I have a front end (angular) with login form, a back-end for that angular application as my OAuth client (spring dependency) then I have a third application that is the Authorization server and finally the forth is the ressources server.
So I want to know is there is any way to jump the redirect to /login from the authorization server?
I want to login the user with angular login page, then make a get with my OAuth client (spring) for the authorization code flow and then, since i'm not authenticated, instead of getting redirect, I want to get an error "401" and then send a post request with my OAuth client (spring) to the auth server again to login the user that have sent the data previously in angular login page.
Essentially I just wanted to login to my auth server with a custom page that exists in the front end application and let the backend build specially for that front, take over the flow.
You want seamless integration between login form and the rest of your Angular app? Share your CSS between Angular (public) client and authorization-server embedded (private) one, don't implement login in public client.
You might need to better grasp OAuth2 concepts.
Login, logout and user-registration are authorization-server business. Leave it there. Reasons are related to security and just being future-proof: what if you want to plug additional clients to your system (mobile apps for instance)? Are you going to implement login, logout and user-registration again and again? What if you have to introduce multi-factor authentication at some point? Would you break all clients at once?
Your "backend" (Spring REST API secured with OAuth2) is a resource-server, not a client. Make sure it is configured as so: depends on spring-boot-starter-oauth2-resource-server (directly or transitively). This is where the HTTP status for missing (or invalid) authorization is handled. The way to do it depends on your resource-server being a servlet or reactive app. The libs in the repo linked just before do what you want by default (401 instead of 302).
In your case, client is Angular app. I hope you use an OAuth2 client lib such as angular-auth-oidc-client to handle:
authorization-code flow (redirects to authorization-server, back from authorization-server with authorization-code and tokens retrieval with this authorization-code)
refresh-token flow (automatic access-token refreshing just before it expires)
requests authorization (add Bearer Authorization header with access-token on configured routes)
What my Angular apps do for login is just redirect users to authorization-server "authorization" end-point and then just wait for a redirect back to "post-login URL" with an authorization-code. How this code was obtained is none of their business (can be a login form, a "remember-me" cookie, some biometry, etc.).
Also, I have to admit that I don't use Spring's authorization-server. I prefer mature / feature-full solutions like Keycloak, Auth0, Okta, etc. which come with much more already implemented: multi-factor authentication, integration with LDAP, identity federation for "social" providers (Google, Facebook, Github, etc.), administration UI, ...
As ch4mp said, it's best to leave all the authentication and authorization logic and pages to the Spring Authorization Server, it's pretty easy to customize and configure all the user accessible pages (login, authorize, etc...) with Thymeleaf, you only have to bring in your CSS to unify the design.
There was a great demo in last year's Spring One which seems like something you'd like to achieve, you can find the code in this repo.
They used Spring Cloud Gateway as a means to run the Angular SPA in the flights-web app, configuring it as the OAuth client. Following this path you can route all calls to your backend API through the gateway's WebClient.
I'm trying to do a POC project. I want to login just like stackoverflow. User just login their google account without having to register first and forget password in the future.
My stack is Angular + Spring boot. Angular or React shouldn't matter here. I have did some research and see how people setup on Google GCP and use it in the webapp.
Ok, now assume I can login in my webapp. I got user's name, picture, etc. How would my Spring boot server auth with the info I got from google?
Any help is appreciated!
Usually, you would get a JWT from Google (or other type of token) that you need to send to your Spring Boot server.
The server should then be configured to verify the token. See https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/index.html and https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html (for JWT).
Basically, add spring-security-oauth2-resource-server (and spring-security-oauth2-jose if JWT) and set the issuer-uri in your applications.(yml | properties)
I think it is https://accounts.google.com/ for Google. This also assumes that you have created app/oauth2 in google console. See https://developers.google.com/identity/protocols/oauth2/openid-connect for details.
I have an existing JHipster application generated with the JWT authentication process. Which means that user accounts are handled by the application itself. And every user have to log in with his username and password directly into the application.
Now we are developping some microservices and mobile apps that will communicate with the first JHipster app. And for that, we want to use Keycloak to manage the authentication process for the microservices and mobile apps, while keeping the existing JWT authentication process.
What we want is that: users with username and password will log in directly to the application (they will not be redirected to Keycloak to authenticate), and the microservices and mobile apps will need tokens from Keycloak (by sending the client id and secret to Keycloak) to get access to the JHipster app resources.
All the tutorials that I saw are about replacing the JWT authentication process by Keycloak. With this, every user will be redirected to Keycloak, and we don't want that for now (maybe in the future we will upgrade all of that).
Please if you have any resource that can help me, it will be nice.
I am trying to develop a mobile application. I will use Java in the backend. However, I confused about auth processes.
I will use okta as a authorization server. But I do not want to redirect my user to okta login page. Instead, I will create a login page and connect it to my backend service. I need to find a way that I can register user from my backend service to okta.
To summarize,
Client ---> Secured Spring Gateway ---> /signin (my backend service) ----> okta ( registering user) ----> back to my service so that I can save user to my db as well to relate with my other models ---> client (with provided token from okta)
OR
Client ---> Secured Spring Gateway ---> okta ( registering user) ----> /signin (my backend service) back to my service so that I can save user to my db as well to relate with my other models ---> client (with provided token from okta)
I could not find any detailed example, almost all of them using okta's login form.
Any help will be appriciated.
You can host the login page (Okta sign in widget) yourself. Okta provides a spring boot SDK which can help you get started.
SDK can be found here: https://github.com/okta/okta-spring-boot
Sample code can be found here: https://github.com/okta/samples-java-spring/tree/master/custom-login
Im having a problem to understand the OAuth flow with Spring.
I have a server running, which got protected endpoints to deliver metric data about the users, revenue usw.
These are used inside an admin panel written in Angular2. Currently the access_token for these endpoints is received by sending the ClientId/Secret and username password to my server.
But obviously its bad to store the Clientsecret on a javascript site.
So I need a way to retreive an access_token from javascript without exposing the client_secret.
I tried to implement the Spring OAuth2 implicit flow which somehow works, but only when I type it inside a browser so the /login page from spring shows up.
My Admin panel has its own Login page so this doesnt work out.
Does anyone have suggestions?