I need to handle authentication of hundreds of thousands of users.
For the moment I have bunch of microservices and a single SpringBoot app configured as Spring Security OAuth2 Authorization Server.
Does Spring Security OAuth2 Authorization Server support horizontal scaling?
(for example, Dockerize that Spring Security OAuth2 Authorization Server and use AWS ECS to launch multiple instances)
I cound't find any official Spring Security OAuth2 documentation talking about scalability.
Related
I have been exploring APIgee and okta configuration using https://github.com/tom-smith-okta/okta-api-center repo. Here APIgee edge acts as a gateway to https://okta-solar-system.herokuapp.com/ api’s and the token for authentication is generated via okta. My understanding is that https://okta-solar-system.herokuapp.com/ doesnt have any okta authentication enforcement. The check is via apigee.
If I were to replace https://okta-solar-system.herokuapp.com/ with a spring boot application hosted publicly should the application have okta security enabled (eg : https://github.com/oktadeveloper/okta-spring-boot-oauth-example) or should i follow same procedure as above and delegate enforcement of token to apigee, without any security enforcement on the spring boot application?
Can someone tell me what is the standard way of implementation I should follow?
If the spring boot application has no enforcement of security, what is to prevent someone from bypassing the Apigee API gateway and calling it directly?
If you have successfully managed to secure the spring boot application so that only the API gateway can communicate with it (via mutual TLS connection, IP allow listing, etc), you might be able to forego any enforement at the service level, but I would recommend doing some authorization checks in the service itself.
Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
My rest api on spring boot application is secured with spring security Oauth2 client credentials with memory token.
How can I horizontal scale my application so access token will be valid in any scaled instances ?
I am guessing that you are running an Authorization Server that is embedded in your Spring application. If you want to scale horizontally you need to separate the two concerns. There are two ways to do this.
Run multiple REST / API servers and a single separate authorization server. The JWT granted by your single authorization server would be valid across all your REST / API servers as long as you configure your verifier correctly.
If you can for your project, use a third party authorization service like Auth0 or Okta to grant JWTs. The JWTs granted by these services would be valid and verifiable across all of your REST / API servers. These services will make your life easier since the provide HA and scalable Authorization server implementations. They are also more secure than trying to run your own authorization server.
I am using SSO and preAuthenticated Filter in my micro services. Micro services are built using spring boot and are stateless in nature. How can I apply CSRF protection across all micro services using spring security. Please let me know if any solution is available to implement CSRF for this scenario.
You are probably looking for a proxy server. Take a look at Zuul and its security filters:
https://github.com/spring-cloud/spring-cloud-netflix/issues/796
https://github.com/spring-cloud/spring-cloud-security/issues/88
I have an existing Spring MVC/RESTful web application. Right now all of my REST endpoints secured with OAuth2.
Now, I need to reimplement security of my REST endpoints from OAuth2 to Jasig CAS.
I have already created my own CAS server and looking for an example how to secure Spring REST endpoints with CAS. Unfortunately I can't find any examples right now.
Could you please show me an example how to use Spring Security with CAS client in order to secure my Spring RESTful webservices.