Protect all endpoints automatically - quarkus

I am following Quarkus OpenID Connect tutorial here.
But I don't need to check roles.
I want all endpoints except health-check and swagger-ui to check if the token is valid. Sometimes I may inject the JsonWebToken to use a claim. How can I do that using the extension?

Currently I haven't found a straightforward way to achieve this, but Quarkus provides the io.quarkus.security.Authenticated annotation that will permit any authenticated user to access the resource (equivalent to @RolesAllowed("**")).
Check this guide for more information: https://quarkus.io/guides/security-authorization
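As an added example that is not part of the question or answer above: a Quarkus resource that applies @Authenticated class-wide, so every method needs a valid token but no role, and reads a claim from the injected JsonWebToken. It assumes Quarkus 3 (jakarta.* imports; on Quarkus 2 use javax.*), the quarkus-oidc extension, and invented names such as OrderResource and /orders; the trailing comment shows the path-policy properties from the linked guide as the way to leave the health and Swagger UI paths open without annotating each resource.

```java
package org.acme;

import io.quarkus.security.Authenticated;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Assumed resource name and path; not from the original post.
@Path("/orders")
@Authenticated                  // any verified token passes, no role check (same as @RolesAllowed("**"))
@Produces(MediaType.TEXT_PLAIN)
public class OrderResource {

    @Inject
    JsonWebToken jwt;           // filled in by quarkus-oidc only after the bearer token verified

    @GET
    public String whoAmI() {
        // 'sub' is mandatory on a valid token; optional claims must be checked before use,
        // otherwise a token that lacks the claim causes a 500 instead of a clean 401/403.
        String subject = jwt.getSubject();
        String email = jwt.<String>claim(Claims.email.name()).orElse("<no email claim>");
        return "sub=" + subject + " email=" + email;
    }
}

/*
 * Alternative from the linked security-authorization guide (values assumed for this example):
 * path-based HTTP policies in application.properties. The more specific path wins, so the
 * health and Swagger UI endpoints stay public while everything else requires authentication.
 *
 * quarkus.http.auth.permission.public.paths=/q/health/*,/q/swagger-ui/*
 * quarkus.http.auth.permission.public.policy=permit
 * quarkus.http.auth.permission.secured.paths=/*
 * quarkus.http.auth.permission.secured.policy=authenticated
 */
```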

Related

Pub/Sub Implementation in Spring boot

Currently in our project we have already implemented the Firebase messaging service (FCM). We already have a service account created for this. Now we need to implement Pub/Sub with a different Google project and service account.
When I try to implement this its taking default credentials.
How can we configure different service account credentials for FCM and pub/sub?
Kindly let me know how can we fix this.
default credentials
Dependencies added
Error I am facing
To explicitly provide credentials for Spring Cloud GCP Pub/Sub, use the spring.cloud.gcp.pubsub.credentials.location or spring.cloud.gcp.pubsub.credentials.encoded-key property.
Documentation available here.
The error you have is unrelated to GCP authentication, though -- the issue is that two different starters are defining a JWT parsing bean. If you don't need to extract identity from Firebase, then it can be turned off with spring.cloud.gcp.security.firebase.enabled=false. If you do need it, and com.magilhub is under your control, follow the Spring Boot suggestion and use @Qualifier to get the specific one you need.

How to use OIDC with custom internal Provider

We have a standard OIDC/OAuth2 provider.
With Quarkus I am able to do the setup and auto-discover with the OpenID well-known configuration. So overall it works fine.
How do I customize the URL? We need to add a few parameters, viz. Resource
customize the callback URL
handle tokens differently
Can someone guide on this.
How to pass the resource server public register URI in Quarkus.
I see all examples only use Keycloak, but we can't use it as we already have predefined Federation service and Authorization service built in.
Do guide with some directions to make Quarkus customize the URLs.

Secure different endpoints with different OAuth2 services

Is there any way to configure spring security to use a certain authorization for a group of endpoints and another authorization for another group?
For example I want to authorize all endpoints that start with /facebook to use the Facebook login consent screen and endpoints that start with /google to use Google login consent screen.
I configured the properties for Spring Boot 2.x OAuth Client but I don't know how to configure the HttpSecurity object.
I think I can achieve this by implementing multiple ResourceServerConfigurerAdapter, one for Facebook and one for Google, but I am not sure how.
Any help is welcomed. Thanks!

How to achieve Single Sign-Out in Keycloak/Spring based applications?

I have 2 Spring web-apps. I'm using Keycloak to protect them. In the Keycloak doc it's said that to log out I can use:
HttpServletRequest.logout()
Yes, it logs out the user from one app. But the second one still remains active. How to configure Keycloak and/or Spring to provide Single Sign-Out?
If you're using the Spring Security adapter use the /sso/logout endpoint instead (either in GET or POST). For instance:
http://myapplication/sso/logout

Spring Security against Azure OIDC OAuth2 Flow

The real question, I could have asked, why am I only getting an id_token in my response to the authorization endpoint? And, probably best created in an azure stackoverflow space.
For context, the original question was more about customization strategy. Which, further research determined, was not necessary.
I've been reading through the OAuth2/OIDC features of the Spring Security Reference Guide - 5.7 OAuth 2.0 Login, 31. OAuth 2.0 Login — Advanced Configuration, and the github OAuth2 Login Samples trying to figure out how to extend or create a custom implementation for Microsofts Azure OIDC API - Authorize access to web applications using OpenID Connect and Azure Active Directory.
These are observations. And generally, what I’ve seen based on my experiment and what I believe to be true based on the spring security behavior and the Microsoft Understanding OpenID Connect Protocol guide documentation.
Azure’s sign in request against the /authorization endpoint has 3 additional nuances to their sign-in request that are currently not supported in the Spring Security 5 code base.
“response_type” – The Microsoft OIDC API allows id_token or id_token+code … Spring Security supports “code” or “token” OOTB. (id_token gets you the id_token, id_token+code will get you id_token and code. The code you can exchange for an access token.)
“response_mode” – The Microsoft OIDC API recommends use of response_mode=form_post … This is not supported OOTB in Spring Security.
“nonce” – The Microsoft OIDC API recommends use of nonce=[unique_value] … This is not supported OOTB in Spring Security.
I've created a fork to see what enhancements would be needed to support the above. I believe they would be.
spring-security-oauth2-core
OAuth2AuthorizationResponseType - to include additional types.
OAuth2AuthorizationRequest - to include support for nonce and responseMode
oauth2-client
OAuth2AuthorizationRequestRedirectFilter
OAuth2AuthorizationRequestUriBuilder
And a mechanism to auto configure the appropriate options.
The changes to support these parameters at first glance appear to be trivial. However, the classes in Spring Security are final and thus the extension is much bigger.
Anyone have any advice on a customization strategy? What would be the recommended approach to creating a customized configuration to support the nuances without replicating the code base?
With juunas' clue ... I realized my issues were related to the fact I had not created an API scope when I registered my application in the Azure B2C blade. Thus, the issue was not the Spring Security configuration, but a result of the missing scope.
Incidentally, the Get Access Token section in Microsoft Understanding OpenID Connect Protocol guide states, "... By including permission scopes in the request and using response_type=code+id_token, the authorize endpoint ensures that the user has consented to the permissions indicated in the scope query parameter, and return your app an authorization code to exchange for an access token."
Per juunas, this happens when response_type=code as well.