How to use OIDC with custom internal Provider - quarkus

We have a standard OIDC/OAuth2 provider.
With Quarkus I am able to do the setup and auto-discover with the OpenID well-known configuration. So overall it works fine.
How to customize the URL? We need to add a few parameters, viz. Resource
customize the callback URL
handle tokens differently
Can someone guide on this?
How to pass the resource server public register URI in Quarkus?
I see all examples only use Keycloak, but we can't use it as we already have a predefined Federation service and Authorization service built in.
Do guide with some directions to make Quarkus customize the URLs.

Related

Can one have more than one OAUTH2 servers in quarkus?

One can define an OAUTH2 server easily based on the quarkus documentation.
quarkus.oauth2.client-id=XXXX
quarkus.oauth2.client-secret=YYYY
quarkus.oauth2.introspection-url=https://example.com/oauth2/...
How should I configure quarkus if I have to give the option to the users to choose their own OAUTH2 provider (github, gitlab, whatever)?
One solution can be running separate Quarkus instances for each OAuth2 provider.
If you need to have all requests sent to the same path and port, a mediator instance can be created for handling requests and sending them to the appropriate instance with the chosen OAuth2 provider.

Pub/Sub Implementation in Spring boot

Currently in our project we have already implemented the Firebase messaging service (FCM). We already have a service account created for this. Now we need to implement Pub/Sub with a different Google service account.
When I try to implement this it's taking the default credentials.
How can we configure different service account credentials for FCM and pub/sub?
Kindly let me know how can we fix this.
[Screenshots in the original post: default credentials, dependencies added, the error being faced]
To explicitly provide credentials for Spring Cloud GCP Pub/Sub, use the spring.cloud.gcp.pubsub.credentials.location or spring.cloud.gcp.pubsub.credentials.encoded-key property.
Documentation available here.
The error you have is unrelated to GCP authentication, though -- the issue is that two different starters are defining a Jwt parsing bean. If you don't need to extract identity from Firebase, then it can be turned off with spring.cloud.gcp.security.firebase.enabled=false. If you do need it, and com.magilhub is under your control, follow the Spring Boot suggestion and use @Qualifier to get the specific one you need.

Protect all endpoints automatically

I am following Quarkus OpenID Connect tutorial here.
But I don't need to check roles.
I want all endpoints except health-check and swagger-ui to check if the token is valid. Sometimes I may inject the JsonWebToken to use a claim. How can I do that using the extension?
Currently I haven't found a straightforward way to achieve this, but Quarkus provides the io.quarkus.security.Authenticated annotation that will permit any authenticated user to access the resource (equivalent to @RolesAllowed("**")).
Check this guide for more information: https://quarkus.io/guides/security-authorization
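The pattern from the answer above, as an added example that is not code from the original post: a Quarkus JAX-RS resource that requires a verified bearer token on every method via @Authenticated, opens one method with @PermitAll, and reads claims from the injected JsonWebToken. The package, paths and the custom "tenant" claim are assumptions, and Quarkus 3 (jakarta.*) namespaces are assumed.

```java
// Added example (not the original post's code). Assumes Quarkus 3 with the
// quarkus-oidc and quarkus-resteasy-reactive extensions; package and paths
// are hypothetical.
package org.acme.example;

import jakarta.annotation.security.PermitAll;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

import io.quarkus.security.Authenticated;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/api")
@Authenticated            // class-level: every method needs a valid token
@Produces(MediaType.TEXT_PLAIN)
public class ProtectedResource {

    @Inject
    JsonWebToken jwt;     // populated only after OIDC has verified the bearer token

    @GET
    @Path("/whoami")
    public String whoami() {
        // "sub" is a standard claim; "tenant" is an assumed custom claim,
        // so it is read as Optional and given a safe default when absent.
        String subject = jwt.getSubject();
        String tenant = jwt.claim("tenant")
                           .map(Object::toString)
                           .orElse("none");
        return "subject=" + subject + " tenant=" + tenant;
    }

    @GET
    @Path("/ping")
    @PermitAll            // method-level override: reachable without a token
    public String ping() {
        return "ok";
    }
}
```

The built-in health and Swagger UI endpoints are served by their own extensions rather than by resource classes, so they stay open as long as you annotate your own resources instead of adding a blanket HTTP permission over /*.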

Spring Boot 2 Authorization Server for public clients (PKCE)

Is it possible to create an authorization server for PKCE authentication in the current version of Spring Security?
I did research and I found out this authorization server project https://github.com/spring-projects-experimental/spring-authorization-server but there is no usable sample for that project.
I also find out that spring recommends Keycloak as authorization server, but it is not fit for my case.
We need to be able to fetch and verify the user against a remote service, and then use the authorization server only for generating and verifying JWT tokens. To my knowledge Keycloak should hold the users as well, right? So the best solution would be a custom Spring standalone authorization server. Is it possible in some way? Thank you!
You may have a look at this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry but it could be used as a stand-alone OAuth2 server. It can support an external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, Spring framework has one more implementation of the authorization server. It is a part of spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to change the legacy solution.
From my point of view now there are several possible options:
Using old legacy spring-security-oauth. More examples with old auth server
Using external services like Keycloak, Auth0, Okta, etc.

Implement Keycloack Authorization server using Spring Security 5 OAuth2

I've written a software system that uses Spring Cloud Netflix. Due to Spring Security 5 not offering support for writing an Authorization Server (pls shout out here https://github.com/spring-projects/spring-security/issues/6320) I need to write my own Authorization server. I want my application to permit Social login and username/password registration, have a custom login page but also use keycloack. I don't even know from where to start, if you have any documentations or code samples please provide.
You can use the cas project. By using the overlay it is easy to set up and to customize:
https://github.com/apereo/cas-overlay-template/blob/master/README.md
It serves a frontend where your user can be redirected to and can login. After successful login, the user is redirected back to your web page. The frontend is completely customizable.
It supports all kinds of authentication providers like Keycloak, a database, or Google/Facebook.
After the basic setup you just add the dependency inside the Gradle file, configure your Keycloak/database/... in application.properties and can start using it as an authentication server.
It fits perfectly into a microservice landscape and is curated by professionals implementing security best practices.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html
