I have a Spring Boot application with one endpoint. It uses a dependency on a library where a custom Authentication Provider is implemented. I need to configure my application (via application.yml properties) to use an Authentication Provider.
When I make an endpoint call I can see this output in the console:
c.b.c.f.c.s.WhiteListAuthFilter : Checking secure context token: null
c.b.c.f.c.s.WhiteListAuthFilter : Trusted IPs [null]
c.b.c.f.c.s.WhiteListAuthFilter : Attempting white list authentication 127.0.0.1
c.b.c.f.c.s.WhiteListAuthFilter : No pre-authenticated principal found in request
How can I do that?
I use Keycloak and I configure it with my application.properties file.
# Keycloak config (instead of keycloak.json)
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=demo
keycloak.resource=DemoApplication
keycloak.principal-attribute=preferred_username
keycloak.bearer-only=true
This works just fine. The problem is that I expected to have to create a Client in my Keycloak admin console, for the realm, that is used as the keycloak resource.
The docs say
resource
The client-id of the application. Each application has a client-id that is used to identify the application. This is REQUIRED.
But in this example DemoApplication is not registered in Keycloak. As I understand, every application that includes the keycloak-adapter dependency exchanges the public key with Keycloak on startup to be able to verify the signature of an incoming token. But why is this working if the client is not registered in Keycloak?
We have a problem with propagation of the traceId in requests which are made by the Spring OAuth2 module.
For instance, consider an authorization server and a resource server. In the resource server we have a Spring Security configuration that fetches the RSA public key from the authorization server with the following property:
security:
  oauth2:
    resource:
      jwk:
        key-set-uri: http://authorization-server:8080/key-set
When I call a controller of the resource server with a JWT token, I can see traces in Zipkin from the resource server and from the authorization server as well, but there is no traceId propagation from the resource server to the authorization server.
The first record is the REST API call to get resources, and the second record is the call made to the authorization server to find out the public RSA key.
I have a Spring Boot v.5+ application which uses Spring Security SAML.
When an IdP-initiated SingleLogout Request is called I get an error saying:
org.springframework.security.saml.SAMLStatusException: LogoutRequest is required to be signed by the entity policy
Is there an option to disable signing of LogoutRequest in my service provider?
I was facing the same issue. I tried to tweak the default value of the requireLogoutRequestSigned property (from the default true to false) in Table 7.2, Extended metadata settings, of my SP and it worked for me. I'm using a MetadataGenerator bean to configure this setting in spring-boot v2.1.1.RELEASE and spring-security-saml2-core v1.0.3.RELEASE.
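As an added illustration of the setting the answer above refers to (example code, not the answerer's own): the ExtendedMetadata is built in Java and handed to the MetadataGenerator bean; the entity id is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

@Configuration
public class SamlSpMetadataConfig {

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata metadata = new ExtendedMetadata();
        // Table 7.2 setting, default true. With false the SP accepts an unsigned
        // LogoutRequest from the IdP and relies on the remaining issuer and
        // destination checks of the single-logout profile instead of a signature.
        metadata.setRequireLogoutRequestSigned(false);
        return metadata;
    }

    @Bean
    public MetadataGenerator metadataGenerator(ExtendedMetadata extendedMetadata) {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("urn:example:sp"); // placeholder entity id
        generator.setExtendedMetadata(extendedMetadata);
        generator.setIncludeDiscoveryExtension(false);
        return generator;
    }

    // The filter regenerates the SP metadata on first request from the generator above,
    // so the relaxed setting is what the SP actually enforces at runtime.
    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter(MetadataGenerator metadataGenerator) {
        return new MetadataGeneratorFilter(metadataGenerator);
    }
}
```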
How can I get details from the OAuth2 SSO Principal into my JWT? (instance of OAuth2Authentication getDetails as OAuth2AuthenticationDetails getDecodedDetails returns null)
I have...
Angular 6 client w/ implicit login as acme client (using angular-oauth2-oidc)
Spring Boot OAuth2 Authorization Server with JWT TokenService configuration w/ 3rd party SSO to GitHub
Auth server is configured with acme as implicit and GitHub client for SSO
Auth server exposes a /login/github
Auth server exposes a /me (protected by ResourceServer config)
When I login...
Angular app redirects to Auth service login
Auth service redirects to GitHub
[User Authenticates]
GitHub redirects to Auth Service
Auth Service initiates a session and issues a token
Auth Service redirects to Angular
The browser token is a proper JWT
Now, when I communicate with Auth Service /me:
Directly, I get a Principal that contains ALL of the details from GitHub (yay)
Indirectly from the Angular application passing the token via Authorization: Bearer ... header, I get a Principal that contains bare minimum OAuth client info for acme client (ugh)
I've tried a custom TokenEnhancer, but the OAuth2Authentication instance is already the bare minimum with no details. And, when the call is initiated from Angular, it doesn't have the same session cookie as when I call it directly (I don't want to share session - I want to put the details in the JWT).
[Update #1]
I tried a custom JwtAccessTokenConverter and used it in both the @EnableAuthorizationServer and @EnableResourceServer (which secures the /me endpoint) configuration classes. However, it didn't work. I still get null details from OAuth2Authentication.
final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setAccessTokenConverter(new CustomTokenConverter());
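The usual place to push SSO profile data into the JWT with the legacy spring-security-oauth2 stack is enhance() on JwtAccessTokenConverter; the class below is an added example, not the asker's CustomTokenConverter. It assumes the SSO login left a details map (the structure UserInfoTokenServices produces) somewhere in the OAuth2Authentication chain, and that "login", "name" and "email" are GitHub profile keys; when no details are present, as the question reports, it copies nothing.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
// Copies a short whitelist of SSO profile fields into the JWT as extra claims. Only
// listed keys are copied: the whole upstream profile should not end up in a bearer token.
public class SsoDetailsClaimsConverter extends JwtAccessTokenConverter {

    // GitHub profile fields assumed to be present in the decoded details map.
    private static final List<String> CLAIMS = Arrays.asList("login", "name", "email");

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        Map<String, Object> details = findDetails(authentication);
        Map<String, Object> extra = new HashMap<>(accessToken.getAdditionalInformation());
        // With no details (the case the question reports) nothing is copied and the token is unchanged.
        for (String key : CLAIMS) {
            if (details.containsKey(key)) {
                extra.put("sso_" + key, details.get(key));
            }
        }
        // super.enhance() serialises additionalInformation as top-level JWT claims.
        DefaultOAuth2AccessToken enriched = new DefaultOAuth2AccessToken(accessToken);
        enriched.setAdditionalInformation(extra);
        return super.enhance(enriched, authentication);
    }

    // Walks the user-authentication chain (an OAuth2Authentication may wrap the
    // OAuth2Authentication produced by the SSO login) until a details map is found.
    static Map<String, Object> findDetails(Authentication auth) {
        for (Authentication a = auth; a != null;
             a = a instanceof OAuth2Authentication ? ((OAuth2Authentication) a).getUserAuthentication() : null) {
            Object d = a.getDetails();
            if (d instanceof OAuth2AuthenticationDetails) {
                d = ((OAuth2AuthenticationDetails) d).getDecodedDetails();
            }
            if (d instanceof Map) {
                return (Map<String, Object>) d;
            }
        }
        return new HashMap<>();
    }
}
```

Register it in place of the plain JwtAccessTokenConverter on both the authorization server and the resource server, as the question already does, so that both sides use the same claim layout.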
The way Spring Lemon does this is replacing the OAuth2 and OpenID connect user services (see spring security docs). See LemonOAuth2UserService and LemonOidcUserService for details. For statelessness, it passes the client a shortlived JWT token as a param to targetUrl, as you can see in its OAuth2AuthenticationSuccessHandler class. It uses some cookies mechanism for doing all this statelessly, which can be further understood by looking at its HttpCookieOAuth2AuthorizationRequestRepository and how it's configured.
Here is an article explaining this in more detail: https://www.naturalprogrammer.com/blog/1681261/spring-security-5-oauth2-login-signup-stateless-restful-web-services .
I have implemented Spring Security Oauth in my project.
I have 2 different modules in my project:
Module A
Module B
I have implemented my OAuth configuration in Module A using XML definitions. This works successfully and I am able to generate an access token and a refresh token when hitting the URL /oauth/token.
Now module B has a dependency (defined in pom.xml) on module A. When I try to hit /oauth/token from module B, it gives me the following exception:
InsufficientAuthenticationException:
There is no client authentication. Try adding an appropriate authentication filter.
This occurs in TokenEndpoint at line 74 when the following condition is true:
!(principal instanceof Authentication)
Can someone guide me on what the issue could be and how I could resolve it?
Thanks,
Jubin