In the open API V3 in the security scheme, spring doesn't accept the oauth2 in lowercase and that cause a problem in swagger editor
SecurityScheme ss = new SecurityScheme();
ss.setDescription(project.getAuthMSRuntimeURL());
ss.type(SecurityScheme.Type.OAUTH2);
Here is the error in swagger editor
Related
I am securing my application with OpenID Connect and Keycloak.
My API documentation is OpenAPI 3 which I generate from code.
#Bean
public OpenAPI customOpenAPI() {
OAuthFlows flows = new OAuthFlows();
OAuthFlow flow = new OAuthFlow();
String authUrl = authServerUrl + "/realms/" + realm + "/protocol/openid-connect/auth";
flow.setAuthorizationUrl(authUrl);
Scopes scopes = new Scopes();
flow.setScopes(scopes);
flows = flows.implicit(flow);
return new OpenAPI()
.components(new Components().addSecuritySchemes("keycloak",
new SecurityScheme().type(SecurityScheme.Type.OAUTH2).in(SecurityScheme.In.HEADER).flows(flows)))
.info(new Info().title(appName)
.version(appVersion))
.addSecurityItem(new SecurityRequirement().addList("keycloak",
Arrays.asList("read", "write")));
}
This works fine as I can authenticate via Keycloak's implicit flow. Now I want to secure only some endpoints and not all in my API.
I tried to annotate the desired endpoint with
#SecurityRequirement(name = "keycloak")
This seems to work. When I look in the JSON api-docs of my Swagger UI HTML, I can see that this entity is added to the endpoint configuration.
The problem seems to be that it is also placed as a global statement in the docs, so it is used for every endpoint.
QUESTION:
Is there a way to define the security scheme as non-global so I can place it to specific endpoints?
I could not find much documentation on configuring OpenAPI 3 by code. I've seen a way to add it via Annotation to the main class of the object via #OpenAPIDefinition( but I could not find a documentation for it and I did not figure out how to define the openid connect specifics within this annotation.
I keep seeing the following block of code for registering SAML identity providers:
spring:
security:
saml2:
relyingparty:
registration:
adfs:
identityprovider:
entity-id: https://idp.example.com/issuer
verification.credentials:
- certificate-location: "classpath:idp.crt"
singlesignon.url: https://idp.example.com/issuer/sso
singlesignon.sign-request: false
However, I have an older project that I need to implement multiple SAML identity providers that is NOT built on Spring Boot, and converting it is not an option (if we were starting the same project today, of course we would use Spring Boot).
How does the above code translate to doing this manually?
You can do that by exposing a bean of type RelyingPartyRegistrationRepository:
#Value("${verification.key}")
File verificationKey;
#Bean
public RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
X509Certificate certificate = X509Support.decodeCertificate(this.verificationKey);
Saml2X509Credential credential = Saml2X509Credential.verification(certificate);
RelyingPartyRegistration registration = RelyingPartyRegistration
.withRegistrationId("example")
.assertingPartyDetails(party -> party
.entityId("https://idp.example.com/issuer")
.singleSignOnServiceLocation("https://idp.example.com/SSO.saml2")
.wantAuthnRequestsSigned(false)
.verificationX509Credentials(c -> c.add(credential))
)
.build();
return new InMemoryRelyingPartyRegistrationRepository(registration);
}
The application.yml properties that you mentioned, are just a shortcut to declare this bean from Spring Boot. There is a complete sample not using Spring Boot in the Spring Security samples repository.
Also, there is an entire section in Spring Security documentation teaching how to override Spring Boot auto-configuration (where I took the code block above).
I found an odd behavior with JWT parsing and JwtValidators.
Scenario:
Spring Boot OIDC client (for now a tiny web app, only displaying logged in user and some OIDC objects provided by Spring)
Custom JwtDecoderFacotry<ClientRegistration> for ID-Token validation
JwtValidatorFactory based on JwtValidators.createDefaultWithIssuer(String)
This worked well with Spring Boot version <= 2.2.10.
Debugging:
NimbusJwtDecoder (JAR spring-security-oauth2-jose) uses claim set converters. The 'iss' (issuer) claim is handled as URL.
JwtIssuerValidator (internally created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>.
this one finally calls equals() that is always false - it compares String with URL.
My current workaround is not calling JwtValidators.createDefaultWithIssuer() but just using the validators new JwtTimestampValidator() and an own implementation of OAuth2TokenValidator<Jwt> (with wrapping JwtClaimValidator<URL>).
Anyone else having trouble with this?
--Christian
It's a bug. Pull Request is created.
Currently I am using Spring Security Oauth2 2.3.2 Release. I want to set up a Authorization Code Grant Type Based Authentication.
I debugged the Spring Security "/oauth/authorize" EndPoint. I found below code
private AuthorizationCodeServices authorizationCodeServices = new InMemoryAuthorizationCodeServices();
I debugged more into the code and I found out that AuthorizationCodeServices is implementented by 3 Classes .
1) InMemoryAuthorizationCodeServices
2) JdbcAuthorizationCodeServices
3) RandomValueAuthorizationCodeServices
Default Implementation of Spring provides the InMemoryAuthorizationCodeServices. I want to configure it based on the JdbcAuthorizationCodeServices. Now, for that do I need to write my own endpoint and code or could it be done using any configuration?
I'm documenting my API with Swagger and I'm applying the following annotation to all of my REST Controllers:
#Api(value = "Some value", description = "Some Description", tags = {"Tag Tag Tag"})
However, I also want to include the endpoints provided by Spring Boot Actuator (/health, /info) on Swagger (and they are being included), however I can't seem to find a way to change their default description, tags, and title, among other swagger properties.
Is there a way to do this? Thanks in advance.