OAuthClientRequest request = OAuthClientRequest
.tokenLocation("url")
.setGrantType(GrantType.CLIENT_CREDENTIALS)
.setClientId(CLIENT_ID)
.setClientSecret(CLIENT_SECRET)
.buildBodyMessage();
//create OAuth client that uses custom http client under the hood
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthJSONAccessTokenResponse oAuthResponse = oAuthClient.accessToken(request, OAuthJSONAccessTokenResponse.class);
This is a solution to generate OAuth 2 Access Token easily. Can Any one suggest a an equivalent solution using org.springframework.security.oauth2? Since our's is Bank side application, it won't support apche.oltu. Thank u in advance.
Can Any one suggest a similar solution using org.springframework.security.oauth2? Since our's is Bank side application, it won't support apche.oltu. Thank u in advance.
Related
I need to create a REST API (with Springboot) that is consumed by a web client written with vue.js. The authentication must be made with OpenId Connect and the authorization code flow. My company has its own OIDC provider and my question is how can I implements this flow.
I first saw the oidc-client-js library that perfoms everything i need except that it is fully client side and the security of my company does not allow it.
Secondly I saw this tutorial (source code availlable here), what i understand is that spring handles everything for you as long as the configuration is ok. But what I do not understand is how the token is provided to the client ?
Does someone has any further explaination on this mechanism ? Or am I simply misleaded ?
Thanx for your answer.
I'm working on Hyper Ledger Composer and integrating the REST API in a nodejs web app "using js client side to call the API "
and I'm wondering how can I keep some interface private and prevent from show and post to it .
Should I simply call the api server side before or is there an elegant way ?
To protect access to the REST APIS, you can implement an authentication strategy - see here https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html and https://hyperledger.github.io/composer/integrating/enabling-multiuser.html (the latter requires that authentication is enabled).
A tutorial on using one such strategy - eg using Google OAUTH2 as an auth provider - is shown here -> https://hyperledger.github.io/composer/next/tutorials/google_oauth2_rest
There is another way to develop your own rest api using NodeJs sdk.
You can connect to the network using Cards and perform any action using BusinessNetworkConnection class and factory object.
Read [https://hyperledger.github.io/composer/v0.16/applications/node][1]
I'm trying to implement Spring OAuth. I'm new to it and I'm trying to understand how it works.
My Questions:
OAuth generates token after authentication and this token must be used for every request the user makes. We need to append this access_token to each REST API call for accessing the resources. Did I sound correct?
Do we need to store this token on client side (using cookies)? or is there anyway so that we do not need to store this token at client side and can be handled on the server side?
If we have to store the token on client side what's the best way to do it? I have gone through this link
If endpoint on your server is protected by oauth, then yes, you have to pass token with each request - probably in "Authorization: Bearer {token}" header. In spring its solved by using different restTemplate - OAuth2RestTemplate which automatically fetch it and add to request.
You just store just JSESSIONID in a cookie. Then spring read session from store ( disc where tomcat is installed / redis if you use spring session project/ etc )
Access token should be relatively short living. There should also be revoke endpoint available so you can invalidate specific token when there are reasons to believe it was compromised.
3.a) there is another issue with storing some data on client side. Its about storing clientId, clientSecret on mobile native apps. Android apps code can be reverse engineered quite easily, so anyone can then try to use your oauth app to get token. In those situations its recomennded to use different grant type "password" - check https://aaronparecki.com/2012/07/29/2/oauth2-simplified#other-app-types
I've a question about how to design a security problem.
Actually, we have an API secured by Spring Security.
It's based on the simple UserDetails security pattern.
Now, we are developing another API, deployed on(in a near future) another domain, against another database but the authentication information will be the same as the first API.
So, I would like to know how to design the authentication in the model. Actually I was thinking of something like:
Can I have your advice on that design?
Another question is how to implement that in Spring Security, especially the store & validate token on 2nd API?
I'd extract the authentifaction part into an own api, which handles only the login and token generation. The token would be stored in TokenStore (i.e. ad atabase) and with it along i'd store the userdetails and whcih api he can use.
The browser sends the token with each request to your api 1 and api 2. They can the check the token against the TokenStore and then validate if the user has the right to access this api.
You could use spring-security-oauth2 for this, but had to tweak the tokengeneration workflow a bit. In this case your UI app will be the authorizaion server and generate the tokens transparently for a logged in user and give it to the part running in the browser. Your App in the browser would ne to send this token on each call to api 1 or 2. Api 1 and 2 would be different resourceserver, but check against the same tokenstore.
I had originally posted a question about what API to use in regards to making a SharePoint 2010 timer job able to access the twitter API and chose the Spring Social .NET api and have run into another roadblock.
I cannot get the OAuth handshake or 'dance' to work.
I have the consumer key and secret linked to my account, as well as an access token and secret, but any time I try to initialize a TwitterServiceProvider object, any time I attempt to query I get a 401 error.
The console/mvc and wp7.1 examples provided dont give much insight how I can get this code (which should run with no human involvement) to work.
Does anyone have any good resources regarding this?
Thanks in advance
If you already have access token value and secret, you can do something like that:
ITwitter twitter = new TwitterTemplate("consumerKey", "consumerSecret", "accessTokenValue", "accessTokenSecret");
// twitterApi.UserOperations.GetUserProfile();
that is equivalent to :
TwitterServiceProvider serviceProvider = new TwitterServiceProvider("consumerKey", "consumerSecret");
ITwitter twitterApi = serviceProvider.GetApi("accessTokenValue", "accessTokenSecret");
// twitterApi.UserOperations.GetUserProfile();
How do you get the access token secret and value?