Setting up authentication/authorization using Traefik ForwardAuth - spring-boot

I'm using Docker to setup some services and Traefik 2 acts as a reverse proxy for these services.
So far I have been using Basic Auth to protect access to the services, but I'm trying to get rid of the user/pass prompt.
Looking at Traefik's documentation, I found the "ForwardAuth" middleware, which seems fine. I'm planning to use it to replace Basic Auth, but a full implementation example is not provided, and I'm having a hard time trying to set it up.
So far, thanks to Traefik forward-auth, I'm successfully calling a specific URL on a remote server in charge of the authentication (this server is developed with Spring Boot by myself). I understand that if the authentication server answers 200, it means "authentication success", while another code means "authentication failure".
Yet I'm currently unable to write the authentication code on the remote server, as I don't know how to check whether I must return 200 or something else. In particular, I don't know how to communicate information between Traefik and the authentication server.
Basically, the problems I have are:
- I can't ask the user for his/her username/password using Traefik
- When the authentication server receives the request from Traefik, it has no way to determine that the source request came from a previously authenticated user
The following picture shows most of my concerns:
What I'd like to achieve is the following behavior:
1. The user tries to access the Docker services without entering any username/password
2. Traefik determines that the user is not authenticated; thanks to forward-auth it asks the authentication server for authentication
3. The authentication server determines that the user is not authenticated; the user is redirected to the login page
4. The user enters his/her username/password on the authentication server
5. The user is redirected to the Docker services
6. Traefik determines that the user is authenticated
So far I can successfully achieve steps 1 to 5, but I don't know how to achieve step 6.
Is this the right way to use ForwardAuth?
If it is, are there some headers I must use to transfer the auth information? If not, is it possible to achieve what I want using ForwardAuth?

As far as I understand, Traefik also forwards any headers accompanying the original request, if you are not filtering any. See the Traefik forward-auth docs.
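The answer leaves the mechanics implicit, so here is an added example (not code from the question or its answer) of what the Spring Boot side can look like. It relies on two documented Traefik behaviours: the forwardAuth middleware copies the client's request headers, the Cookie header included, onto its call to the auth server and adds X-Forwarded-Method, X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Uri and X-Forwarded-For; and any non-2xx response from the auth server is returned to the browser unchanged, which is what makes a 302 to a login page work. The `/auth` path, the `fa_session` cookie name, the login URL and the hard-coded HMAC key are placeholders chosen for illustration.

```java
// Added example (not code from the question or its answer): a Spring Boot 2.x
// endpoint that Traefik's forwardAuth middleware calls before each request.
// Assumed for illustration: the /auth path, the "fa_session" cookie name,
// the login URL and the hard-coded HMAC key (load a real key from config).
package example.forwardauth;

import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.UriUtils;

@RestController
public class ForwardAuthController {
    static final String SESSION_COOKIE = "fa_session";
    static final String LOGIN_URL = "https://auth.example.com/login";
    static final byte[] KEY = "replace-with-32-random-bytes-from-config".getBytes(UTF_8);

    // Traefik sends the client's original headers (Cookie included) plus
    // X-Forwarded-Method/Proto/Host/Uri/For describing the original request.
    @GetMapping("/auth")
    public ResponseEntity<Void> check(
            @CookieValue(name = SESSION_COOKIE, required = false) String cookie,
            @RequestHeader(name = "X-Forwarded-Proto", required = false) String proto,
            @RequestHeader(name = "X-Forwarded-Host", required = false) String host,
            @RequestHeader(name = "X-Forwarded-Uri", required = false) String uri) {
        if (proto == null || host == null || uri == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); // not via Traefik
        }
        String user = verify(cookie, Instant.now().getEpochSecond());
        if (user != null) {
            // 2xx = allow. Headers named in the middleware's authResponseHeaders
            // option are copied onto the request Traefik proxies to the service.
            return ResponseEntity.ok().header("X-Forwarded-User", user).build();
        }
        // Any non-2xx response goes back to the browser unchanged, so a 302 to
        // the login page is how the redirect in step 3 happens. The original
        // URL rides along in "rd" so the login page can send the user back.
        String original = proto + "://" + host + uri;
        String location = LOGIN_URL + "?rd=" + UriUtils.encodeQueryParam(original, UTF_8);
        return ResponseEntity.status(HttpStatus.FOUND).header(HttpHeaders.LOCATION, location).build();
    }

    // Cookie layout: base64url(user "|" expiry) "." base64url(HMAC-SHA256(payload)).
    // The login page calls issue() after checking the password and sets the cookie
    // with a Domain shared by the auth server and the services, so the browser
    // sends it on every later request and Traefik forwards it here.
    static String issue(String user, long expiryEpochSeconds) {
        String payload = b64((user + "|" + expiryEpochSeconds).getBytes(UTF_8));
        return payload + "." + b64(hmac(payload));
    }

    // Returns the user name for a validly signed, unexpired cookie, else null.
    static String verify(String cookie, long nowEpochSeconds) {
        if (cookie == null) return null;
        int dot = cookie.lastIndexOf('.');
        if (dot <= 0) return null;
        String payload = cookie.substring(0, dot);
        byte[] given, raw;
        try {
            given = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
            raw = Base64.getUrlDecoder().decode(payload);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (!MessageDigest.isEqual(given, hmac(payload))) return null; // constant-time
        String decoded = new String(raw, UTF_8);
        int bar = decoded.lastIndexOf('|');
        if (bar <= 0) return null;
        try {
            long expiry = Long.parseLong(decoded.substring(bar + 1));
            return nowEpochSeconds < expiry ? decoded.substring(0, bar) : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return mac.doFinal(data.getBytes(UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String b64(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

On the Traefik side the middleware needs only the address and, if the service should learn who the user is, the response header to copy: `traefik.http.middlewares.fa.forwardauth.address=http://auth-server:8080/auth`, `traefik.http.middlewares.fa.forwardauth.authResponseHeaders=X-Forwarded-User`, and `traefik.http.routers.<service>.middlewares=fa` on each protected router (container and router names are placeholders). Step 6 then works because the cookie set by the login page is scoped to a parent domain shared with the services, so the browser attaches it to every request and Traefik hands it to `/auth`. Three things to check before deploying: the login route itself must not sit behind the `fa` middleware; the login page must verify that the host in `rd` belongs to your deployment before redirecting, otherwise it is an open redirect; and since the cookie is the whole credential, set `Secure`, `HttpOnly` and `SameSite=Lax` on it and keep the signing key out of source control.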

Related

Set up a proxy between multiple user machines and Okta for authentication

We are using Okta Customer Identity with our application. The challenge with our architecture is that each user gets their own server and subdomain, which is a little weird for Okta, because each redirect URL needs to be provided as part of the application configuration. As we add new users, the list of redirect URLs continues to grow, one per user machine. Their API is not really designed for this, so we have to write the complete list of redirect URLs with every change.
We would like to find a way to use a proxy for the Okta authentication, so that we can just have a single redirect URL for the Okta application configuration. But we're using https://github.com/okta/okta-spring-boot, and we're not really sure how to make it work with a proxy.
If we set up an HTTP proxy using -Dhttp.proxyHost=my.proxy.host -Dhttp.proxyPort=8080, that's going to affect all HTTP traffic, which is not acceptable.
1. Is there a way we can use an HTTP proxy purely for the Okta auth only, leaving all other HTTP traffic unproxied?
2. Is there something we can do with the Okta Spring Boot library that would make it possible for all user machines to share a common proxy machine?
3. The final alternative would be to write some "active" proxy code that runs on the proxy which handles the requests and forwards them on to Okta. It would have to introspect the Okta response and pass it back to the right user machine.
Is there a way to do #1?
Failing that, is there a way to do #2?
If neither of those are possible, are you aware of an existing implementation of #3?

Cognito authorize endpoint in OAuth2 identity provider

I've been trying to figure this out forever, and I don't think it's supposed to be this complex...
I have an AzureAD setup with an OAuth2 Connection that I want to point to Cognito so that I can authenticate users in the User Pool, get a token back and call AppSync APIs, etc. Important note here, I cannot use Amplify in the current situation.
I have configured my App Client as follows:
The ngrok URLs are because I'm working on a cloud based app that needs tunneling. I have multiple URLs in there in the hope that I'd get one that works, to no avail.
To configure the OAuth2 Connection in Azure, I'm asked for 3 URLs,
authorize, token and refresh.
Here are the values I put into these fields
When I initiate the auth process with this connection, I get the redirect_mismatch error. I have no idea why. When I open the HostedUI, it shows up just fine, but it points to login instead of authorize. The redirect_uri, however, is localhost:3000/ as seen at the end of the address bar.
Clearly, I'm missing something, but I have no idea what. Should there be additional parameters in the config of my URLs on Azure's side? Anyone ever connected the two in this way? The company insists on this flow, and I just can't wrap my head around it.
Any and all help appreciated, thank you.
NOTE: There is a possibility to configure a custom OAuth2 connection on the side of Azure with more parameters, should this be the way? I do not, however, know what to put in these extra fields.
In the case of bot authentication, as in my situation, add the following to the Callback URLs:
https://token.botframework.com/.auth/web/redirect
This allows the authentication window to open when authenticating your bot.

Authentication with Active Directory. Angular 2, Spring - theoretical

I'm doing some research about authentication via Active Directory for an internal application.
The application is divided into two parts: a front-end in Angular 2 and a back-end in Spring. I would like to add Windows authentication to it to avoid providing credentials when you are already logged in, but I can't fully understand how the server could possibly know which user's credentials to compare with those stored in Active Directory. For example, let's assume that I've logged into Windows and my data is sent to Active Directory. Now I'm heading to a website, which I would like to automatically authenticate me with an HTTP request sent to the REST API. The REST server invokes some logic connected with authentication against Active Directory, and after success the REST API sends a token back to Angular. But the thing I'm missing is how the server knows which credentials to compare to know if the user exists in AD. Should I somehow use Angular to gain access to the user credentials stored in Windows through the browser? Or am I missing something important here?

Oracle ADF Application and OpenAM

Using OpenAM I am trying to protect an ADF application; I have installed the WebLogic policy agent as documented.
I get prompted to log in with the OpenAM screens; however, once logged in and redirected back to the application, I get the following error:
Error 403 -- Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Are there any logs or anything I can look at to find the exact reason?
The only thing I can think of is that it's something to do with the ADF security.
By default the Agent is running in 'ALL' mode, which means it's also enforcing authorizations for URL (urlPolicy). So you have to create URL policies as well.
However URL policies often do not make sense for Web Apps, so you could change the agent to run in 'SSO_ONLY' or 'J2EE' mode.
BTW the agent debug log (log level set to 'message' in agent profile) will tell you why it's denying access.

Should HTTPS be used for all calls involving authorization

It's common to use HTTPS for authentication, so the authentication details from the client cannot be sniffed. However, once the user is logged in, subsequent calls to a web app pass some sort of auth id which the web app then uses to authorise; should those not also be HTTPS? How is this done in things like Facebook? It seems easier to make all traffic HTTPS.
An answer by Jeff Atwood:
http://www.codinghorror.com/blog/2012/02/should-all-web-traffic-be-encrypted.html
Assuming the server can handle it, I'd go a step further and use SSL for everything, no matter if users are logged in or not.
This has the advantage that an eavesdropper doesn't even know if the user is accessing your site/app as a guest or as an authenticated user. It also saves you from having to decide when to use SSL and when not.
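Applied to the asker's Spring stack, the answer's advice amounts to two settings, shown here as an added example (not code from the question or the answer): redirect every plain-HTTP request to HTTPS and send an HSTS header so the browser stops trying HTTP at all. It assumes Spring Security 5.4 or later (for the `SecurityFilterChain` bean style) and Spring Boot 2.2 or later (for the property names in the comments).

```java
// Added example (not from the question or the answer): a Spring Security 5.4+
// configuration that applies the answer's advice, TLS for every request, not
// only the login call. Property names in the comments are Spring Boot 2.2+.
package example.tls;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class HttpsEverywhereConfig {

    // The weak pattern the question describes would be
    //   .requiresChannel(c -> c.antMatchers("/login").requiresSecure())
    // which protects the password but leaves the session id on every later
    // request readable to anyone on the path.
    @Bean
    SecurityFilterChain httpsEverywhere(HttpSecurity http) throws Exception {
        http
            // Redirect every plain-HTTP request to its HTTPS counterpart.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // Tell browsers never to use HTTP for this host again (one year).
            .headers(headers -> headers.httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)));
        return http.build();
    }

    // Pair with these application.properties so the session cookie never travels
    // over HTTP and requiresSecure() trusts X-Forwarded-Proto from a TLS-terminating proxy:
    //   server.servlet.session.cookie.secure=true
    //   server.forward-headers-strategy=native
}
```

The redirect only helps the first request; the HSTS header is what removes the HTTP round trip (and the window for a downgrade) on every later visit, and the `Secure` cookie flag is what guarantees the auth id the question asks about is never sent in clear even if a link or bookmark still says `http://`.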
