Perform 2FA on specific screens with keycloak - spring-boot

I have an application using Spring Boot, Angular and Keycloak in version 18.0. In the application's Keycloak I have all the users configured with Keycloak; however, Keycloak only requires the code when logging into the system. I would like to know if there is any solution to request the OTP code on critical system screens.
Example of the desired flow: I log in to the system and provide the OTP code, then access critical screen X and am asked for the OTP code again.
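One way a Spring Boot resource server can enforce the second factor on particular endpoints is to require a stronger `acr` (authentication context class) claim on the bearer token for those routes, and let the Angular front end send the user back to Keycloak for step-up authentication when it gets a 403. The following is an added example, not code from the question or from Keycloak; it assumes a Spring Security 6 `authorizeHttpRequests` API, that Keycloak 18's step-up authentication is enabled in the realm's browser flow so that a re-authentication with `acr_values=gold` prompts for OTP and issues a token whose `acr` claim is `gold`, and that the level names (`silver`, `gold`) and the `/api/critical/**` path are placeholders for your own client's ACR-to-LoA mapping and critical screens.

```java
// Added example (not from the question): a Spring Security 6 resource-server
// chain that only lets a request through to the "critical" endpoints when the
// bearer token carries an acr claim at or above the required level. The level
// names and their ordering ("silver" < "gold") are an assumed Keycloak
// "ACR to LoA" client mapping; the paths are placeholders.
package example.stepup;

import java.util.Map;
import java.util.function.Supplier;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
public class StepUpSecurityConfig {

    // Assumed ordering of the ACR values Keycloak writes into the token.
    private static final Map<String, Integer> LOA = Map.of("silver", 1, "gold", 2);

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // critical screens: a plain first-factor token is not enough
                .requestMatchers("/api/critical/**").access(requireAcr("gold"))
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Grants access only when the JWT's acr claim maps to a level >= the required one.
    // A missing or unknown acr is treated as level 0, i.e. denied for critical routes.
    static AuthorizationManager<RequestAuthorizationContext> requireAcr(String required) {
        int needed = LOA.getOrDefault(required, Integer.MAX_VALUE);
        return (Supplier<Authentication> authentication, RequestAuthorizationContext ctx) -> {
            Authentication a = authentication.get();
            if (!(a instanceof JwtAuthenticationToken jwtAuth)) {
                return new AuthorizationDecision(false);
            }
            String acr = jwtAuth.getToken().getClaimAsString("acr");
            int have = acr == null ? 0 : LOA.getOrDefault(acr, 0);
            return new AuthorizationDecision(have >= needed);
        };
    }
}
```

With this in place the front end treats a 403 from a critical endpoint as "step-up required" and restarts the authorization-code flow with `acr_values=gold` (the parameter name is Keycloak's; the level name is the assumed mapping above), so the user is prompted for the OTP again and returns with a token that passes the check. Keep the check server-side as shown: hiding the screen in Angular alone does not protect the data behind it.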

Related

Not able to configure SLO in Okta

I am trying to implement Single LogOut from my Service Provider using Okta.
I have the app configured in Okta. The SSO is working fine. It is just that when I log out of the application it does not log me out of Okta; as a result, if I log in again it just logs me in with the same user name without taking me to the login page.
I have configured the SLO settings as seen in the picture.
Also I am using the URL from the IdP metadata in the SP.
And I have updated the same Signature Certificate as provided by Okta as seen in the picture:
Requirements:
When I log out, it should log me out of the current application as well as Okta.
When I log in again, it should ask for credentials.
I tried looking into https://help.okta.com/en-us/Content/Topics/Apps/Apps_Single_Logout.htm
But could not understand what the actual issue was.

How to setup authorization code with PKCE flow in new spring-authorization-server to use my frontened app login screen

In the new spring-authorization-server, is it possible to set up the authorization flow with PKCE, but to use my frontend app's login screen instead of the Spring default login screen and then just continue the flow as it is?
I'm not able to find any kind of explanation or tutorial how to do that.
Does this even make sense to do in OAuth2 / OIDC standard?

Advice on Spring boot Server config

I'm not new to either Spring Boot or Spring Security, but I am to Spring Authorization Server.
Description
I have three apps:
a spring boot backend,
a flutter frontend and
a Keycloak for authentication.
The Backend has only one login method, that is oauth2 and is client of Keycloak. The login method for the Backend is already implemented and is working, using Authorization code.
The flutter should also log into the Backend using Authorization code, but this part is not yet implemented.
The Backend is the part I'm responsible for, and the workflow should be the following:
The user on Flutter tries to login
The Flutter App then requests login from Backend App
Backend App, as an authorization server with only one login method which is Keycloak, redirects the user to Keycloak.
The first authentification and authorization happens on Keycloak.
Keycloak redirects the user to the Backend.
The Backend finds out who the user is and authorizes him.
The Backend redirects the user to Flutter's scheme and then Flutter opens (or continues).
The Flutter calls the Backend to get tokens.
Now my question is how I should configure the Backend so that it behaves as an authorization server.
This is what I've tried.
I've used the newly created spring-authorization-server. So my SecurityFilterChain already contains:
…
http
.oauth2Login(withDefaults())
…
Now my backend is a resource server for itself and a client of itself (I can't dissociate them now). So I'm thinking of
adding .oauth2ResourceServer with the configuration of this same server for verifying the tokens I will issue, and
adding .oauth2Client with again the configuration pointing to this server, so that the Flutter app is able to log in.
Now I don't know how to turn my backend into an authorization server and, to be more precise, how to turn on authorization code for user login.
Thanks for reading. Any help would be appreciated.

Keycloak integration to an existing JHipster JWT app while keeping the JWT authentication process

I have an existing JHipster application generated with the JWT authentication process, which means that user accounts are handled by the application itself, and every user has to log in with their username and password directly into the application.
Now we are developing some microservices and mobile apps that will communicate with the first JHipster app. For that, we want to use Keycloak to manage the authentication process for the microservices and mobile apps, while keeping the existing JWT authentication process.
What we want is that: users with username and password will log in directly to the application (they will not be redirected to Keycloak to authenticate), and the microservices and mobile apps will need tokens from Keycloak (by sending the client id and secret to Keycloak) to get access to the JHipster app resources.
All the tutorials that I saw are about replacing the JWT authentication process by Keycloak. With this, every user will be redirected to Keycloak, and we don't want that for now (maybe in the future we will upgrade all of that).
Please if you have any resource that can help me, it will be nice.

OpenAM and Spring Security 4 Integration

I am building a Spring-MVC-Hibernate back-end with dozens of RESTful web services. The front-end will probably be an HTML5, CSS3, and jQuery web app that utilizes the back-end web services I am developing.
We have an OpenAM 10.x SSO system on a Tomcat server, and we want to use that for authentication; there are no authorization rules or groups there. All the documentation I have seen has been for an unknown version of OpenAM and Spring Security 3. We have OpenAM 10.x with no known time to upgrade to the latest OpenAM. We plan on using Spring Security 4.0.3, which is the latest at this time.
1) One way we can do this is to establish a Circle of Trust, then establish an IdP and an SP, and then we'll have a URL in order to do federated SSO. I believe this is how our front-end will get authentication and get a token returned to the front-end, which may be stored as a cookie.
2) Another way I have seen this done is to simply call the OpenAM RESTful API, pass in username and password and get a token. That token will then be passed into the back-end RESTful APIs for security.
We will definitely be using Spring Security for users, roles, and permissions (authorization), so can we do this? Use Spring Security 4.0.3 for users, roles, and permissions, but use OpenAM for authentication?
Any information would be very helpful. Thanks!
We've been doing something similar with one of our applications. We started by using OpenAM 12 and we're now using OpenAM 13 SNAPSHOT.
We've been integrating using OpenID Connect though, not SAML.
This was a good starting point for us: https://github.com/fromi/spring-google-openidconnect.
We used the default header/basic scheme in OAuth2ProtectedResourceDetails as opposed to form as in the sample.
On OpenAM, you'll have to configure OpenID Connect Provider.
Steps in OpenAM 13:
Login as amAdmin.
Select the realm.
The landing page (Dashboard/Realm Overview) will list common tasks.
Choose Configure 'OAuth Provider', then 'Configure OpenID Connect'.
Choose default values and click create.
Then you'll have to add an agent/client.
Steps in OpenAM 13:
From within the realm configuration page, choose agents.
Select OAuth 2.0/OpenID Connect Client.
Click on new button, enter client_id and client_secret values and create the agent.
Click on the newly created agent to further configure parameters such as redirect_uri, scopes etc.
If you cannot choose OpenAM 12 or 13 and are stuck with OpenAM 10, this information may not be useful.