I am creating a login mechanism to use AWS IAM SAML IdP and ADFS.
I am looking for a way to start using Spring Boot to log in to the application through the IdP. Is there any example of this?
Related
I have been exploring Apigee and Okta configuration using the https://github.com/tom-smith-okta/okta-api-center repo. Here Apigee Edge acts as a gateway to the https://okta-solar-system.herokuapp.com/ APIs, and the token for authentication is generated via Okta. My understanding is that https://okta-solar-system.herokuapp.com/ doesn't have any Okta authentication enforcement. The check is via Apigee.
If I were to replace https://okta-solar-system.herokuapp.com/ with a Spring Boot application hosted publicly, should the application have Okta security enabled (e.g. https://github.com/oktadeveloper/okta-spring-boot-oauth-example), or should I follow the same procedure as above and delegate enforcement of the token to Apigee, without any security enforcement on the Spring Boot application?
Can someone tell me what is the standard way of implementation I should follow?
If the Spring Boot application has no enforcement of security, what is to prevent someone from bypassing the Apigee API gateway and calling it directly?
If you have successfully managed to secure the Spring Boot application so that only the API gateway can communicate with it (via mutual TLS connection, IP allow listing, etc.), you might be able to forego any enforcement at the service level, but I would recommend doing some authorization checks in the service itself.
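One way to do those service-level checks, as an added example that is not part of the answer above: the Spring Boot service validates the Okta-issued JWT itself (signature, expiry, issuer and audience) and enforces a scope per endpoint, so a caller who bypasses Apigee still needs a valid token. It assumes Spring Boot 2.x with spring-boot-starter-oauth2-resource-server; the issuer, audience, scope name and endpoint are placeholders chosen for this illustration.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {
    // Placeholders (assumed values): your Okta authorization server and the audience it puts in "aud".
    private static final String ISSUER = "https://dev-XXXXXX.oktapreview.com/oauth2/default";
    private static final String AUDIENCE = "api://default";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must carry a bearer token that passes jwtDecoder(); no anonymous access.
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(j -> j.decoder(jwtDecoder())));
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Discovers Okta's JWKS from the issuer and verifies signature, exp/nbf and "iss".
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(ISSUER);
        // Default validation does not check "aud"; add it so tokens minted for other APIs are rejected.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
}

@RestController
class PlanetController {
    // The "scp"/"scope" claim is mapped to SCOPE_* authorities, so this requires the planets:read scope.
    @GetMapping("/planets")
    @PreAuthorize("hasAuthority('SCOPE_planets:read')")
    public List<String> planets() { return List.of("mercury", "venus"); }
}
```

Network-level controls (mutual TLS or an allow list for the gateway's addresses) still belong in front of this; the token check is the layer that holds if those are misconfigured.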
I'm trying SSO login with Spring Boot and OAuth2.
I have an oauth2 client running on http://localhost:8001/demo and an oauth2 authorization server running on http://localhost:9001/uaa
As a result, after the approval page it redirects to the approval page again and again. I'm getting back "org.springframework.security.authentication.BadCredentialsException: Could not obtain access token" from the client.
I have no idea what's going on. I did this with Spring Boot 1.5 and everything seemed to be fine.
Code
I am using Keycloak with my Spring Boot application. I want to use Okta as the Identity Provider, without success, with this configuration:
Spring configuration:
security.oauth2.resource.userInfoUri=https://dev-XXXXXX.oktapreview.com/oauth2/default/v1/userinfo
security.oauth2.resource.tokenInfoUri=https://dev-XXXXXX.oktapreview.com/oauth2/default/v1/introspect
security.oauth2.resource.preferTokenInfo=false
security.oauth2.client.accessTokenUri=https://dev-XXXXXX.oktapreview.com/oauth2/default/v1/token
security.oauth2.client.userAuthorizationUri=https://dev-XXXXXX.oktapreview.com/oauth2/default/v1/authorize
security.oauth2.client.clientId=CLIENT_ID
security.oauth2.client.scope=openid profile email
Okta Identity Provider configuration:
But this configuration is always leading me to HTTP 400:
What am I missing?
You should configure your Spring Boot to work with Keycloak and then Keycloak to work with Okta.
The following article describes how to configure Keycloak with the Okta SAML provider:
https://ultimatesecurity.pro/post/okta-saml/
I cannot answer it with certainty, but have you added the redirect URL to the trusted origins in the Okta dashboard?
https://developer.okta.com/code/javascript/okta_sign-in_widget?_ga=2.16453941.2053718723.1521541302-1766190875.1521541302
In Spring Security OAuth, can it consume/work with JWT tokens that were generated from a user authenticating with Keycloak? Keycloak's OpenID, as far as that goes, but it all seems to be really similar. I'm still trying to understand the dividing line and also what's similar or the same with this.
Basically I'd like to authenticate separately in a REST client, then use the token in the Authorization header for REST calls to some web services. There seems to be some JWT stuff in Spring Security OAuth, so I'm wondering if I can actually use that instead of the Keycloak Spring stuff? Are there any examples of this out there? (I'd love to use the Spring Security checks on different methods in my controller.)
You can use the Keycloak Spring adapter and still rely on Spring Security annotations for controller security. The main purpose of the Keycloak Spring adapter is to simplify the integration with Keycloak for interactive login and also to correctly map JWT access token claims into the Spring Security authentication context.
Reading through the Spring Security OAuth2 documentation, I get the impression that it's not quite ready out of the box to handle OpenID Connect JWT access tokens. However, it's customizable so it could most likely be made to work.
My advice for now is to stick with the Keycloak Spring adapter if you're using Keycloak as your OIDC server. It will save you time and it's well tested with Keycloak.
I have implemented an SSO solution using the Spring SAML extension; now I would like to test IdP-initiated SSO.
Could anyone please give me the URL for IdP-initiated SSO for the Spring SAML extension with respect to idp.ssocircle.com?
Use the following URL and replace spEntityID with your own unique identifier:
https://idp.ssocircle.com:443/sso/saml2/jsp/idpSSOInit.jsp?metaAlias=/ssocircle&spEntityID=saml-federation.appspot.com