OAuth2.0 Spring Security - spring-boot

I have a question regarding the oauth2.0 openId and spring boot. I am developing a personal project, and I have deployed a Keycloak instance as an Auth server and I am writing code for the resource server. I would like to ask you some questions regarding security. As the Spring Docs say, we need only the issuer-uri of the Auth Server and the Resource Server will use this property to further self-configure, discover the authorization server’s public keys, and subsequently validate incoming JWTs. For example a resource server will have to specify the following:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: <uri>
However, this means that any resource server can use my deployed Auth Server to self configure just by knowing the issuer-uri is there any way to protect the Auth Server from resource server APIs(that are external to my application)?
Thank you in advance!

Related

OAuth2 Resource Server calling Authorization Server to validate token

I am new to OAuth2 concept but trying to setup a simple system that will consist of 2 separate microservices (no UI yet, will use REST client for test purpose):
Authorization Server with own database which will own User entity, credentials, all other information needed for MFA for example.
Resource Server with its own database, which will have a User Projection entity. I want my Resource server to drive UserManagement flow, which will save on its side non-auth user information, like address, titles, logos etc and will just call Auth Server to store auth information.
If I understood the oauth2 flow propertly i will have to:
call Authorization Server first with user/password to obtain access token.
Then using this access token i will call my Resource server.
Resource server should call Authorization Server to validate the token.
My question replies to step-3.
What I did is some basic configuration on Authorization Server side:
security:
oauth2:
client:
client-id: clientId
client-secret: very-strong-secret
provider:
issuer-uri: http://localhost:8080/oauth/token
And on Resource server side:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: http://localhost:8080/oauth/token
my resource server is starting on port 8081 and calling localhost on port 8080 where authorization server is running.
I was able to obtain access token, but when I am calling resource server (I assume spring makes a magic and calling auth server under the hood) i get the error:
Unable to resolve the Configuration with the provided Issuer of "http://localhost:8080/oauth/token"
How exactly should I instruct my resource server to validate the token?
It's quite simple. If you don't configure the issuer uri explicitly, the default value is host:port.( In your case it's just http://localhost:8080 )

Spring Boot - How to create a standalone authenthication MICROSERVICE?

I wrote my first backend spring boot application.
I also created a seperate frontend application.
I would like to create a standalone basic authentication microservice.
The authentication thechnology is currently not relevant. It can use JWT, OUTH2, OKTA, whatever.
I emphsize the MICROSERVICE, rather than adding classes to an application code.
This is because all that I could find on the web and in several books was adding this authentication part as an embedded code in a whole spring boot application.
I would like to build an authentication seperate microservice, such the my other microservices (currently I have only one SP, but there will be more), will be able to use it in order to authenticate the users.
I hope I explained myself right :)
Could you please give me pointer for the correct implementation, or some updated tutorial which can help me accomplish this task?
UPDATE:
I have found a really great and up to date tutorial:
https://dzone.com/articles/step-by-step-a-simple-spring-boot-microservices-ba
Enjoy!
Thanks!
As you need an authentication service, you could work on validating the token generated by the authentication microservice.
You could:
Return a token from your authentication microservice;
Create a token validation service in your main microservice
The link below shows how to implement the authentication application in a manner that it works like an authentication gateway through JWT:
https://medium.com/#mool.smreeti/microservices-with-spring-boot-authentication-with-jwt-and-spring-security-6e10155d9db0
Alternatively, you could add a 3rd party solution to be linked to Spring Security. For this option, something like the code bellow in application.yml should work:
spring:
security:
oauth2:
client:
registration:
sts:
provider: sts
client-id: ${STS_CLIENT_ID}
client-secret: ${STS_SECRET_ID}
client-authentication-method: post
authorization-grant-type: client_credentials
provider:
sts:
token-uri: ${STS_URL}
In my opinion, both ways are valid. It depends on your context and scope.

Multiple grant types for one client application with Spring Boot Security

I'm programming a client (Spring Boot application) which has to provide two endpoints for a user, one which uses Authorization Code Grant, and the other which uses Resource Owner Password Credentials Grant. Endpoints are on different URLs. The other one will be used by internal application so I'm not concerned about security.
I have an external OAuth2 server (both authorization and resource server) - so I'm not programming those but I have full access to their configuration. Keycloak is in question.
I've managed to set up Authorization Code Grant, but cannot get the other one to work.
My application.yml looks something like:
security:
oauth2:
resource:
token-info-uri: ...3rd party...
userInfoUri: ...3rd party...
client:
client-id: ...
client-secret: ...
grant-type: authorization_code
registered-redirect-uri: http://localhost:8080/app/auth_grant
pre-established-redirect-uri: http://localhost:8080/app/auth_grant/
user-authorization-uri: ...3rd party uri...
access-token-uri: ...3rd party uri...
scope:
- read
- write
- openid
I have an WebSecurityConfigurerAdapter implementation annotated with #EnableOAuth2Sso
#Configuration which permits only /login to be accessed unauthorized.
Now I want my users to be able to login with Resource Owner Password Credentials Grant at (example) /login_ROPCG.
I've read the documentation but I guess I've headed in the wrong direction. Can you give me some hints?
I've read this comment: Spring Boot Oauth2 use multiple grant_types for for same URL
In which the hint is that I need two different security configurations with different mapping but I don't know how to do this.
I've read this: How can I implement Basic Authentication with JWT authentication in Spring Boot? but I don't see how to set two different grant types.
And because of this I'm not sure is this even possible:
https://github.com/spring-projects/spring-boot/issues/14554

Spring multiple OAuth2 authorization servers with Eureka

I'm currently developing an application with a micro-service architecture back-end using Spring. We are using Zuul+Eureka for load balancing and service discovery and OAuth2 for authorization.
Is it possible to route requests to the OAuth2 endpoints on the authorization server through zuul? We want to do this in order to support multiple authorization server instances, but the problem is that as far as I know I have to provide a URI to the following config properties:
security:
oauth2:
client:
...
accessTokenUri: http://localhost:3001/oauth/token
userAuthorizationUri: http://localhost:3001/oauth/authorize
resource:
token-info-uri: http://localhost:3001/oauth/check_token
userInfoUri: http://localhost:3001/user
So my question is if this is even possible with a OAuth2SSoClient server or if we should do this via another way, such as a server-side load balancer.

Spring zuul proxy to OAuth2 server password grant

I'm trying to implement a Zuul reverse proxy with #EnableOAuth2Sso so I can relay the access tokens obtained from the authentication server to my resource server.
The question is how do I configure the Zuul proxy to forward the username and password to the authentication server, since I am using the password grant flow to obtain the tokens.
If the question is still relevant...
I had a task to configure Authorization and Resource servers behind Zuul using password grant type.
This article and example on github helped me a lot, but mostly I've used debug to configure the environment.
Please check my example of configuration OAuth2 Password Grant Type behind Zuul.
To run the example, inside every service folder run mnv spring-boot:run
In browser go to http://localhost:8765, credentials user/user, admin/admin
http://localhost:8761/ - eureka
I have not used #EnableOAuth2Sso, but instead #EnableOAuth2Client and configure only ResourceOwnerPasswordAccessTokenProvider (more details here).
#EnableOAuth2Sso is configured all token providers, but I need only password provider.
Example uses JwtTokens.

Resources