I have a Spring Boot MVC app protected by Spring Security OAuth2 using the authorization code flow. The app redirects to the proper redirect URI for login when deployed and running on a local machine. But in our Kubernetes deployment there is an API gateway in front of the app, and the app is accessed at the following path:
https:///<k8_namespace_name>/<app_name>
where
k8_namespace_name is the Kubernetes namespace name and app_name is an identifier for the app in the namespace. The issue is that the redirect URI for login is going to
https:///oauth2/authorization/okta
instead of
https:///<k8_namespace_name>/<app_name>/oauth2/authorization/okta
Below is the application.yaml config:
management:
  endpoints:
    web:
      base-path: /
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: xxxxx
            scope:
              # Include the required openid scope
              - openid
              - employee_number
              - groups_whitelist
              - first_name
              - last_name
              - store_number
        provider:
          okta:
            authorization-uri: https://auth.com/v1/xxxx/authorize?skip_iwa=true
            token-uri: https://auth.com/v1/xxxx/token
            user-info-uri: https://auth.com/v1/xxxx/userinfo
            jwk-set-uri: https://auth.com/v1/xxx/keys
You can use the redirect-uri property to define where the user will be redirected after a successful login.
It should look like this:
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            redirect-uri: https:///<k8_namespace_name>/<app_name>/login/oauth2/code/{registrationId}
            client-id: xxxxx
            scope:
              # Include the required openid scope
              - openid
              - employee_number
              - groups_whitelist
              - first_name
              - last_name
              - store_number
        provider:
          okta:
            authorization-uri: https://auth.com/v1/xxxx/authorize?skip_iwa=true
            token-uri: https://auth.com/v1/xxxx/token
            user-info-uri: https://auth.com/v1/xxxx/userinfo
            jwk-set-uri: https://auth.com/v1/xxx/keys
Please remember to add your redirect URI to the Okta client configuration.
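As an added example (not from the question or the answer above), the same registration expressed in Java instead of YAML, going one step further than the hard-coded URI: Spring Security's {baseUrl} template plus a ForwardedHeaderFilter lets the redirect URI follow the external host and path prefix. It assumes the gateway sends X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Prefix; the client id and Okta endpoints are the placeholders from the question.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class GatewayAwareOAuth2Config {
    // Honour X-Forwarded-Proto/Host/Port/Prefix set by the API gateway so that
    // {baseUrl} below expands to https://<external-host>/<k8_namespace_name>/<app_name>.
    // Only do this when the pod is reachable exclusively through the gateway:
    // these headers are client-supplied and would otherwise be spoofable.
    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> bean =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        bean.setOrder(Integer.MIN_VALUE); // must run before the security filter chain
        return bean;
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration okta = ClientRegistration.withRegistrationId("okta")
                .clientId("xxxxx") // placeholder, as in the question
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Resolved per request; Okta rejects the code request unless the
                // expanded value exactly matches a URI registered for this client.
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "employee_number", "groups_whitelist")
                .authorizationUri("https://auth.com/v1/xxxx/authorize?skip_iwa=true")
                .tokenUri("https://auth.com/v1/xxxx/token")
                .userInfoUri("https://auth.com/v1/xxxx/userinfo")
                .jwkSetUri("https://auth.com/v1/xxx/keys")
                .build();
        return new InMemoryClientRegistrationRepository(okta);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

Spring Boot can register the same filter from configuration with server.forward-headers-strategy=framework; either way, the expanded URI still has to be registered verbatim in Okta.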
Related
My application based on microservices was working fine on just localhost until I tried to set it up on docker-compose.
I've got an issue on the API Gateway side. I've figured out that authorization-uri has to be on localhost since it goes from outside of the docker network.
token-uri and user-info-uri go from the gateway to Keycloak and need to call Keycloak by its DNS name. clientId and userId are null in the error.
19:09:20,616 WARN [org.keycloak.events] (default task-2) type=USER_INFO_REQUEST_ERROR, realmId=cinema, clientId=null, userId=null, ipAddress=172.21.0.9, error=invalid_token, auth_method=validate_access_token
spring:
  application:
    name: Gateway
  config:
    import: optional:configserver:http://${ConfigService:configserver}:8888
  cloud:
    gateway:
      discovery:
        locator:
          enabled: true
      default-filters:
        - TokenRelay
  security:
    oauth2:
      client:
        provider:
          keycloak-spring-gateway-client:
            token-uri: http://${KEYCLOAK:localhost}:8080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/token
            authorization-uri: http://localhost:28080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/auth
            user-name-attribute: preferred_username
            user-info-uri: http://${KEYCLOAK:localhost}:8080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/userinfo
            jwk-set-uri: http://${KEYCLOAK:localhost}:8080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/certs
            user-info-authentication-method: header
        registration:
          keycloak-spring-gateway-client:
            provider: keycloak-spring-gateway-client
            client-id: gateway
            client-secret: ${GATEWAY_SECRET:PxY64IIOcSCUgZDWRdt2rHf8SL41xdX5}
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8890/login/oauth2/code/keycloak
            scope: openid
      resourceserver:
        jwt:
          jwk-set-uri: ${app.config.keycloak.url}/realms/${app.config.keycloak.realm}/protocol/openid-connect/certs
I've tried to change user-id to user_Id, but it doesn't change anything.
Any ideas what could be wrong? Any help would be appreciated.
I am following the steps on https://blog.jdriven.com/2019/11/spring-cloud-gateway-with-openid-connect-and-token-relay/ , using a gateway and a microservice. Everything works fine, but when I try to exclude a resource (like, for example, "somepage.html") in the microservice, it does not work; I always get redirected to the Keycloak login.
I tried to add this in the config part of the service:
http.authorizeRequests()
    .antMatchers("/index*")
    .permitAll();
but it did not work. I added this part to the config:
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/public/**");
}
but it did not help either...
This is the gateway config file:
server:
  port: 8080
spring:
  application:
    name: travel-spring-cloud-gateway
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: http://localhost:8090/auth/realms/spring-cloud-gateway-realm
            user-name-attribute: preferred_username
        registration:
          keycloak:
            client-id: spring-cloud-gateway-client
            client-secret: 3a456790-c720-4208-9d4b-fb230ea03dc1
  cloud:
    gateway:
      default-filters:
        - TokenRelay
      routes:
        - id: front-service
          uri: http://127.0.0.1:8086/front
          predicates:
            - Path=/front/**
How can I make the gateway (or the microservice) prevent a request from being redirected to the Keycloak login?
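An added example that is not part of the question or the linked blog post: the login decision for a routed path belongs to the gateway's own WebFlux security chain, so an anonymous allowlist has to be declared there; the rules in the downstream servlet service only apply once the gateway has let the request through. The paths /front/public/** and /front/somepage.html are assumed from the question's route.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {
    // Spring Cloud Gateway is a reactive (WebFlux) application: the redirect to
    // Keycloak is issued by this chain before the request ever reaches the
    // downstream service, so antMatchers()/permitAll() in that service cannot
    // stop it. Anonymous paths are listed explicitly; everything else needs login.
    @Bean
    public SecurityWebFilterChain gatewayFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange(exchanges -> exchanges
                .pathMatchers("/front/public/**", "/front/somepage.html").permitAll()
                .anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

For a permitted path the TokenRelay filter has no principal and forwards the request without an Authorization header, so the downstream service must also allow that path anonymously (as with the web.ignoring() rule in the question).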
I have used Spring Security to implement my OAuth2 client. I have configured my callback as http://localhost:8080/login/oauth2/code/abc, so when I test my app in my local environment the callback is going to https://localhost:8080/login/oauth2/code/abc. As https is not valid for localhost, my browser is throwing an error, because of which I could not test my application locally.
spring:
  profiles: local
  security:
    oauth2:
      client:
        registration:
          abc:
            client-id: OTExZDE3MGQtZTkyMy00YWZjLWFhZDItMGVmZTI1ZDQ3MGJm
            client-secret: MzNlZWFhNDQtOGE4Mi00NDVkLWFiMTUtZjAzNWE2YmU2YWIz
            authorization-grant-type: authorization_code
            redirectUri: http://localhost:3000/login/oauth2/code/abc
            scope:
              - openid
              - internal
        provider:
          abc:
            authorization-uri: https://api.abc.com/oauth/authorize
            token-uri: https://api.abc.com/oauth/token
            jwk-set-uri: https://api.abc.com/oauth/keys
How about this configuration?
security.oauth2.client.use-current-uri=false
The JavaDoc of AbstractRedirectResourceDetails.isUseCurrentUri() says the following:
Flag to signal that the current URI (if set) in the request should be used in preference to the pre-established redirect URI.
I developed a Spring Boot application which is using OAuth2 autoconfigure, but I am not able to force it to read client configurations from a yml file other than application.yml.
Thanks in advance.
One simple solution is to use multiple profiles and one client file per profile:
The first properties file, named application-my-client-1.yml:
spring:
  security:
    oauth2:
      client:
        registration:
          my-client-1:
            client-id: ${APP-CLIENT-ID}
            client-secret: ${APP-CLIENT-SECRET}
            client-name: my-client user
            provider: my-client
            scope: user
            redirect-uri: http://localhost:8080/login/oauth2/code/my-client
It is activated by setting the my-client-1 profile on when running the Spring Boot app:
java -jar -Dspring.profiles.active=my-client-1 myApplication.jar
The second properties file, named application-my-client-2.yml:
spring:
  security:
    oauth2:
      client:
        registration:
          my-client-2:
            client-id: ${APP-CLIENT-ID}
            client-secret: ${APP-CLIENT-SECRET}
            client-name: my-client-2 email
            provider: my-client-2
            scope: user:email
            redirect-uri: http://localhost:8080/login/oauth2/code/my-client-2
It is activated by setting the my-client-2 profile on when running the Spring Boot app:
java -jar -Dspring.profiles.active=my-client-2 myApplication.jar
All properties can be activated by setting all profiles on:
java -jar -Dspring.profiles.active=my-client-1,my-client-2 myApplication.jar
I have successfully implemented Google Sign-In on iOS with the following application.yml:
security:
  oauth2:
    resource:
      user-info-uri: https://www.googleapis.com/plus/v1/people/me
      prefer-token-info: true
    client:
      client-id: xxxxx.apps.googleusercontent.com
      access-token-uri: https://www.googleapis.com/oauth2/v3/tokeninfo
      client-authentication-scheme: form
      scope: email,profile
Now I need to add configuration for the Android client. Obviously I cannot do this:
security:
  oauth2:
    resource:
      user-info-uri: https://www.googleapis.com/plus/v1/people/me
      prefer-token-info: true
    client:
      client-id: xxxxx.apps.googleusercontent.com
      access-token-uri: https://www.googleapis.com/oauth2/v3/tokeninfo
      client-authentication-scheme: form
      scope: email,profile
    client:
      client-id: xxxxx.apps.googleusercontent.com
      access-token-uri: https://www.googleapis.com/oauth2/v3/tokeninfo
      client-authentication-scheme: form
      scope: email,profile
What is the correct approach and best practice to do this?
I found the syntax you are looking for in this file: Will Tran's GitHub project application.yml
It will look like this:
# OAuth2 Details
security.oauth2:
  client:
    client-id: client001
    client-secret: pwd001
    authorized-grant-types: password,authorization_code,refresh_token
    scope: read,write
---
security.oauth2:
  client:
    client-id: client002
    client-secret: pwd002
    authorized-grant-types: client_credentials
    scope: TRUSTED
---
# /\ Don't forget this one
PS: Check the link for a better reference.