We are building an OIDC Identity Provider in java which can be integrated into Keycloak and perform authentication .We are looking at Spring Authorization server or Apache Shiro as our options to build the custom service in java and register it as an IDP in Keycloak.Any help /documentation/leads welcome.
We have looked at any implementation logic within Spring Authorization Server for the integration with keycloak as an authentication mechanism,but not quite sure if its the right approach
Related
The old spring security oauth can do this by spring-security-oauth2-autoconfigure
How can it be implemented using the latest spring security 5.7.x?
It seems that you have to create separate authorization server, resource server, and client...unlike the previous, you just have to enable configuration for authorization and resource server
But I am curious if there is a way to do libe the old way?
I discover this on my own.
Both the authorization and resource server can be in 1 springboot app and both can use same port.
It is the security configuration filter chain that you have to restrict both the "/login", "/oauth2/authorize"
Authorization server configuration is configured the basic way and so is the Resource server.
I'm trying to extend my home made OAuth2 Authorization Server with the OpenID Connect. At the moment, the Server works fine and successfully issues an access token.
What I need is that the token endpoint returns an id_token along with the access_token.
The Authorization Server is a Spring boot (2.5) app, which implements the authorization code flow using following oauth dependencies.
spring-security-oauth2
spring-security-oauth2-autoconfigure
spring-security-jwt
spring-security-oauth2-jose
Is there some standard way to configure an OAuth2 Spring Server so it provides the OpenID Connect features?
Thanks in advance for an example code and/or useful documenation.
The Spring team are working on a new OAuth server, that provides OIDC capability. It's still very early days, but it is useable.
See here for the code, that includes a set of samples:
https://github.com/spring-projects/spring-authorization-server
Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
I have couple of spring boot applications which constitute a micro service architecture and need to use WSO2 IS(which is hosted on CLOUD) authentication for authenticating the services(service to service authentication).
I could not find any sample program with Spring oauth2 client crdential grant with WSO2 Identity server combination yet.
Any direction would be of help.
Check the link below. It guides you to achieve your requirement step-by-step.
https://medium.com/#balaajanthan/oauth2-login-for-spring-boot-application-with-wso2-identity-server-da0a88893987
I have an existing Spring MVC/RESTful web application. Right now all of my REST endpoints secured with OAuth2.
Now, I need to reimplement security of my REST endpoints from OAuth2 to Jasig CAS.
I have already created my own CAS server and looking for an example how to secure Spring REST endpoints with CAS. Unfortunately I can't find any examples right now.
Could you please show me an example how to use Spring Security with CAS client in order to secure my Spring RESTful webservices.