How do I enable Auth0 OIDC login with Spring Security 5.1+ - spring-boot

Spring 5.1+ should allow me to configure Auth0's login without a 3rd party jar, I've done similar things before. problem is I haven't figured out all the right properties. What do I need to set in order for this to work?

Create a new Application in Auth0 Dashboard, select Spring Boot as framework.
Set the following callback URL when adding the settings of your application.
http://localhost:8080/login/oauth2/code/auth0
In dependencies
runtimeOnly("org.springframework.boot:spring-boot-starter-security")
runtimeOnly("org.springframework.boot:spring-boot-starter-web")
runtimeOnly("org.springframework.boot:spring-boot-starter-oauth2-client")
In application.properties:
spring.security.oauth2.client.registration.auth0.scope[0]=openid
spring.security.oauth2.client.registration.auth0.scope[1]=profile
spring.security.oauth2.client.registration.auth0.scope[2]=email
spring.security.oauth2.client.registration.auth0.client-id=<your client id in your application in Auth0 Dashboard>
spring.security.oauth2.client.registration.auth0.client-secret=<your secret in your application in Auth0 Dashboard>
# I haven't found general documentation for this but it's in format https://<your domain in dashboard
spring.security.oauth2.client.provider.auth0.issuer-uri=https://<your domain in your application in Auth0 Dashboard>
For more information, a technology documentation page should have opened up when you created the application. It seems to be available via Application -> QuickStart.
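The properties above only register the client; the filter chain still has to be told to use OIDC login. As an added example (not from the answer above), this Spring Security 5.1-style configuration turns on `oauth2Login()` for the `auth0` registration, requires authentication for everything except the landing page, and exposes the claims of the validated ID token through a small controller. The class names and the `/me` endpoint are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.LinkedHashMap;
import java.util.Map;

// Assumed class name. Spring Security 5.1-style configuration (WebSecurityConfigurerAdapter);
// newer versions use a SecurityFilterChain bean, but the DSL calls are the same.
@Configuration
public class Auth0SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // everything except the landing page requires a logged-in user
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
            .and()
            // oauth2Login() picks up the "auth0" registration from application.properties;
            // because the scope contains "openid", Spring runs the OIDC flow (ID token
            // verified against the issuer's JWKS, iss/aud/exp checked), not plain OAuth2.
            .oauth2Login()
                // where to send the browser after a successful login (assumed path)
                .defaultSuccessUrl("/me", true);
        // The callback http://localhost:8080/login/oauth2/code/auth0 is handled automatically;
        // it must match the Allowed Callback URL configured in the Auth0 dashboard.
    }
}

// Assumed controller: shows which claims the validated ID token carried.
@RestController
class MeController {
    @GetMapping("/me")
    public Map<String, Object> me(@AuthenticationPrincipal OidcUser user) {
        Map<String, Object> out = new LinkedHashMap<>();
        // "sub" is the stable Auth0 user id; key your own records on it, not on email
        out.put("subject", user.getSubject());
        out.put("email", user.getEmail());
        out.put("emailVerified", user.getEmailVerified());
        out.put("issuer", user.getIssuer().toString());
        return out;
    }
}
```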

Related

How to get an auth code from Keycloak (OAuth2 standard flow) in a JEE-Maven project?

I need to secure a web-app, the backend will be Java Rest API, meanwhile I'll use Angular for my front.
I am using Keycloak to authenticate into my webapp, but I need to follow the standard flow of OAuth, which means I need to get the auth code first and then the access & refresh tokens.
I saw some configuration, but they're all related to Spring, like putting this code in application.properties
# keycloak properties
keycloak.realm = services
keycloak.auth-server-url = http://127.0.0.1:8080/auth
keycloak.ssl-required = external
keycloak.resource = todo-api
keycloak.use-resource-role-mappings = true
keycloak.security-constraints[0].authRoles[0]=users
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/api/todo/*
The thing is in my project I don't have an application.properties file.
I've created a client in Keycloak; how do I have to configure my JEE project to get the auth code?
Thanks a lot
You will need to log into Keycloak and select your realm and client "todo-api". Select the Installation tab and usually the Keycloak OIDC JSON format. This will create a configuration file that your frontend application will use for managing keycloak. To enforce the Auth code flow, disable the "Implicit Flow Enabled" and "Direct Access Grants Enabled" setting on the "todo-api" client.

Is there a Spring boot SAML client for integrating SAML with spring boot application?

I am developing a Spring Boot application that integrates with multiple IdPs. I have checked many examples over the internet on integrating a Spring application with SAML; all of them show how to integrate with IdPs via application properties.
In the case of OAuth 2.0, we had Clients provided by MSAL libraries, we integrated as below.
// MSAL4J: build a confidential client, then run the authorization-code flow
ConfidentialClientApplication clientApplication = ConfidentialClientApplication
    .builder(decryptCredential(adClientId), clientSecret)
    .authority(authorityURL).build();
// step 1: send the user to this URL to authenticate at the IdP
String authorizationUrl = clientApplication.getAuthorizationRequestUrl(parameters).toString();
// step 2: exchange the returned authorization code for tokens
clientApplication.acquireToken(authorizationCodeParameters);
Is there a similar way in Spring Boot to have a client call the ADFS SAML IdP and get the user authenticated?
Based on the request, fetch IDP details from Database and invoke a call to the appropriate IDP to get the user authenticated.
thanks in advance.
I explored coveooss library, which has clients and it is easiest one to invoke ADFS to fetch SAML assertions. Here is the link for COVEOOSS git link

Spring Boot 2 Authorization Server for public clients (PKCE)

Is it possible to create an authorization server for PKCE authentication in the current version of Spring Security?
I did some research and found this authorization server project https://github.com/spring-projects-experimental/spring-authorization-server, but there is no usable sample for that project.
I also found out that Spring recommends Keycloak as an authorization server, but it does not fit my case.
We need to be able to fetch and verify users against a remote service, and then use the authorization server only for generating and verifying JWT tokens. To my knowledge Keycloak should also hold users, right? So the best solution would be a custom Spring standalone authorization server. Is it possible in some way? Thank you!
You may have a look at this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry, but it can be used as a stand-alone OAuth2 server. It can support an external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, the Spring framework has one more implementation of the authorization server. It is a part of the spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to replace the legacy solution.
From my point of view there are now several possible options:
Using the old legacy spring-security-oauth. There are more examples with the old auth server.
Using external services like Keycloak, Auth0, Okta, etc.

Implement Keycloak Authorization server using Spring Security 5 OAuth2

I've written a software system that uses Spring Cloud Netflix. Due to Spring Security 5 not offering support for writing an Authorization Server (pls shout out here https://github.com/spring-projects/spring-security/issues/6320) I need to write my own Authorization server. I want my application to permit social login and username/password registration, have a custom login page, but also use Keycloak. I don't even know where to start; if you have any documentation or code samples, please provide them.
You can use the CAS project. By using the overlay it is easy to set up and to customize:
https://github.com/apereo/cas-overlay-template/blob/master/README.md
It serves a frontend where your user can be redirected to and can login. After successful login, the user is redirected back to your web page. The frontend is completely customizable.
It supports all kinds of authentication providers like Keycloak, database or Google/Facebook.
After basic setup you just add the dependency inside the Gradle file, configure your Keycloak/database/... in the application.properties and can start using it as an authentication server.
It fits perfectly into a microservice landscape and is curated by professionals implementing security best practices.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html

How can I use multiple Oauth2 SSO Servers on a single Spring boot application with Spring Cloud Security Oauth2?

I'd like to give users the option to login to a Spring Boot web application using their Google or Facebook account.
I checked the Spring Cloud Security documentation and also this GitHub issue to add such SSO functionality, but both only show how to configure one SSO server, so it's either Google or Facebook.
How can I add both options? On the web front-end I will add a button for each option so the users can choose which account to use, either Google or Facebook.
Or am I choosing the wrong package and should use something different altogether to achieve this?
Thanks!
You basically have to install a separate authentication filter for each provider. There's a tutorial here: https://spring.io/guides/tutorials/spring-boot-oauth2/.