I have a Spring Cloud Gateway, where I have ignored a set of URLs and authenticate a set of Authorized URLs. I have added SecurityContextRepository and AuthenticationManager which validates the token, now the issue is because it checks the token for every coming request so in case if I have an expired token coming in the header for an open endpoint it gives me an error that the token is expired.
Which I do not want because I have kept the endpoint open.
How can I resolved this, Does adding addFilterBefore or addFilterafter would work?
Please suggest something for this.
Thanks in advance.
Related
I have 2 secured resource microservices and 1 authentication service and another API Gateway.
Authentication service can generate JWT Token given username and password. It also can validate a JWT token.
So, I want to implement security at the API Gateway only such that on receiving a request, it will first fetch a bearer token from the authentication service and forward the request to the secured resource service. I would like to get some idea how to implement that in API Gateway. Should I make it just in an aggregate fashion, like it would be a sync call which will first make a request to auth service and next forward the request to resource service?
Now, if I want to add the support of OAuth as well, which I know the spring cloud API Gateway already has the support for this via global filters.
But, I am wondering about the legacy bearer token which is generated by the custom authentication service.. How do I ensure this?
Any suggestion would be appreciated.
Thanks in advance!
My application has frontend build with angular and backend build with spring boot, and I use openam by Forgerock as an authentication server. I got the access_token in frontend and pass this access_token to backend through Bearer authentication, But now I have to check if the token is valid in backend by calling /userInfo endpoint. My question is how to config in spring boot to call this endpoint everytime when get the request? Thanks
I may case I didn't had any explicit configuration for access token. You just have to call end points and the tokens will be stored in the header for authentication. Though you can set the timer for it.
I've been creating an OAuth2 Login application with Spring Security and have been making good progress, The Identity Provider I am working with requires that their /authorization endpoint be triggered with an HTTP POST.
I've been doing some testing and it seems that Spring Security triggers the /authorization endpoint by a GET request.
From looking at the OAuth RFC documentation, I see the following.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1
The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.
So before I implement anything custom to trigger a POST request to the authorization server I am integrating with, I was just curious if anyone knew of a way to get Spring Security to trigger a POST for the /authorization instead of a /GET.
Curious if I'm missing where that functionality is supported, if at all.
Thanks for your time.
You can use springsecurity and oauth2server to configure your login model and through this interface to login
POST:
http://your_ip:port/auth/oauth/token?grant_type=password&username=username&password=password&client_id=yourclientid&client_secret=yoursecret
As we know the Spring Security OAuth 2.0 project has bee depreciated and now it's Spring Security 5.
My question is related with Authorisation Server for grant_type: authorization_code. Spring team is also working on standalone project for Authorization Server. So most of the codebase in Spring Security project is depreciated for Authorization Server.
Still, I've couple of questions for endpoints with authorization_code flow in Spring Security 2.0/5.
OAuth 2.0:
Can you please let me know, which endpoints are supported for below use cases in Authorization Flow:
Login Button: ask the customised authorization url from Authorization Server.
User logged-in: once end-user logged-in (authenticate), need to authorise with registered client application and provide the code in the callback URI.
Request For Access Token: once the code has been received in previous step, it should use the code to get the access token.
Please let me know which endpoints are meant to be used in Spring Security OAuth 2.0/5 for above use cases. Based on my research, I've found these endpoints:
/oauth/token: get the access token
/oauth/token_key: produces JWT encoded token values
/oauth/check_token: validate the access token
Can you please let me know which endpoint dedicated for authorisation before end-user authenticate in use case #1. And after end-user authentication in use case #2.
Any help would be appreciated.
Many Thanks,
Adnan
I am testing my Spring Security application using PostMan client. When I change the password and update the request and fire the request, I am not getting 401 error. Spring security does not call the UserDetailsService. Only when I change the username to some wrong username, the UserDetailsService is getting called and I start seeing expected results. This might be a security issue. Is there something I am missing here.
I was able to solve the error. Setting the sessionCreationPolicy to Stateless resolved the issue. This link talks about the issue - Link