A quick thanks and appreciation for your help. The main gist is I am creating a microservice ecosystem and will be using Istio as my service mesh. For the services themselves, I am using Spring Boot. For auth I am using a JWT implementation.
Spring security is the staple for route protection and auth. However, Istio can use its sidecar to deny any request to the service API if the JWT validation fails.
Is there any value to including spring security as an authentication filter if the JWT has already been validated? The services will conduct their business logic based on the info taken from the validated JWT.
Thanks!
Related
We are building a suite of spring boot based microservices deployed in Kubernetes. APIs are authenticated using OIDC protocol and access to APIs is managed through Kong community edition.
There have been suggestion to centralize authentication at API Gateway level. I am all for centralizing the authentication, but I am not able to identify if it really helps simplify the APIs. Authentication is already externalized and APIs still have to validate the JWT token with OIDC provider.
Are there any other benefits of centralized authentication at API Gateway ?
You can delegate the JWT validation to the API Gateway through techniques like introspection. This way your APIs don't have to deal with authn/authz at all. You can also plug new service APIs with ease.
Here is the authorization service. It has endpoints to login and receive a JWT using either a custom username/password or social OAuth (Facebook, GitHub etc.).
I have a Eureka server setup and Zuul gateway service. From what I understand, there are two ways to go about implementing secure microservices. You either proxy requests through the auth service, or you send requests to the requested service (Ex. Service A) and service A authorizes using the auth service.
I would like to use the second way, however I'm having trouble implementing it. Is my understanding correct? Is there a way to setup service A somehow so that certain paths (configured using Ant matchers) will have to authorize using the auth service, which will set the SecurityContext appropriately and inject a UserPrincipal into the request. If anyone can point me to a good guide for this that would be much appreciated.
I want to use Keycloak in a microservices based environment, where authentication is based on OpenID endpoints REST calls ("/token", no redirection to keycloak login page), a flow that I thought of would be something like this:
1. Front-end SPA retrieves the tokens from the "/token" endpoint and stores in browser's localStorage, then sends it with every request.
2. Gateway-level authentication: Acess Token is passed from the front end to the gateway, gateway consults Keycloak server to check if the token is still valid (not invalidated by a logout end-point call).
3. Micro-service based authorization: Acess Token is passed from the Gateway to the microservices, using Spring Boot adapter the microservices check the signature of the token offline (bearer-only client?) then based on the role in the token do the authorization.
My questions are: Does this flow make sense or can you suggest another flow? What type of Keycloak clients to use? What's an ideal way to pass Tokens using Spring Boot Adapter, and should it be done like that in the first place? Please keep in mind that I am not a Keycloak expert, I've done my research but I still have doubts.
Your Front-end SPA should be public-client and springboot micro service should be Bearer only Client and Gateway could be Confidential Client.
You can check the Keycloak provided oidc adapters. For springboot you use the keycloak provided adapter
Similar solution using api gateway is discussed here
I'm trying to implement Google's Streamlined Identity Flows for authenticating users on Actioins on Google with Spring Boot and Spring Security (OAuth).
I already managed to implement Google-SignIn but the server side is missing. I could implement every endpoint myself but as with most security concerns I think that it's better to use tested and proved frameworks or components. Now I'm trying to figure out how to use Spring Security's OAuth authorization server functionality.
How to implement the authorization endpoint that lets users authenticate with their browser and respond an authentication token
How to implement the JWT token endpoint
Is it possible to leverage the possibilities of Spring OAuth for this or do I have to create a custom endpoint with #Controller / #RestController for example.
Are their any tutorials or documentations on how to implement such a service with Spring Security?
In Spring Security OAuth, can it consume/work with JWT tokens that were generated from a user authenticating with Keycloak? Keycloak's open-id far as that goes, but it all seems to be really similar. I'm still trying to understand the dividing line and also what's similar or same with this.
Basically I'd like to authenticate separately in a REST client then use the token in the Authorization header for REST calls to some web services. There seems to be some JWT stuff in in the Spring Security OAuth, so I'm wondering I can actually use that instead of the Keycloak Spring stuff? Are there any examples of this out there? (I'd love to use the Spring security checks on different methods in my controller)
You can use the Keycloak Spring adapter and still rely on Spring Security annotations for controller security. The main purpose of the Keycloak Spring adapter is simplify the integration with Keycloak for interactive login and also to correctly map JWT access token claims into the Spring Security authentication context.
Reading through the Spring Security OAuth2 documentation, I get the impression that it's not quite ready out of the box to handle OpenID Connect JWT access tokens. However, it's customizable so it could most likely be made to work.
My advice for now is to stick with the Keycloak Spring adapter if you're using Keycloak as your OIDC server. It will save you time and it's well tested with Keycloak.