Redirect to the same page user was in before SAML token Expires in Spring Security - spring

I have developed a Spring Security SAML-based SSO application. I wanted to redirect the user to the page he is using before the SAML token expires. After refreshing the page it is redirecting to the home page. I have used HttpSessionRequestCache, but it does not have any value after it reaches the LoginSuccessHandler.

Related

How to set session timeout spring webflux with redirect to login page

How to redirect okta login after session expired in spring oauth2

Spring Security and OneLogin Token Expiration

I am trying to configure an authentication flow in Spring Boot using OneLogin SSO. I can successfully authenticate, create a JWT token, and redirect to my frontend app.
However, I am not certain of the next steps. When my JWT token expires, is the appropriate course to clear my security context and then to redirect to OneLogin again and reconfirm my authentication? Right now, as far as I can tell, Spring's security context represents one moment in time and I can't figure out how to refresh it against my SSO provider to ensure the user is still authenticated.

Spring security requests after login

I understand the initial basic authentication used by Spring Security, but how does Spring Security handle subsequent requests to the server after the user has been authenticated? I mean, where does Spring look to check user credentials so that it does not ask the user to enter the password after each request to a secure resource on the server?
As for the classic session ID authentication, after the server has sent the session ID to the browser, how does Spring Security interact with it without asking for the password on each request?

How to get Refresh Token of KeyCloak in Spring Boot - Jhipster

I have created a microservice (Spring Boot) app with JHipster (having gateway + microservice + Keycloak), and also configured Keycloak.
Everything is working fine, but I have a problem with logging out of the application. When I hit the logout API from the UI, it only logs out from the gateway (not destroying the Keycloak session).
Note: the server is not saving any cookies in the browser except JSESSIONID.
I need to log the user session out of Keycloak. For that I went through the links below:
Logout user via Keycloak REST API doesn't work
https://www.keycloak.org/docs/3.3/securing_apps/topics/oidc/java/logout.html
As per the above links, I need to make a POST request to Keycloak which destroys the user's active sessions. For that I call the following API:
POST http://localhost:8080/auth/realms/<my_realm>/protocol/openid-connect/logout
Refer to the link (LINK answer of @Manh Ha).
I need to add the access token and refresh token in the request body. I found the access token from the Principal object, but I am struggling to find the refresh token.
Questions:
1) Where can I find the refresh token (in Spring Boot)?
Support for OIDC Logout was added in JHipster 5.8.0. You can upgrade your JHipster app or copy the code from this PR into your code.

How to authenticate REST web service without displaying any login page or any JSP page in Spring Security

I want to integrate Spring Security in REST web services, but when the URL is hit, the default login page is displayed by Spring Security. How can I authenticate a REST web service without displaying any login page or any JSP page?
You can configure Spring Security in your application, using preAuthorization in @EnableGlobalSecurityMEthod ~, I think is this annotation. In your REST service, using @PreAuthorization("<role>"), I think is this annotation. This works very well.
If you have basic authentication, then you can simply post the username/password encoded in the Authorization HTTP header from the client.
Or you can have a PreAuthenticatedAuthenticationProvider configured with a pre-authentication RequestHeaderAuthenticationFilter.
