I have a Spring boot application in which users can log in and their credentials would then be used to perform an AWS ADFS login.
A preconfigured role will be assumed and we'll get an access key, secret key, and session token in return. These will then be used to create the S3 client to perform file upload/download operations.
My issue is how can we perform the AWS ADFS login from the java spring boot code? Is there a library that supports it out of the box?
Also, I understand the session obtained this way is short-lived. Is there a way to refresh the session so that these tokens do not expire? Or should the whole AWS authentication, s3 client creation be done every time an upload/download request comes in?
Related
We have a spring boot REST API which will be used by mobile client. Azure AD is used for auth. We need to generate access token for initial testing spring boot REST API. What is the recommended option for this?
Basically we need to to generate access token using client credentials and call the REST API end point using the access token. Then on the REST API, validate access token and print the app roles assigned in Azure AD.
To get the access token from Azure AD to authenticate and authorize users from Azure AD.
First, you need to register both the application mobile client and spring boot applications in your Azure AD. Refer register your application in the Azure AD.
To generate access token using client credentials flow, there would be no user involvement, so your server application needs to create an appRole, and then grant the app Role as an application permission to the client application.
The administrator must grant the correct application permissions via a consent process to access the application.
Configure the application's details registered in Azure AD to your spring boot application.properties file with application id, tenant id, client-secret and scope.
Refer guide to configure client application to access a web API using spring boot step by step.
I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because is a legacy application. It is capable of collecting the credentials and start the session via HTTP Basic Authentication, and then keep the cookies for the session in the following requests.
Given this scenario, I think best option is to make use the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials by the OAuth2 Tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require to make an initial call to the Authorization Provider to exchange the collected credentials by the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session, then Spring is able to use that client in further requests. The problem with this project is it seems to only work as when the OAuth client is used to make HTTP requests (e. g. an endpoint that makes a call to another service) and not provide authentication to the controller. You can find more information about this in here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?
I would like to create a simple console spring boot application which should read an URL from terminal then print its data then again read another URL and print its data and so on till pressing CTRL + C. The grant type to be used should be client credentials; the client credentials should be the same for every URL and should be conveyed to the application at startup using the spring boot Externalized Configuration capabilities. After 1th URL read the access token used in the process should be reused for the subsequent URLs; when expired/invalidated the access token should be transparently renewed/re-generated (using the refresh token if provided by the authorisation server in the 1th place or again the client credentials grant type).
The 6.6 OAuth 2.0 Client with e.g. 12.5 WebClient for Servlet Environments seems to fit the need but require to configure HttpSecurity (see 6.6 OAuth 2.0 Client) which I don't need because I'm not creating a web application but kind of a curl utility.
How would one benefit the features provided by those without having to configure HttpSecurity?
you can consider postman is a console application without http security config. I think you need to create your own login to store the token and then put it into the header for each restful call.
I have gone through many posts and articles but didn't find a straightforward solution for the case below which I have to implement.
Platform: Spring Boot 2.x.x (Spring Security 5.x.x) with embed Tomcat
Solution: REST service that consume many client apps and many end users.
I have to implement a REST end point /api/search which accessible for many client application. As an example, web application APP-X (Angular), web application APP-Y(Jquery/Bootstrap) and mobile application APP-Z (IOS). All three clients are separate entities (both technical perspective and business perspective).
So I have to authenticate above application using onetime token. Therefore I planned to go for Spring OAuth2 by enabling #EnableAuthorizationServer and #EnableResourceServer. For each app client I’ll generate a token and they can use it when they connect with my REST service. Is this approach correct?
Apart from the app clients system has capability to register and login functionality for end users. Also my end point (/api/search) can access both anonymous users and users who registered under ROLE_REGUSER role. And through the security context, I need to access the user details as usual user authentication.
This is the place I got stuck. How can I handle the following points together using Spring Security 5.x.x (Spring Boot 2.x.x).
I. Both client apps and end users authentications.
II. Allow access for anonymous users and registered users for same end point.
I have attached small diagram to elaborate the above scenario.
Thanks
I found a solution when I upgraded my spring security version to 5.2. In version 5.2, they have depreciated #EnableAuthorizationServer and #EnableResourceServer. So I had to move with an external authorization provider who supports auth2. I chose AWS Cognito, and fulfill the above requirement, using the user pool option.
In AWS Cognito
I created a user pool.
Then created two app clients in the same user pool.
One app client configured as support to the client credentials flow.
The second app client configured as support to the user authentication flow.
In client applications
Retrieve access token directly from AWS Cognito using client credentials and used to secure all API calls.
If a user login at any stage, retrieve access token directly from AWS Cognito using the authorization code and replace any existing access token.
The advantage is, the resources server can validate any access token that generated related to the same user pool.
In resources server (backend API/Spring Boot)
Validate access token.
I have a spring cloud oauth #EnableAuthorizationServer that uses a jpa backend to store the accounts. I also have a couple of different clients, a website, an intranet and a ionic mobile app.
all the clients have separate client credentials inline in the oauth config block.
i have then tried to use the spring cloud sso to not have to login again.
my problem is that I want to remove the authorize step since all my clients are known to me and i simply want the user to be logged in across all my apps.
is this possible with spring cloud sso?
The authorization happens on the authorization server (so nothing to do with Spring Cloud). A UserApprovalHandler would do what you need, but the default one should work if you just set autoapprove=true (or a pattern matching te scopes you want to auto approve) in the client details. (Assuming your auth server is Spring OAuth.)