I am new to OAuth2 concept but trying to setup a simple system that will consist of 2 separate microservices (no UI yet, will use REST client for test purpose):
Authorization Server with own database which will own User entity, credentials, all other information needed for MFA for example.
Resource Server with its own database, which will have a User Projection entity. I want my Resource server to drive UserManagement flow, which will save on its side non-auth user information, like address, titles, logos etc and will just call Auth Server to store auth information.
If I understood the oauth2 flow propertly i will have to:
call Authorization Server first with user/password to obtain access token.
Then using this access token i will call my Resource server.
Resource server should call Authorization Server to validate the token.
My question replies to step-3.
What I did is some basic configuration on Authorization Server side:
security:
oauth2:
client:
client-id: clientId
client-secret: very-strong-secret
provider:
issuer-uri: http://localhost:8080/oauth/token
And on Resource server side:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: http://localhost:8080/oauth/token
my resource server is starting on port 8081 and calling localhost on port 8080 where authorization server is running.
I was able to obtain access token, but when I am calling resource server (I assume spring makes a magic and calling auth server under the hood) i get the error:
Unable to resolve the Configuration with the provided Issuer of "http://localhost:8080/oauth/token"
How exactly should I instruct my resource server to validate the token?
It's quite simple. If you don't configure the issuer uri explicitly, the default value is host:port.( In your case it's just http://localhost:8080 )
Related
I have a question regarding the oauth2.0 openId and spring boot. I am developing a personal project, and I have deployed a Keycloak instance as an Auth server and I am writing code for the resource server. I would like to ask you some questions regarding security. As the Spring Docs say, we need only the issuer-uri of the Auth Server and the Resource Server will use this property to further self-configure, discover the authorization server’s public keys, and subsequently validate incoming JWTs. For example a resource server will have to specify the following:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: <uri>
However, this means that any resource server can use my deployed Auth Server to self configure just by knowing the issuer-uri is there any way to protect the Auth Server from resource server APIs(that are external to my application)?
Thank you in advance!
I'm programming a client (Spring Boot application) which has to provide two endpoints for a user, one which uses Authorization Code Grant, and the other which uses Resource Owner Password Credentials Grant. Endpoints are on different URLs. The other one will be used by internal application so I'm not concerned about security.
I have an external OAuth2 server (both authorization and resource server) - so I'm not programming those but I have full access to their configuration. Keycloak is in question.
I've managed to set up Authorization Code Grant, but cannot get the other one to work.
My application.yml looks something like:
security:
oauth2:
resource:
token-info-uri: ...3rd party...
userInfoUri: ...3rd party...
client:
client-id: ...
client-secret: ...
grant-type: authorization_code
registered-redirect-uri: http://localhost:8080/app/auth_grant
pre-established-redirect-uri: http://localhost:8080/app/auth_grant/
user-authorization-uri: ...3rd party uri...
access-token-uri: ...3rd party uri...
scope:
- read
- write
- openid
I have an WebSecurityConfigurerAdapter implementation annotated with #EnableOAuth2Sso
#Configuration which permits only /login to be accessed unauthorized.
Now I want my users to be able to login with Resource Owner Password Credentials Grant at (example) /login_ROPCG.
I've read the documentation but I guess I've headed in the wrong direction. Can you give me some hints?
I've read this comment: Spring Boot Oauth2 use multiple grant_types for for same URL
In which the hint is that I need two different security configurations with different mapping but I don't know how to do this.
I've read this: How can I implement Basic Authentication with JWT authentication in Spring Boot? but I don't see how to set two different grant types.
And because of this I'm not sure is this even possible:
https://github.com/spring-projects/spring-boot/issues/14554
I write a spring security app which uses WSO2 identity server (ver. 5.7) as oauth2 server. The application.yaml file is just as the follows:
spring:
security:
oauth2:
client:
registration:
wso2is:
client-id: <id>
client-secret: <secret>
authorization-grant-type: authorization_code
redirect-uri-template: '{baseUrl}/login/oauth2/code/{registrationId}'
scope: openid
client-authentication-method: basic
client-name: WSO2 ID Provider
client-alias: wso2is
provider:
wso2is:
authorization-uri: https://<mydomain>/oauth2/authorize
token-uri: https://<mydomain>/oauth2/token
user-info-uri: https://<mydomain>/oauth2/userinfo?schema=openid
user-name-attribute: sub
jwk-set-uri: https://<mydomain>/oauth2/oauth2/jwks
client-name: wso2is
And in the identity server, I add a new service provider and add an Oauth/OpenID Connect Configuration under Inbound Authentication Configuration, the Callback Url of which is set to be http://localhost:8080/login/oauth2/code/wso2is.
The identity server itself is behind a http proxy of nginx, and I can log in the admin console using https://. I've also changed both HostName and MgtHostName to .
The question is when I access the spring security app via http://localhost:8080, it is redirected to a url of https://127.0.0.1:9443/authenticationendpoint/login.do?client_id=xxxxxxx, and from the log, I find it says Redirecting to 'https://<mydomain>/oauth2/authorize?response_type=code&client_id=xxxxxx. If I access the url directly, it is actually redirected to the https://localhost:9443.....
All the samples in the docs are all demonstrated in local environment, but how can I handle my case please?
Open <IS_HOME>/repository/conf/tomcat/catalina-server.xml file and add the proxy port 443 in https connector as follows.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
proxyPort="443"
There are some additional steps [1] when configuring a proxy server for WSO2 IS if you need to work with the end-user dashboard as well (<IS_HOST>/dasboard).
[1] https://docs.wso2.com/display/IS570/Setting+Up+Deployment+Pattern+1#SettingUpDeploymentPattern1-ConfiguretheProxyPortinISNodes
My application has microservices behind (spring) gateway with zuul proxy. There is also internal (spring) oauth2 authorization server. I want to implement client_credentials grant type for my microservices calls from outside - for M2M communication.
When I configure for the gateway client_id and client_secret in its application.yml requests come through the gateway but there is no requester check - oauth authorizes the gateway itself, as a result there is no authorization at all. I could use authorization code grant type, but then it would require web-client authorization which (web client) user might not have.
If I request authentication token from the oauth microservice, I get correct token for this app.
How can I force the gateway use the requester's client_id and client_secret to get token from oauth? - e.g. I can provide them as basic authorization via header.
Or can I provide to the gateway the token obtained by the requester from oauth?
The question is very similar to another one: Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices
except the thing that there might be no web client, but an external microservice.
I have answered the question Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices.
In my case the most important thing was to configure zuul proxy to forward authorization header to downstream services. Initially I thought about using zuul filters, but solution was much simpler - just configure sensitive headers for zuul:
server:
port: 8080
zuul:
sensitiveHeaders: Cookie,Set-Cookie # <--- this line
routes:
spring-security-oauth-resource:
path: /spring-security-oauth-resource/**
url: http://localhost:8081/spring-security-oauth-resource
oauth:
path: /oauth/**
url: http://localhost:8083/spring-security-oauth-server/oauth
After successful authentication of a client/user with oauth JWT token will be forwarded to downstream by the gateway.
Certainly, for this gateway must allow unathenticated access to oauth resource and require authentication for all others.
More details on the topics can be found in the article
https://www.baeldung.com/spring-security-zuul-oauth-jwt
I'm currently developing an application with a micro-service architecture back-end using Spring. We are using Zuul+Eureka for load balancing and service discovery and OAuth2 for authorization.
Is it possible to route requests to the OAuth2 endpoints on the authorization server through zuul? We want to do this in order to support multiple authorization server instances, but the problem is that as far as I know I have to provide a URI to the following config properties:
security:
oauth2:
client:
...
accessTokenUri: http://localhost:3001/oauth/token
userAuthorizationUri: http://localhost:3001/oauth/authorize
resource:
token-info-uri: http://localhost:3001/oauth/check_token
userInfoUri: http://localhost:3001/user
So my question is if this is even possible with a OAuth2SSoClient server or if we should do this via another way, such as a server-side load balancer.