I need to secure a web-app, the backend will be Java Rest API, meanwhile I'll use Angular for my front.
I am using Keycloak to authenticate into my webapp, but I need to follow the standard flow of OAuth, that means I need to get first the auth code and then the access&refresh tokens.
I saw some configuration, but they're all related to Spring, like putting this code in application.properties
# keycloak properties
keycloak.realm = services
keycloak.auth-server-url = http://127.0.0.1:8080/auth
keycloak.ssl-required = external
keycloak.resource = todo-api
keycloak.use-resource-role-mappings = true
keycloak.security-constraints[0].authRoles[0]=users
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/api/todo/*
The thing is in my project I don't have an application.properties file.
I've created a client in Keycloak, how do I have to configurate my JEE project to get the auth code?
Thanks a lot
You will need to log into Keycloak and select your realm and client "todo-api". Select the Installation tab and usually the Keycloak OIDC JSON format. This will create a configuration file that your frontend application will use for managing keycloak. To enforce the Auth code flow, disable the "Implicit Flow Enabled" and "Direct Access Grants Enabled" setting on the "todo-api" client.
Related
Spring 5.1+ should allow me to configure Auth0's login without a 3rd party jar, I've done similar things before. problem is I haven't figured out all the right properties. What do I need to set in order for this to work?
Create a new Application in Auth0 Dashboard, select Spring Boot as framework.
Set the following callback URL, when adding the settings of your application.
http://localhost:8080/login/oauth2/code/auth0
In dependencies
runtimeOnly("org.springframework.boot:spring-boot-starter-security")
runtimeOnly("org.springframework.boot:spring-boot-starter-web")
runtimeOnly("org.springframework.boot:spring-boot-starter-oauth2-client")
In application.properties is
spring.security.oauth2.client.registration.auth0.scope[0]=openid
spring.security.oauth2.client.registration.auth0.scope[1]=profile
spring.security.oauth2.client.registration.auth0.scope[2]=email
spring.security.oauth2.client.registration.auth0.client-id=<your client id in your application in Auth0 Dashboard>
spring.security.oauth2.client.registration.auth0.client-secret=<your secret in your application in Auth0 Dashboard>
# I haven't found general documentation for this but it's in format https://<your domain in dashboard
spring.security.oauth2.client.provider.auth0.issuer-uri=https://<your domain in your application in Auth0 Dashboard>
For more information a technology documentation page should have opened up when you created the application. Seems to be available via Applicaton -> QuickStart.
is possible create authorization server for PKCE authentication in current version of spring security?
I did research and I found out this authorization server project https://github.com/spring-projects-experimental/spring-authorization-server but there is no usable sample for that project.
I also find out that spring recommends Keycloak as authorization server, but it is not fit for my case.
We need be able fetch and verify user against remote service, and then use authorization server only for generating and verifying jwt tokens. In my knowledge Keycloak should holds also users right? So the best solution would be custom spring standalone authorization server. Is it possible in some way? Thank you!
You may have a look to this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry but it could be used as a stand alone OAuth2 server. It can support external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, Spring framework has one more implementation of the authorization server. It is a part of spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to change the legacy solution.
From my point of view now there are several possible options:
Using old legacy spring-security-oauth. More examples with old auth server
Using external services like Keycloak, Auth0, Okta and etc
I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because is a legacy application. It is capable of collecting the credentials and start the session via HTTP Basic Authentication, and then keep the cookies for the session in the following requests.
Given this scenario, I think best option is to make use the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials by the OAuth2 Tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require to make an initial call to the Authorization Provider to exchange the collected credentials by the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session, then Spring is able to use that client in further requests. The problem with this project is it seems to only work as when the OAuth client is used to make HTTP requests (e. g. an endpoint that makes a call to another service) and not provide authentication to the controller. You can find more information about this in here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?
How could I setup Spring Cloud Data Flow security (login page, user, pass,...)
I have tried to use these following properties in application.properties but it does not work:
security.basic.enabled = true
security.basic.realm = Spring Cloud Data Flow
security.user.name = admin
security.user.password = admin
security.user.role = VIEW,CREATE,MANAGE
Please review the security configuration section from the reference guide in entirety.
There's no true basic-auth as an option that is provided in SCDF. It used to be in 1.7.x, but that has been deprecated in favor of OAuth+OIDC standardization since SCDF 2.0.x. That means you will have to use an OAuth identity provider to set up your custom authentication and authorization workflows.
You could use the Password Grant Type supported by OAuth2+OIDC as the mechanism to mimic the username+password-based authentication workflow. UAA can be used as an identity provider, as well. We have a sample on this subject.
I'm trying to set up a sample application using spring boot admin (both server + client side) and have run into an issue with authentication.
When spring security is enabled on the management/actuator endpoints on the client side the spring-boot-admin server does not seem able to communicate with the client -- logging in to the Admin interface via a Web browser results in a continuous loop of authentication windows popping up and prompting for usernames/passwords. Hitting cancel will display an HTTP 401 error on the page.
Here's a configuration that works on the client side:
management.security.enabled=false
security.basic.enabled=true
security.user.name=test
security.user.password=test
spring.boot.admin.url=http://localhost:9081/admin
spring.boot.admin.username=admin
spring.boot.admin.password=admin
This will:
Disable security for spring-boot's management/actuator resource
Enable security for all other resources (HTTP basic auth - user: test, password: test)
Register the spring-admin client on startup using the url http://localhost:9081/admin (HTTP basic auth - user: admin, password:admin)
I'm guessing the spring boot admin app doesn't support communication with secured clients because I don't see any configuration properties that would allow the information to be passed in upon client registration.
Has anyone got around this limitation and if so, how? I'd rather not leave the actuator endpoints "open to the public" so-to-speak, even though they are actually just exposed on the company's internal network.
There is no security feature included since the various solutions look very different. But I've put up some examples: https://github.com/joshiste/spring-boot-admin-samples