The Spring team are working on a new OAuth server, that provides OIDC capability. It's still very early days, but it is useable.
See here for the code, that includes a set of samples:
https://github.com/spring-projects/spring-authorization-server
Sorry if this is a VERY stupid question...
I'm new to Spring Security and I have a basic SpringBoot Rest API which I now want to learn how to secure.
Now what I really want to do is have separate webpage that does the "Login in with Facebook" view. But how do I secure some of the endpoints in my rest api using the token from facebook?
Imagine:
Endpoint /profile -- only the user who has logged in should be able to see their profile. Endpoint /welcome -- Everyone can access Endpoint /messages -- only the user who has logged in should be able to see their messages.
What frameworks should I be using here or how do i even go about doing this
Thanks!
Welcome to OAuth (Open Authorization). There was a problem called "Access Delegation Problem"
at past, and OAuth was created to fix it. If you are able to access "Microservice Security In Action" book, it tells you exactly you want on Facebook example. (at appendix D)
In your scenario, here is the OAuth components.
Resource Server: Your Spring Boot Project
Authorization Server: Facebook
Resource Owner: The end-user
First of all, import spring-security-oauth2 module to your project. Then configure spring security.
delegate your authentication to Facebook by OpenID Connect / OIDC (basically, authentication by OAuth 2.0)
http.oaut2Login()
Provide authorization code flow grant type details like client_id, redirect_uri, token_uri, authorize_uri.
spring:
security:
oauth2:
...
permit some urls to be public.
http.authorizeRequests().antMatchers(preparePermittedUrls()).permitAll()
Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
I have an app (A) exposing REST services secured with oauth2. (spring security oauth2/spring-web)
I want to create a second app (B) (spring-boot or normal spring), from where I can login then call the REST services from A.
How can I configure security in app B so I can use both social login (facebook, twitter, google) and call REST services from app A? Is there an example using spring security/oauth/social integration?
I've found some examples but none sais how to integrate them
Have you tries the Spring oAuth2 tutorial with FB and Google login? This also includes a local login. All code is available in git from the link in the right column of the tutorial.