I want to build web application in Spring Boot and React as frontend.
This application must have user authorization with roles and this is my question.
Are the Basic Spring Eecurity allow to share roles into frontend or I should use JWT?
If you use js framework (React etc.) so you need to generate and provide jwt (access & refresh token) from backend. Also you can use keycloak for implementing authorization functionality.
Related
i am currently working on a project where my backend uses Spring Boot, Spring security + keycloak and runs on localhost:8081.
My frontend (svelte) runs on http://127.0.0.1:5173/ and the url http://127.0.0.1:5173/products needs to access data from localhost:8081/products (which needs a login) but the login page from keycloak doesnt appear.
In other words, what i am trying to achieve:
I want that the url http://127.0.0.1:5173/products redirects to localhost:8081/products which redirects to keycloak login page and after a successfull login i want to return to http://127.0.0.1:5173/products where i will be able to see the data.
is there an elegant solution to this problem? Im really stuck on this problem and this is one of my first projects.
Thanks in advance!!
Some OAuth2 wording:
Keycloak is an authorization-server (OIDC complient)
Svelte app is a client
Spring REST API is a resource-server
Ensure that a "public" client is declared in Keycloak.
Configure your Svelte client with an existing OIDC lib (component) of your choice to:
use the "public" client deckared in Keycloak
authenticate users against Keycloak (socket is not the same as spring API)
add an authorization header with a JWT access-token retrieved from Keycloak (when issuing requests to your secured REST endpoints)
Configure Spring API as a secured resource-server with a JWT decoder.
You can refer to this article for configuring Keycloak and resource-server with JWT access-tokens.
I have a spring based application which does authentication and authorization(oauth2 based) for a client app.I want to now use keycloak to manage my authorizations, but i want to keep my spring code. Basically i want to use my existing auth code as an external identity provider in keycloak.
I am thinking of adding changes in client app such that it receives token from my existing oauth code(which does the authentication) and then exchange this token with keycloak(for session and authorization management). How can i do this? What configurations need to be done in keycloak?
I read about token exchange in keycloak here, but i am not clear about the kind of token i need to send from my existing auth code.
https://www.keycloak.org/docs/latest/securing_apps/
Here is how OAuth2 roles are usually spread:
Keycloak is authorization-server
Spring service is resource-server
front-end is client
user is resource-owner
I have a doubt of you wanting your Spring service to be "authorization-server" as well (serve user identity). If so, I think you should not.
Keycloak (or any other OpenID provider) should be the only authorization-server. Both Spring and client(s) should be configured to use it as so.
To write it differently, Keycloak is responsible for users login and emitting tokens with user ID (subject) and rights (roles or whatever). Other tiers in the architecture (clients & resource servers) get user info from the token and apply relevant security checks (spring security annotations, Angular guards, etc.).
I published a mono-repo for a meetup with minimal sample involving a Spring resource-server and Angular (with Ionic) client talking to a Keycloak OpenID authorization-server. You might find some inspiration browsing it.
I have existing REST API's built into multiple springboot projects. Now would want to enabled JWT for all REST services. I have a separate project which does JWT for a test service. Can that JWT project be linked like a library or associated as a springboot parent to enable spring JWT auth for all REST services which are present in multiple projects.
There are not enough details within your question but we also have multiple spring boot services which share common authentication and authorization mechanism (OAuth2.0 authorization token flow + Keycloak + JWT). The implementation of this mehanism is realized as a custom spring boot starter which is the approach I would recommend to you. You can start reading about that, for example, here.
I have two spring boot application. One is Rest and the other one is Spring boot web MVC app which consumes the Rest. The Rest has spring security configured and I want to login/logout from the client app. The client app has nothing but view and controllers to interact with the rest api.
I am using rest template to interact with the api now.
If the client app is not secured so any other anonymous app may do the same, and this is not security, it's a sieve ...
If you want to create a custom authorization/authentication, you can create own protocol and use tokens/JWT (possibly, OpenID or other global technology) and exchange information between applications.
But there is technology to do it all centrally and reliably - OAuth2, and Spring has it 'from the box' - authorization server, resource server, client. The most advantage - multiple applications (clients), one authorization - you create one user and can authenticate it on any client with the same credentials. You can customize it with JWT, and use any data in the access token and as a consequence get any information about principle/authorization.
I'm trying to secure my single page Angular 5 application that has a spring boot backend with firebase authentication.
Is the following a good way to implement this.
All requests that do not start with /api are forwarded to index.html with forward:/index.html. The AuthGuard in my Angular app will then handle whether the user has access or needs to login.
All requests going to /api/** have to be authenticated. Here the firebase user token will be set in the header of the request by Angular and my custom Spring authentication filter and authentication provider vill handle it.
Are there any tutorials, specifically for the spring part of the implementation, that I can look at. I haven't found any thing similar and I want to be sure that the security implementation is done correctly.