Spring Boot : Recipe to repeatably get access token based on authorisation header - spring

So I have this situation.
I am coding inside a controller API in Spring Boot that gets a request with an authorisation header.
I need to hit a token endpoint with this header to get the access token.
After this I need to hit an API with this token to get some information.
Now one way of approaching this is to:
Create a client to get the token.
Create another client to hit the actual API.
Then when my API receives the request, hit these endpoints in succession to get
the job done. Also, we need to take care of caching the token so that we don't end up doing this
every time.
Because this looks like a pattern I want to create a system where I can create one client, kind of like the Spring WebClient, that can take care of hitting the token URI when required.
But all documentation I am reading suggests providing a token URL (which I have) and also client id/secret in the configuration. (These I don't have. I only have the incoming auth code.)
Is there a programmatic way I can achieve the same with WebClient?
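One way to get the "one client that fetches the token when required" behaviour with WebClient is an ExchangeFilterFunction: the controller attaches the incoming Authorization header to the outgoing request as an attribute, the filter exchanges it at the token endpoint and caches the result per incoming credential until shortly before expiry. The code below is an added example, not code from the question or from Spring; it assumes the token endpoint accepts a POST carrying the incoming Authorization header unchanged and answers with JSON of the form {"access_token": "...", "expires_in": 3600}, and it assumes Java 17 (records, HexFormat). The attribute name and the response field names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/**
 * WebClient filter that exchanges the caller's incoming Authorization header for an
 * access token at a token endpoint, then sends that token as a Bearer header on the
 * outgoing call. One token is cached per incoming credential until shortly before expiry.
 *
 * Assumed (not from the question): the token endpoint accepts a POST that carries the
 * incoming Authorization header unchanged and replies {"access_token": "...", "expires_in": N}.
 */
public class TokenExchangeFilter implements ExchangeFilterFunction {

    /** Request attribute under which the controller passes the incoming header (assumed name). */
    public static final String INCOMING_AUTH_ATTR = "incomingAuthorization";

    private record TokenResponse(String access_token, long expires_in) {}
    private record CachedToken(String value, Instant expiresAt) {}

    /** Refresh this long before the token actually expires, to absorb clock skew and latency. */
    private static final Duration SAFETY_MARGIN = Duration.ofSeconds(30);

    private final WebClient tokenClient;
    // Keyed by a SHA-256 of the incoming credential so the raw header is not held as a map key.
    private final Map<String, CachedToken> cache = new ConcurrentHashMap<>();

    public TokenExchangeFilter(String tokenUri) {
        this.tokenClient = WebClient.create(tokenUri);
    }

    @Override
    public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
        String incoming = (String) request.attribute(INCOMING_AUTH_ATTR)
                .orElseThrow(() -> new IllegalStateException("request carries no " + INCOMING_AUTH_ATTR));
        return accessTokenFor(incoming)
                .map(token -> ClientRequest.from(request)
                        .headers(h -> h.setBearerAuth(token))
                        .build())
                .flatMap(next::exchange);
    }

    /** Returns a cached token while it is still fresh, otherwise hits the token endpoint. */
    Mono<String> accessTokenFor(String incoming) {
        String key = sha256Hex(incoming);
        CachedToken hit = cache.get(key);
        if (hit != null && Instant.now().plus(SAFETY_MARGIN).isBefore(hit.expiresAt())) {
            return Mono.just(hit.value());
        }
        return tokenClient.post()
                .header(HttpHeaders.AUTHORIZATION, incoming)
                .accept(MediaType.APPLICATION_JSON)
                .retrieve()
                .bodyToMono(TokenResponse.class)
                .map(r -> {
                    Instant expiresAt = Instant.now().plusSeconds(r.expires_in());
                    cache.put(key, new CachedToken(r.access_token(), expiresAt));
                    return r.access_token();
                });
    }

    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Wire it once, e.g. `WebClient api = WebClient.builder().baseUrl(apiUri).filter(new TokenExchangeFilter(tokenUri)).build();`, and in the controller call `api.get().uri("/info").attribute(TokenExchangeFilter.INCOMING_AUTH_ATTR, authorizationHeader).retrieve()`. Two things a practitioner would add before production: bound the cache (a ConcurrentHashMap never evicts, so a size- or time-limited cache such as Caffeine is the usual choice), and collapse concurrent misses for the same key so a burst of requests does not each hit the token endpoint.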

Related

JWT Token as source of User Details in an API?

I'm building out a backend REST API app, and it takes in requests from a client that uses Firebase Authentication, which will be passing in the JWT Token in the headers of all requests.
Should I still require UserID in the request body for requests, or should I just have the JWT Token be my source for decoding and fetching the UserID for all requests?
Using SpringBoot, and I think I can create a filter to decode the JWT for all requests and then create a User object that can be referenced throughout the chain.
But I'm not sure if it still makes sense to also require the UserID, if anything just as a point of documentation to say the UserID is being used here to handle business logic. Watcha think?
I don't think this would make any sense. You wouldn't actually use the value from the request body anywhere in the code, would you? Since your concern seems to be about documentation I'd rather clearly describe that resources in your application are bound to the authenticated user.

Springboot authentication for a webhook post

I need to authenticate a webhook post from a third-party integration on my backend API server. The only thing I can define is the endpoint URL they will call. It can't be dynamic, since they have to register and the process takes 3 days. And we use a multi-tenant solution, so we have to authenticate with a different schema on every call.
So the problem is that I have to create a filter for this webhook, so I can authenticate it through a value contained in the JSON of a POST body.
So I defined a WebSecurityConfigurerAdapter and added an AbstractPreAuthenticatedProcessingFilter so I can intercept the request, read the value in the JSON body and authenticate with the appropriate credentials.
I followed this tutorial, Reading HttpServletRequest Multiple Times in Spring, so I could read the InputStream from the request without erasing it.
So my questions about it are two.
1: Is there a better/easier approach so I can achieve this result?
2: I guess this tutorial is missing something, because I'm getting a null pointer at the servlet when trying to read the request (again, after I have already read it in the filter).
Any guess would be appreciated, thanks in advance.
Are we allowed to know which 3rd party service?
PayPal/Stripe for example have docs already to explain how to verify the data.
If you can add metadata/custom fields to the webhook, you could sign it for example.
As far as checking the signature/verifying it, why not do this in the #Controller=>#Service?
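The "sign it and verify in the controller" suggestion above, worked through as an added example (not code from the question or the answer): the controller takes the raw body as `byte[]`, so the request stream is read exactly once and the double-read problem from the question does not arise, recomputes an HMAC-SHA256 over those bytes with the tenant's shared secret, and compares it to the presented signature in constant time. The header name, the tenant-in-path URL layout, hex encoding of the signature and the per-tenant secret lookup are all assumptions; Java 17 is assumed for HexFormat.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Optional;
import java.util.function.Function;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

/**
 * Verifies an HMAC-SHA256 signature over the raw webhook body, one secret per tenant.
 * Assumed (not from the question): the sender puts the hex-encoded HMAC in an
 * "X-Webhook-Signature" header and the tenant is a path segment of the registered URL.
 */
@RestController
public class WebhookController {

    private static final String SIGNATURE_HEADER = "X-Webhook-Signature"; // assumed header name
    private static final String HMAC_ALG = "HmacSHA256";

    /** Resolves the per-tenant shared secret; how it is stored is app-specific and assumed. */
    private final Function<String, Optional<byte[]>> tenantSecrets;

    public WebhookController(Function<String, Optional<byte[]>> tenantSecrets) {
        this.tenantSecrets = tenantSecrets;
    }

    @PostMapping("/webhooks/{tenant}")
    public ResponseEntity<Void> receive(@PathVariable String tenant,
                                        @RequestHeader(SIGNATURE_HEADER) String presented,
                                        @RequestBody byte[] rawBody) {
        // Reading the body as byte[] here consumes the stream exactly once; no re-read needed.
        Optional<byte[]> secret = tenantSecrets.apply(tenant);
        if (secret.isEmpty() || !verify(secret.get(), rawBody, presented)) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // rawBody is now authenticated: parse the JSON (e.g. with ObjectMapper) and hand off to the service layer.
        return ResponseEntity.accepted().build();
    }

    /** Hex-encoded HMAC-SHA256 of the body under the given secret. */
    static String sign(byte[] secret, byte[] body) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return HexFormat.of().formatHex(mac.doFinal(body));
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constant-time comparison, so the check leaks nothing about how many bytes matched. */
    static boolean verify(byte[] secret, byte[] body, String presentedHex) {
        if (presentedHex == null) {
            return false;
        }
        byte[] expected = sign(secret, body).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = presentedHex.trim().toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented);
    }
}
```

Because the signature covers the exact bytes received, any whitespace or key-order change by an intermediate JSON re-serialisation would break verification, which is why the controller verifies on `byte[]` before parsing. If the third party cannot sign at all, the only authenticating material is the body value the question mentions, and the same pattern applies: read the bytes once in the controller, parse, look up the tenant, and reject before touching business logic.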

Additional parameter in oauth2 token request

I'm developing a backend for an OAuth2 client. I'm using the authorization_grant flow with the PKCE extension. I'm trying to implement it in such a way that the code verifier and code challenge are generated on the client's side. So I have to add additional parameters to my token request (the second request, where the input is the authorization code and my application exchanges it for an access token).
My app will have to take this code_verifier from a request param and pass it to the authorization server with the authorization code, client id, and client secret.
So now I'm struggling with customizing spring-security-oauth2-client to add an additional parameter. There is a way to add such parameters to the authorization request by implementing OAuth2AuthorizationRequestResolver, but is there an analogous way of adding parameters to the token request?
Or maybe should I implement this endpoint manually?
I feel your pain, since Spring OAuth Security is often poorly documented for common use cases. One option you might consider is to provide a custom Spring filter that uses the open source nimbusds libraries, which have very good documentation and are easy to use.
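Staying inside spring-security-oauth2-client is possible without a custom filter: DefaultAuthorizationCodeTokenResponseClient accepts a request-entity converter, and wrapping the default one lets you append code_verifier to the form body the default converter already builds (grant_type, code, redirect_uri, client credentials). The code below is an added example, not the question author's code and not part of Spring Security; it assumes Java 17 and that the client delivers its code_verifier as a query parameter named code_verifier on the redirect-callback request, which is the request Spring is servicing when it performs the token exchange. Any other way of carrying the verifier can be plugged in through the lookup function.

```java
import java.net.URI;
import java.util.function.Function;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/**
 * Wraps Spring Security's default token-request converter and appends the
 * client-supplied code_verifier to the form body of the token request.
 */
public final class CodeVerifierTokenRequestConverter
        implements Converter<OAuth2AuthorizationCodeGrantRequest, RequestEntity<?>> {

    private final OAuth2AuthorizationCodeGrantRequestEntityConverter delegate =
            new OAuth2AuthorizationCodeGrantRequestEntityConverter();
    private final Function<OAuth2AuthorizationCodeGrantRequest, String> verifierLookup;

    public CodeVerifierTokenRequestConverter(Function<OAuth2AuthorizationCodeGrantRequest, String> verifierLookup) {
        this.verifierLookup = verifierLookup;
    }

    @Override
    @SuppressWarnings("unchecked")
    public RequestEntity<?> convert(OAuth2AuthorizationCodeGrantRequest grant) {
        RequestEntity<?> base = delegate.convert(grant);
        MultiValueMap<String, String> params =
                new LinkedMultiValueMap<>((MultiValueMap<String, String>) base.getBody());
        String verifier = verifierLookup.apply(grant);
        if (verifier == null || verifier.isBlank()) {
            // Fail loudly rather than send a token request the server is bound to reject.
            throw new IllegalStateException("no code_verifier available for this token request");
        }
        params.set(PkceParameterNames.CODE_VERIFIER, verifier);
        URI url = base.getUrl();
        return new RequestEntity<>(params, base.getHeaders(), base.getMethod(), url);
    }

    /**
     * Example lookup (assumed flow): the client sends its code_verifier as a query
     * parameter of the redirect-callback request that Spring is currently handling.
     */
    public static String verifierFromCallbackRequest(OAuth2AuthorizationCodeGrantRequest ignored) {
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (!(attrs instanceof ServletRequestAttributes servletAttrs)) {
            return null; // not inside a servlet request; the caller will reject the exchange
        }
        return servletAttrs.getRequest().getParameter(PkceParameterNames.CODE_VERIFIER);
    }

    /**
     * Token response client to register with
     * http.oauth2Login(o -> o.tokenEndpoint(t -> t.accessTokenResponseClient(tokenResponseClient()))).
     */
    public static DefaultAuthorizationCodeTokenResponseClient tokenResponseClient() {
        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRequestEntityConverter(
                new CodeVerifierTokenRequestConverter(CodeVerifierTokenRequestConverter::verifierFromCallbackRequest));
        return client;
    }
}
```

The verifier is forwarded verbatim; checking it against the earlier code_challenge is the authorization server's job, and the point of refusing an empty verifier is simply to avoid a confusing server-side error later. On Spring Security 5.6 and later the default converter also exposes setParametersConverter/addParametersConverter, which add form parameters without rebuilding the whole RequestEntity; the wrapper above works on the older 5.x line as well.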

IdentityServer4 how to store and renew tokens in authorization code flow

I am looking for the best approach to work with the IdentityServer4 authorization code flow.
My app's system is quite ordinary: I have an MVC client, a WebAPI and the IS. I also use AJAX to request the API from the client side. So I need the access token on the client side to put it into the authorization header.
Is it a good idea to store the access token in cookies?
Do I need a self-contained or reference token (it is about security, I suppose)?
What is the best approach to renew it when it has expired?
I thought about two strategies:
Update the access token when the first 401 status code is received. Can be a problem because I send more than 1 query to the API and I need to synchronize them and recall the first one (to get the result);
Every time before calling the API, call the MVC client method with GetTokenAsync, check the expiry time and get or update and get the access token. Seems cheating, because I need to call the MVC client every time I want to call the API.
Could you help me to find the best way?
"Is it good idea to store access token in the cookies?"
No, not with the authorization code flow. If you are using an MVC web application you should find a way to store tokens in some kind of datastore away from the browser. All the MVC application should administer is a cookie to access future MVC endpoints (that will make subsequent calls to Identity Server with the appropriate access token in the datastore).
"Do I need self-contained or reference token (it is about security, I suppose)?"
That's all up to you and what you think is best for your use cases. If you'd like to see the information in the access token and skip the extra backend call for validation then use reference tokens. Strategy 2 requires you to use self-contained tokens so that you can check the expiry.
"Could you help me to find the best way?"
I don't know if I can give the "best" way, but I'd probably go with strategy 2 and use self-contained tokens.
EDIT: If you wanted to use "axios , to get data from the API" then I would suggest using the implicit flow which has no concept of a refresh token. In this case, leaving it in the cookie should be OK.

Spring4 Security - how to secure restful api with access token only, no login required

I have met a seemingly easy, but actually pretty difficult situation for me; hope you can help.
We need to provide a secured REST API, but we have different services, for example an authentication service and an execution service. I now need to secure the execution service.
I am using Spring 4 Boot to boost; it seemed natural to use Spring Security and then provide a custom UserDetails service, but when I started implementing it, I met this big problem.
ExecutionService is not responsible for login purposes, so it won't provide a login form and consequently it won't save tokens at all. What it needs to do is only check header info: if it sees a token in the header, it will use some decode algorithm to decode that token and then check whether the user is qualified to continue or not.
All the posts online regarding Spring Security require a token storage, that means, the user logs in first and then the token is saved in memory, and then when the user comes again, just check that token.
Can anyone help me to figure out,
1) how to use spring security to check request header info;
2) when see token in header, use a customized function to check validity of that header and then authenticate the user based on the checking result?
Thanks in advance
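Both this question and the earlier JWT-as-source-of-user-details question come down to the same Spring Security piece: a stateless filter that reads the Authorization header, hands the token to your own validation routine, and on success puts the resulting user into the SecurityContext for that one request, with no login form and no server-side token store. The code below is an added example rather than code from either question; the TokenValidator interface stands in for whatever decode-and-check routine you have (signature, expiry, issuer), the "ROLE_" prefix convention and the javax.servlet imports (Spring 4 / Spring Boot 2; Boot 3 uses jakarta.servlet) are assumptions, and Java 17 is assumed for records.

```java
import java.io.IOException;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Stateless filter: reads "Authorization: Bearer <token>", hands the token to a pluggable
 * validator, and on success places the caller in the SecurityContext for this request only.
 * No session, no login form, no token store.
 */
public class HeaderTokenFilter extends OncePerRequestFilter {

    /** What a validated token tells us about the caller. */
    public record TokenClaims(String userId, Set<String> roles) {}

    /** Decodes and checks the token (signature, expiry, issuer, ...); empty when invalid. App-specific, assumed. */
    public interface TokenValidator {
        Optional<TokenClaims> validate(String token);
    }

    private static final String BEARER = "Bearer ";
    private final TokenValidator validator;

    public HeaderTokenFilter(TokenValidator validator) {
        this.validator = validator;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, BEARER, 0, BEARER.length())) {
            // No bearer token: stay anonymous and let the authorization rules reject protected URLs.
            chain.doFilter(request, response);
            return;
        }
        Optional<TokenClaims> claims = validator.validate(header.substring(BEARER.length()).trim());
        if (claims.isEmpty()) {
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
            return;
        }
        var authorities = claims.get().roles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toSet());
        // The three-argument constructor marks the Authentication as already authenticated.
        var auth = new UsernamePasswordAuthenticationToken(claims.get().userId(), null, authorities);
        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }
}
```

Register it in the security configuration with `http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)`, `addFilterBefore(new HeaderTokenFilter(validator), UsernamePasswordAuthenticationFilter.class)` and `authorizeRequests().anyRequest().authenticated()` (with CSRF disabled for a token-only API, since there is no cookie session to forge). Downstream, a controller reads the caller as `Authentication.getName()` or `@AuthenticationPrincipal`, which is also the answer to the JWT question above: the user id comes from the validated token, so a user id in the request body would be an unverified duplicate.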
