Spring, OAuth2 client - Spring

I have a Spring application and I would like to be able to access a remote resource; the remote resource supports OAuth2 authentication.
From the resource I have:
username, password, grant_type, client_id
Can you please tell me what I can use for this?

Related

Resource Owner Password Credentials with Spring Boot

I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because it is a legacy application. It is capable of collecting the credentials and starting the session via HTTP Basic Authentication, and then keeping the cookies for the session in the following requests.
Given this scenario, I think the best option is to make use of the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials for the OAuth2 tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require making an initial call to the Authorization Provider to exchange the collected credentials for the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project that ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password, which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session; then Spring is able to use that client in further requests. The problem with this project is that it seems to only work when the OAuth client is used to make HTTP requests (e.g. an endpoint that makes a call to another service) and not to provide authentication to the controller. You can find more information about this here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know how to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?

How to implement JWT with Keycloak in a Spring Boot microservice architecture?

I have read some articles on the Keycloak Spring implementation (e.g. easily-secure-your-spring-boot-applications-with-keycloak) but none of them mention how to use it with JWT.
I have created a Zuul API gateway and added the Keycloak adapter as described in the previously linked article. That's OK, but I want to use JWT with Keycloak.
It is mentioned elsewhere to set the client access type to bearer-only and the session strategy to NullAuthenticatedSessionStrategy. Is that enough, or is something else needed for JWT?
So my questions:
How do I configure the client in the Keycloak admin console for JWT?
How do I configure Keycloak in the backend config file for JWT?
How do I configure the Keycloak adapter for JWT?
How do I pass user info to the microservice? Create a filter in the gateway? But how do I get the user info from the request?
The Keycloak access token is a JWT. It is JSON, and each field in that JSON is called a claim. By default, the logged-in username is returned in a claim named “preferred_username” in the access token. Spring Security OAuth2 Resource Server expects the username in a claim named “user_name”. So you need to create a mapper to map the logged-in username to a new claim named user_name.
In order to provide access to the client (micro-service), the respective role needs to be assigned/mapped to the user.
In your Spring Boot application, you then need to configure the connection to the Keycloak server, providing the auth URL, token URL, scope, grant type, client ID and client secret.
After that, for your app to be able to parse the JWT token, you need to create a JwtAccessTokenCustomizer. This class should extend DefaultAccessTokenConverter and implement the JwtAccessTokenConverterConfigurer interface. The main logic lies in the public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) method.
Then you need to configure the OAuth2 Resource Server to provide access for other micro services. For that, you define an OAuth2RestTemplate bean here.
And in the end, secure your REST API via the standard configuration component.
So you can see that it is a large piece of work and couldn't be described with code; show some of your work, divide it into chunks, and ask your specific questions.
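As an added illustration of the JwtAccessTokenCustomizer step in the answer above (this is example code, not code from the answer's author or from Keycloak/Spring), here is a converter that extends DefaultAccessTokenConverter and implements JwtAccessTokenConverterConfigurer, with the logic in extractAuthentication. It reads the claims Keycloak issues by default (preferred_username, azp, realm_access.roles, scope) instead of requiring a user_name mapper, and turns realm roles into ROLE_-prefixed authorities so hasRole() checks work. The class name KeycloakJwtAccessTokenCustomizer and the helper methods realmRoles/scopes are my own names. It relies on the auto-configured JwtAccessTokenConverter from spring-security-oauth2-autoconfigure, which verifies the token signature before it hands the decoded claims to this converter.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.boot.autoconfigure.security.oauth2.resource.JwtAccessTokenConverterConfigurer;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.stereotype.Component;

// Example class (hypothetical name): maps Keycloak's default claims onto a Spring OAuth2Authentication.
@Component
public class KeycloakJwtAccessTokenCustomizer extends DefaultAccessTokenConverter
        implements JwtAccessTokenConverterConfigurer {

    @Override
    public void configure(JwtAccessTokenConverter converter) {
        // Register this converter. JwtAccessTokenConverter verifies the JWT signature first and only
        // then passes the decoded claim map to extractAuthentication below, so unsigned or tampered
        // tokens never reach this code.
        converter.setAccessTokenConverter(this);
    }

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) {
        // Keycloak puts the authorized party (client id) in "azp" rather than "client_id".
        String clientId = (String) tokenMap.get("azp");
        // Keycloak's default username claim; reading it here removes the need for a user_name mapper.
        String username = (String) tokenMap.get("preferred_username");

        // Realm roles become ROLE_<NAME> authorities so @PreAuthorize("hasRole('ADMIN')") works.
        Set<GrantedAuthority> authorities = realmRoles(tokenMap).stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
                .collect(Collectors.toCollection(LinkedHashSet::new));

        Map<String, String> parameters = new HashMap<>();
        parameters.put("client_id", clientId);
        OAuth2Request request = new OAuth2Request(parameters, clientId, authorities, true,
                scopes(tokenMap), Collections.emptySet(), null, null, null);
        // No credentials are available (or needed) on the resource server side.
        UsernamePasswordAuthenticationToken user =
                new UsernamePasswordAuthenticationToken(username, "N/A", authorities);
        return new OAuth2Authentication(request, user);
    }

    /** Roles from the realm_access.roles claim that Keycloak issues by default. */
    @SuppressWarnings("unchecked")
    static List<String> realmRoles(Map<String, ?> tokenMap) {
        Object realmAccess = tokenMap.get("realm_access");
        if (!(realmAccess instanceof Map)) {
            return Collections.emptyList();
        }
        Object roles = ((Map<String, ?>) realmAccess).get("roles");
        return roles instanceof List ? (List<String>) roles : Collections.emptyList();
    }

    /** The "scope" claim is a single space-separated string in Keycloak tokens. */
    static Set<String> scopes(Map<String, ?> tokenMap) {
        Object scope = tokenMap.get("scope");
        if (!(scope instanceof String) || ((String) scope).isEmpty()) {
            return Collections.emptySet();
        }
        return new LinkedHashSet<>(Arrays.asList(((String) scope).split(" ")));
    }
}
```

With spring-security-oauth2-autoconfigure, any JwtAccessTokenConverterConfigurer bean is applied to the auto-configured JwtAccessTokenConverter; point security.oauth2.resource.jwk.key-set-uri at the realm's certs endpoint so signatures are checked against Keycloak's published keys rather than a copied static key. Only the realm roles are mapped here; client roles live under resource_access.<client>.roles and would need the same treatment if you authorize on them.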

Spring OAuth2 OAuth2RestTemplate and resource owner password

I'm trying to figure out how to have my Spring OAuth2 client use the resource owner password scheme when authenticating to my Authorization server using Spring OAuth2. I don't get what the documentation states:
If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral), not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).
How do I do this? Since I'm building both the authorization server and the client, my client is a trusted source and I do not need to go through the auth code flow.
I saw this answer: Spring Security Oauth2 - Adding credentials to the AccessTokenRequest
But I'm not exactly clear on how to achieve this so that I don't have to go through the redirect. Can you do this through a basic auth header?
Update:
I think I got it working.
I create a ResourceOwnerPasswordResourceDetails and a new ResourceOwnerPasswordAccessTokenProvider.
Then I get a token using the credentials and set the token in the injected OAuth rest template.
OAuth2AccessToken token = accessTokenProvider.obtainAccessToken(details, request);
restTemplate.getOAuth2ClientContext().setAccessToken(token);
Is this correct?
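An added example (not code from either poster) that fills in the two lines from the update above and also answers the opening question on this page (what to use when you hold username, password, grant_type and client_id for a remote OAuth2 resource). It follows the documentation quoted above: the shared ResourceOwnerPasswordResourceDetails holds only the client configuration, and the user's credentials go into a per-call DefaultAccessTokenRequest, which the provider merges into the token request form. The class name PasswordGrantClient, the URLs, the scope and the client id/secret are placeholders I made up.

```java
import java.util.Arrays;

import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

// Example class (hypothetical name) using the legacy spring-security-oauth2 client API.
public class PasswordGrantClient {

    // Placeholder endpoints; substitute your authorization server and resource server.
    private static final String TOKEN_URI = "https://auth.example.test/oauth/token";
    private static final String RESOURCE_URI = "https://api.example.test/account";

    private final ResourceOwnerPasswordResourceDetails details;
    private final ResourceOwnerPasswordAccessTokenProvider provider =
            new ResourceOwnerPasswordAccessTokenProvider();

    public PasswordGrantClient(String clientId, String clientSecret) {
        // Shared, long-lived client configuration; the constructor already sets grant_type=password.
        details = new ResourceOwnerPasswordResourceDetails();
        details.setAccessTokenUri(TOKEN_URI);
        details.setClientId(clientId);
        details.setClientSecret(clientSecret);
        details.setScope(Arrays.asList("read"));
        // Deliberately no setUsername/setPassword here: those fields would be shared by every
        // token request made through these details, which is what the documentation warns against.
    }

    /** Exchanges one user's credentials for an access token without storing them in the shared details. */
    public OAuth2AccessToken obtainToken(String username, char[] password) {
        AccessTokenRequest request = new DefaultAccessTokenRequest();
        request.set("username", username);
        request.set("password", new String(password));
        try {
            // The provider posts grant_type, client authentication, scope and these request
            // parameters to TOKEN_URI; the request map overrides the (empty) details fields.
            return provider.obtainAccessToken(details, request);
        } finally {
            // The request map is ephemeral: clear it so the password does not outlive this call.
            request.clear();
            Arrays.fill(password, '\0');
        }
    }

    /** Calls the protected resource with a template bound to an already obtained token. */
    public String fetchAccount(OAuth2AccessToken token) {
        DefaultOAuth2ClientContext context = new DefaultOAuth2ClientContext(new DefaultAccessTokenRequest());
        context.setAccessToken(token);
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(details, context);
        // OAuth2RestTemplate adds "Authorization: Bearer <token>" to the request itself.
        return restTemplate.getForObject(RESOURCE_URI, String.class);
    }

    public static void main(String[] args) {
        PasswordGrantClient client = new PasswordGrantClient("desktop-client", "change-me");
        OAuth2AccessToken token = client.obtainToken("alice", "correct-horse".toCharArray());
        System.out.println("token type " + token.getTokenType() + ", expires in " + token.getExpiresIn() + "s");
        System.out.println(client.fetchAccount(token));
    }
}
```

One caveat: when the stored token expires, OAuth2RestTemplate will try to acquire a fresh one from the details, which carry no username or password, so that call fails. Either call obtainToken again with the user's credentials, or use the refresh token the server returned, rather than copying the password into the details to make the refresh "work".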

Allow Authentication server access to Resource server

I'm working with the Spring OAuth2 sparklr and tonr examples. I've broken up sparklr into two applications to separate the Resource server and Authentication server. They're both running on Spring Boot and Java Config.
The Resource server (API) has an /account resource I would like to expose to the Authentication server (MVC) so that the Auth server can create accounts, but of course the resource is protected.
How can I grant the Authentication server access to the /account on the Resource server?
If your /account resource is an OAuth-protected resource, then your auth server is now a client. I don't see any in-principle problem with that (copy the client-side config from tonr and use an OAuth2RestTemplate as if it were a vanilla RestTemplate). You haven't really provided enough information to know what kind of client and grant type should be used (maybe client_credentials?).
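To make the answer's suggestion concrete, here is an added example (my code, not from the answer's author or from the sparklr/tonr samples) of the Authentication server acting as a client_credentials client of the Resource server: a ClientCredentialsResourceDetails bean, an OAuth2RestTemplate built on it, and a service that posts to /account. The class names AccountClientConfig and AccountCreator, the URLs, the scope account.write, the client id and the AUTH_SERVER_CLIENT_SECRET environment variable are placeholders I chose.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.common.AuthenticationScheme;
import org.springframework.stereotype.Service;

// Example configuration (hypothetical name) registering the auth server as a client_credentials client.
@Configuration
public class AccountClientConfig {

    @Bean
    public ClientCredentialsResourceDetails accountClientDetails() {
        ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
        details.setAccessTokenUri("https://auth.example.test/oauth/token"); // placeholder
        details.setClientId("auth-server");                                  // placeholder
        // Keep the secret out of source: read it from the environment (placeholder variable name).
        details.setClientSecret(System.getenv("AUTH_SERVER_CLIENT_SECRET"));
        // Ask only for what the account call needs, so a leaked token is limited to that scope.
        details.setScope(Collections.singletonList("account.write"));       // placeholder scope
        // Authenticate the client with HTTP Basic on the token endpoint instead of form fields.
        details.setClientAuthenticationScheme(AuthenticationScheme.header);
        return details;
    }

    @Bean
    public OAuth2RestTemplate accountRestTemplate(ClientCredentialsResourceDetails details) {
        // No end user is involved, so a plain DefaultOAuth2ClientContext (not the session-scoped
        // one a browser client would use) holds the token for the whole application.
        return new OAuth2RestTemplate(details, new DefaultOAuth2ClientContext());
    }
}

// Example service (hypothetical name) that uses the template like a vanilla RestTemplate.
@Service
class AccountCreator {

    private final OAuth2RestTemplate rest;

    AccountCreator(OAuth2RestTemplate rest) {
        this.rest = rest;
    }

    /** Creates an account on the Resource server; the template obtains and renews the token itself. */
    public String create(String username) {
        return rest.postForObject("https://api.example.test/account", // placeholder URL
                Collections.singletonMap("username", username), String.class);
    }
}
```

The Resource server side then needs a client registration for "auth-server" with the client_credentials grant and the account.write scope, and the /account endpoint should require that scope (for example with #oauth2.hasScope('account.write') in the resource server's access rules) rather than accepting any valid token.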

How to obtain username, password in LdapUserDetail in Spring Security using LDAP authentication

I have configured Spring Security using LDAP authentication.
I have also configured the remember-me service for this.
But the LdapUserDetail returned by the LdapService doesn't contain
the password. Hence the remember-me service (TokenBasedRememberMeServices) is not able to generate the token.
Could someone help me out here as to what could be the issue?
1. Should we do any CustomUserAttributingMapping, or
2. Is reading the password restricted at the LDAP server,
or is it something else?
