I have an API gateway in front of my Spring Boot app. This API gateway performs the oauth2 authentication and validation of the JWT token for me. My app receives the valid JWT token as HTTP header.
How can I combine this JWT token with the standard Spring security? I want to use the user groups passed in the JWT token for access control to my REST endpoints. And how can I avoid double validation of the JWT (on API gateway and service side)?
Configure Spring REST APIs secured with OAuth2 as resource-servers. Tutorials here.
This can be as simple as:
<dependency>
<groupId>com.c4-soft.springaddons</groupId>
<!-- replace "webmvc" with "weblux" if your app is reactive -->
<!-- replace "jwt" with "introspecting" to use token introspection instead of JWT decoding -->
<artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
<!-- this version is to be used with spring-boot 3.0.0-RC1, use 5.x for spring-boot 2.6.x or before -->
<version>6.0.4</version>
</dependency>
#EnableMethodSecurity
public static class WebSecurityConfig { }
com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master
com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,ressource_access.some-client.roles
com.c4-soft.springaddons.security.cors[0].path=/some-api
If you can absolutely control that all interactions to your microservice will always be routed through API Gateway and if Gatway is the sole entity responsible for validation and verification of the JWT token,
you can simply disable Oauth2 resource server configuration in your
microservice app's security config and instead accept the verified JWT via an
HTTP header.
Possibly a custom security filter plugged into the security filter chain can then take the responsibilty of building an Authentication Token with it's authorities (GrantedAuthority) mapped to user groups in JWT.
The authentication token can also be customized to include all the other relevant information extracted from JWT that your service will need to make any further authorization decisions.
Related
I'm developing an app.
Front/bff/api.
I'm using an open id provider that allows to check token remotely.
The bff intercepts the front requests and sends them to the API with the jwt token in the header.
The api should ask the open ip provider if the token is correct (but remotely, not using the offline mode with the public key ).
The api is a spring boot 3.0.1 project.
How to configure security in spring boot 3.0.1 to do that check?
Thank you in advance.
You do that with access-token introspection. In spring-security conf, that means using opaqueToken() instead of jwt() (the first configures a resource-server with introspection and the second with a JWT decoder).
Be aware that token introspection is far less efficient than using a JWT decoder as a request is sent to the authorization-server for each and every request to a resource-server. Tutorial there.
Currently, I am Using Spring Security with LDAP authentication. But I want to Create one Rest API which will do LDAP authentication and will then I will generate JWT token so for upcoming request I can valid JWT tokens.
Any suggestions to achieve this ?
I have JWT token which is RSA256 signed. I need to validate this token in my my microservice.
Can anyone give a example of how to implement this using Spring Security.
You can setup a springboot resource server to handle the JWT token and security. Check spring document for resource server
We are using the #EnableResourceServer annotation to apply the security filter for all our APIs. We are using Spring OAuth2 and JWT tokens. We use both client credentials token (obtained using client-id and client secret) and User token (using name/password)
We want to protect certain endpoints (**/clientTokenAllowed/myapi) using the client JWT token, whereas all others would need a user JWT token.
Where should I put this validation check in the filter? Could not find the right example to do this.
In Spring Security OAuth you can make use of expressions like #oauth2.hasScope(), #oauth2.isUser(), #oauth2.isClient() and the likes in your ResourceServer HTTPSecurity configuration. More like these expressions can be found here
So in your case you might want to use #oauth2.isUser() and #oauth2.isClient().
I run my app with Spring Boot using JWT token for authentication. I have a filter checks a token. Also my app provide rest API documentation with Swagger 2. I don't want my rest api will be public
So my question is, how i can provide a security for Swagger access? and can provide basic security for it?