I have an Okta app's client id and secret key, and I would like to know how to generate an access token using Spring's default classes and not by hitting the API endpoint.
Please provide the Spring pre-defined classes to which I can supply the client id along with the secret so that the access token is generated.
You are dealing with server-to-server authentication. You don't actually explicitly need the access token; use OAuth2RestTemplate for all requests, just to have things under control.
You could implement it as-is from this link: https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
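The linked Okta post uses the older spring-security-oauth2 `OAuth2RestTemplate` and `ClientCredentialsResourceDetails`. As an added example that is not from the answer or the Okta post, the same client_credentials exchange on the current Spring Security 5 client classes: the `OAuth2AuthorizedClientManager` performs the token request for you, caches the result, and refreshes it when it is close to expiry. The token URI, scope and the environment-variable names are placeholders.

```java
// Added example: client_credentials token with Spring Security 5's OAuth2 client classes.
// Needs spring-boot-starter-oauth2-client on the classpath. All Okta values are placeholders.
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;

public class OktaClientCredentials {

    private final AuthorizedClientServiceOAuth2AuthorizedClientManager manager;

    public OktaClientCredentials(String tokenUri, String clientId, String clientSecret, String scope) {
        // In a Spring Boot app this registration normally comes from
        // spring.security.oauth2.client.registration.okta.* properties instead.
        ClientRegistration okta = ClientRegistration.withRegistrationId("okta")
                .clientId(clientId)
                .clientSecret(clientSecret)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .tokenUri(tokenUri)   // placeholder: https://{yourOktaDomain}/oauth2/default/v1/token
                .scope(scope)         // a custom scope defined on the Okta authorization server
                .build();

        InMemoryClientRegistrationRepository registrations = new InMemoryClientRegistrationRepository(okta);
        InMemoryOAuth2AuthorizedClientService clients = new InMemoryOAuth2AuthorizedClientService(registrations);

        // The provider knows how to POST the client_credentials grant to tokenUri.
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();

        manager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clients);
        manager.setAuthorizedClientProvider(provider);
    }

    /** Returns the cached token, or performs a new grant when none is stored or it is about to expire. */
    public OAuth2AccessToken accessToken() {
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                .withClientRegistrationId("okta")
                .principal("okta-service-client") // any stable name; keys the stored authorized client
                .build();
        OAuth2AuthorizedClient authorized = manager.authorize(request);
        if (authorized == null) {
            throw new IllegalStateException("client_credentials grant was not performed");
        }
        return authorized.getAccessToken();
    }

    public static void main(String[] args) {
        // Secrets come from the environment, never from source. Variable names are placeholders.
        OktaClientCredentials creds = new OktaClientCredentials(
                "https://dev-123456.okta.com/oauth2/default/v1/token",
                System.getenv("OKTA_CLIENT_ID"),
                System.getenv("OKTA_CLIENT_SECRET"),
                "custom_scope");
        OAuth2AccessToken token = creds.accessToken();
        System.out.println("Bearer " + token.getTokenValue() + " (expires " + token.getExpiresAt() + ")");
    }
}
```

If you only need to call an API, you do not have to touch the token value at all: register the same manager with `WebClient` or `RestTemplate` (via `ServletOAuth2AuthorizedClientExchangeFilterFunction`), and the bearer header is added for you, which is the point the answer makes about `OAuth2RestTemplate`.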
I have noticed that when authenticating with my auto-generated Swagger UI client, I do not have access to custom Auth0 permissions—and, in fact, the access token being used to make authenticated requests to my resource server is actually "opaque" (not a valid JWT).
I am using Auth0 as my authorization server abstraction. According to Auth0's docs, one must always pass audience in the POST request body when generating a JWT via the client credentials flow.
Going through the flow by making the various API calls manually, I can generate the JWT correctly. The issue lies in there not being an obvious way to pass the audience to Auth0 when using the auto-generated Swagger UI client. Any ideas?
Library versions:
Spring Boot starters (e.g., rest, jpa, web)
org.springdoc:springdoc-openapi-ui 1.3.9
org.springdoc:springdoc-openapi-data-rest 1.4.0
Update
I have realised that it is possible to provide a default audience for an entire Auth0 tenant, so I set this to be the same audience for my lone API. I am also able to obtain a valid token with scopes included on behalf of the Swagger UI application if I specify the grant type as client credentials (normally reserved for machine-to-machine auth). However, I can see from the Auth0 logs that the flow being used by the Swagger UI client is authorization code.
I am building an application using a microservice architecture. I am using Eureka for service discovery with Spring Cloud Gateway for request routing. For the authentication mechanism I am issuing JWT tokens (in the auth service). What is the best practice when it comes to propagating Authentication so I can get logged-in user information in each service behind the gateway?
So far I've come up with/found a couple of possible solutions:
In the gateway, add headers for the relevant user information, and in each service create a filter which would take said headers, create an Authentication object and store it in SecurityContextHolder. The downside of this approach is I can't just plug and play services outside my application.
Pass the token coming from the client through the gateway to each service, where I would have a JWTFilter which would validate the token and extract the user information. The downside I see with this approach is I have to have the JWT secret shared between each service or stored on each service, and I would have to implement the JWT logic, producing duplicate code.
The final solution is having something like an OAuth token introspection endpoint in the auth service which would be called from each service (filter) once the request reaches it.
I implemented the filter logic for validating the user token in the gateway service, but I would like to use role-based authorization on each endpoint (service) differently (i.e. the user service has an endpoint for creating users (ADMIN) and one for fetching user information (ANY ROLE)).
I opted for something like your option 2 and use Spring Boot to configure a JWT decoder from an OIDC authorization server (Keycloak).
Configuring OpenID resource servers is super easy (more options in the parent folder), and the authorization server's JWT public signing key is retrieved automatically by the Spring JWT decoder.
All that is required is ensuring that the Authorization header with the JWT bearer is correctly propagated between services.
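As an added example (not the answer's own code), one resource-server configuration that does what the answer describes and also covers the per-service role rules from the question: it validates Keycloak-issued JWTs against the issuer's published JWK set (no shared secret in the service), maps Keycloak realm roles to `ROLE_*` authorities so the user service can require ADMIN on one endpoint and any authenticated role on another, and forwards the caller's bearer token on outgoing `RestTemplate` calls so the next service behind the gateway validates the same JWT. The issuer URI and paths are placeholders; it targets Spring Security 5.4+ (`SecurityFilterChain` bean style).

```java
// Added example: Keycloak JWT resource server + role mapping + bearer propagation.
// Needs spring-boot-starter-oauth2-resource-server. ISSUER and paths are placeholders.
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.client.RestTemplate;

@Configuration
public class ResourceServerConfig {

    // Placeholder; normally spring.security.oauth2.resourceserver.jwt.issuer-uri in application.yml.
    private static final String ISSUER = "https://keycloak.example.com/auth/realms/myrealm";

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the OIDC metadata at ISSUER, fetches the JWK set, and validates signature,
        // iss and exp/nbf. Only the public keys are ever held by this service.
        return JwtDecoders.fromIssuerLocation(ISSUER);
    }

    // Keycloak puts realm roles under realm_access.roles; expose them as ROLE_* authorities.
    static Collection<GrantedAuthority> realmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection)) {
            return Collections.emptyList();
        }
        return ((Collection<?>) realmAccess.get("roles")).stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + String.valueOf(r).toUpperCase()))
                .collect(Collectors.toList());
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(ResourceServerConfig::realmRoles);
        http.csrf().disable() // stateless bearer-token API, no session cookie to protect
            .authorizeRequests(a -> a
                .antMatchers(HttpMethod.POST, "/users").hasRole("ADMIN")   // create users: ADMIN only
                .antMatchers(HttpMethod.GET, "/users/**").authenticated()  // fetch user info: any role
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt().jwtAuthenticationConverter(converter));
        return http.build();
    }

    // Outgoing calls: copy the caller's bearer token so the next service receives the same JWT.
    @Bean
    RestTemplate downstream() {
        RestTemplate rt = new RestTemplate();
        rt.getInterceptors().add((request, body, execution) -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth instanceof JwtAuthenticationToken) {
                String token = ((JwtAuthenticationToken) auth).getToken().getTokenValue();
                request.getHeaders().set(HttpHeaders.AUTHORIZATION, "Bearer " + token);
            }
            return execution.execute(request, body);
        });
        return rt;
    }
}
```

Two caveats a practitioner will want: `JwtDecoders.fromIssuerLocation` validates issuer and timestamps but not `aud`, so if several APIs share the realm, add a `JwtClaimValidator` for the audience you expect; and the interceptor reads the thread-local `SecurityContextHolder`, so for calls made on another thread (async, reactive) pass the token explicitly instead.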
I am working on a Spring Boot application where the existing user authentication is based on OAuth2 with 2FA. Now, I would like to call the APIs in my application from a third-party client as well, say from another service.
Basically, I would like to develop one auth API where, on providing a valid client name, valid API key and API secret, the client will get an auth token which will be valid for, say, 1 hour. Then this auth token can be passed in all successive API invocations until the token expires.
I found a few articles here:
a. Securing Spring Boot API with API key and secret
b. How to secure spring Boot API with API key and secret
c. how to implement api key secure in spring boot?
d. How to config multiple level authentication for spring boot RESTful web service?
But I am not getting any concrete idea regarding how to achieve this.
Could you please suggest how I can achieve this? Thanks
I have read some articles on the Keycloak Spring implementation (e.g. easily-secure-your-spring-boot-applications-with-keycloak), but none mention how to use it with JWT.
I have created a Zuul API gateway and added the Keycloak adapter as described in the previously linked article. That's OK, but I want to use JWT with Keycloak.
It is mentioned elsewhere to set the client access type to bearer-only and the session strategy to NullAuthenticatedSessionStrategy. Is that enough, or is something else needed for JWT?
So my questions:
How do I configure client on Keycloak admin for JWT?
How do I configure Keycloak in backend config file for JWT?
How do I configure Keycloak adapter for JWT?
How do I pass user info to the microservice? Create a filter in the gateway? But how do I get the user info from the request?
A Keycloak access token is a JWT. It is JSON, and each field in that JSON is called a claim. By default, the logged-in username is returned in a claim named "preferred_username" in the access token. Spring Security OAuth2 Resource Server expects the username in a claim named "user_name". So you need to create a mapper to map the logged-in username to a new claim named user_name.
In order to provide access to the client (microservice), the respective role needs to be assigned/mapped to the user.
Then, in your Spring Boot application, you need to configure the connection to the Keycloak server, providing the auth URL, token URL, scope, grant type, client-id and client-secret.
After that, for your app to be able to parse the JWT token, you need to create a JwtAccessTokenCustomizer. This class should extend DefaultAccessTokenConverter and implement JwtAccessTokenConverterConfigurer. The main logic lies in the public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) method.
Then you need to configure the OAuth2 Resource Server to provide access for other microservices. For that you define an OAuth2RestTemplate bean.
And in the end, secure your REST API via the standard configuration component.
So, you can see that it is a lot of work and couldn't be described with code; show some of your work, divide it into chunks, and ask your specific questions.
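As an added example (not the answer's own code), the JwtAccessTokenCustomizer the answer describes, on the older spring-security-oauth2 / spring-security-oauth2-autoconfigure stack. It reads the username from a mapped `user_name` claim, falling back to Keycloak's default `preferred_username` so the token still works if the mapper is missing, turns `realm_access.roles` into `ROLE_*` authorities, and builds the `OAuth2Authentication` the resource-server filter places in the security context. Claim names follow Keycloak defaults; the signature is verified before this method runs when `security.oauth2.resource.jwk.key-set-uri` points at the realm's JWKS endpoint.

```java
// Added example: claim -> OAuth2Authentication mapping for Keycloak JWTs on the legacy
// spring-security-oauth2 resource-server stack. Claim names are Keycloak defaults.
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.boot.autoconfigure.security.oauth2.resource.JwtAccessTokenConverterConfigurer;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.stereotype.Component;

@Component
public class JwtAccessTokenCustomizer extends DefaultAccessTokenConverter
        implements JwtAccessTokenConverterConfigurer {

    @Override
    public void configure(JwtAccessTokenConverter converter) {
        // Make the JWT converter delegate claim -> Authentication mapping to this class.
        converter.setAccessTokenConverter(this);
    }

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) {
        // Prefer the Spring default claim (user_name, if a Keycloak mapper adds it),
        // then Keycloak's own preferred_username.
        String username = firstText(tokenMap, "user_name", "preferred_username");
        if (username == null) {
            throw new IllegalArgumentException("token carries no user_name/preferred_username claim");
        }
        Collection<GrantedAuthority> authorities = realmRoles(tokenMap);
        Set<String> scopes = scopes(tokenMap);
        String clientId = String.valueOf(tokenMap.get("azp")); // Keycloak: authorized party = client id

        OAuth2Request request = new OAuth2Request(null, clientId, authorities, true, scopes,
                null, null, null, null);
        UsernamePasswordAuthenticationToken user =
                new UsernamePasswordAuthenticationToken(username, "N/A", authorities);
        return new OAuth2Authentication(request, user);
    }

    static String firstText(Map<String, ?> map, String... keys) {
        for (String k : keys) {
            Object v = map.get(k);
            if (v instanceof String && !((String) v).isEmpty()) {
                return (String) v;
            }
        }
        return null;
    }

    // realm_access.roles -> ROLE_* authorities; empty when the claim is absent or malformed.
    static Collection<GrantedAuthority> realmRoles(Map<String, ?> tokenMap) {
        Object realmAccess = tokenMap.get("realm_access");
        if (!(realmAccess instanceof Map)) {
            return Collections.emptyList();
        }
        Object roles = ((Map<?, ?>) realmAccess).get("roles");
        if (!(roles instanceof Collection)) {
            return Collections.emptyList();
        }
        return ((Collection<?>) roles).stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + String.valueOf(r).toUpperCase()))
                .collect(Collectors.toList());
    }

    // Keycloak emits "scope" as a space-separated string; accept a list too.
    static Set<String> scopes(Map<String, ?> tokenMap) {
        Object scope = tokenMap.get("scope");
        if (scope instanceof String) {
            return new LinkedHashSet<>(Arrays.asList(((String) scope).trim().split("\\s+")));
        }
        if (scope instanceof Collection) {
            return ((Collection<?>) scope).stream().map(String::valueOf)
                    .collect(Collectors.toCollection(LinkedHashSet::new));
        }
        return Collections.emptySet();
    }
}
```

With this in place the gateway does not need to build a user-info header at all: each service behind it receives the original `Authorization: Bearer ...` header, verifies the signature with Keycloak's public key, and gets the username and roles from the claims.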
I have a project using Java Spring Boot and OAuth2. The access token is too long.
How do I set the length of the access token? Thanks for the help
I assume you're using mostly the default configuration and therefore DefaultTokenServices builds your access token.
Since Spring is completely open source, you can easily look into their code and find this line:
DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
There is no option to specify the length of your access token. An option would be to implement a token service by yourself and create an access token in a way you want to.
There is already another question that asks how to create a custom oauth2 token. Maybe this helps you doing this.
But be careful when implementing this by yourself, because this is in fact your security token. If it is weak, your authentication is weak.
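As an added example (not the answer's own code), a way to get a shorter token without re-implementing the token service or weakening it: a `TokenEnhancer` on the older spring-security-oauth2 authorization-server API that replaces the 36-character UUID string with 22 URL-safe characters holding 128 bits from `SecureRandom`. The UUID the answer quotes carries 122 random bits, so this is shorter but not weaker; the failure mode to avoid is truncating the value, which discards entropy. The authorization-server class is a minimal placeholder; client registration is assumed to be configured elsewhere.

```java
// Added example: compact, full-entropy opaque access tokens via a TokenEnhancer
// (legacy spring-security-oauth2 authorization server). Wiring is a placeholder.
import java.security.SecureRandom;
import java.util.Base64;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

public class CompactTokenEnhancer implements TokenEnhancer {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int TOKEN_BYTES = 16; // 128 bits; a v4 UUID carries 122

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // Keep expiry, scope and refresh token; only the opaque value is replaced.
        DefaultOAuth2AccessToken copy = new DefaultOAuth2AccessToken(accessToken);
        copy.setValue(newTokenValue());
        return copy;
    }

    /** 22 URL-safe characters, no padding, instead of the 36-character UUID string. */
    static String newTokenValue() {
        byte[] bytes = new byte[TOKEN_BYTES];
        RANDOM.nextBytes(bytes); // never Random/Math.random: the value is the credential
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}

@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // DefaultTokenServices runs the enhancer before storeAccessToken(), so the
        // TokenStore indexes the compact value and the discarded UUID never becomes valid.
        endpoints.tokenEnhancer(new CompactTokenEnhancer());
    }
    // ClientDetailsServiceConfigurer / client registration assumed to be configured elsewhere.
}
```

This only applies to opaque tokens. If the length you are seeing comes from a `JwtAccessTokenConverter`, the value is a signed JWT and its size is driven by the claims and signature, not by this line; replacing it with a random string would break verification.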