Sorry if this is a VERY stupid question...
I'm new to Spring Security and I have a basic SpringBoot Rest API which I now want to learn how to secure.
Now what I really want to do is have separate webpage that does the "Login in with Facebook" view. But how do I secure some of the endpoints in my rest api using the token from facebook?
Imagine:
Endpoint /profile -- only the user who has logged in should be able to see their profile. Endpoint /welcome -- Everyone can access Endpoint /messages -- only the user who has logged in should be able to see their messages.
What frameworks should I be using here or how do i even go about doing this
Thanks!
Welcome to OAuth (Open Authorization). There was a problem called "Access Delegation Problem"
at past, and OAuth was created to fix it. If you are able to access "Microservice Security In Action" book, it tells you exactly you want on Facebook example. (at appendix D)
In your scenario, here is the OAuth components.
Resource Server: Your Spring Boot Project
Authorization Server: Facebook
Resource Owner: The end-user
First of all, import spring-security-oauth2 module to your project. Then configure spring security.
delegate your authentication to Facebook by OpenID Connect / OIDC (basically, authentication by OAuth 2.0)
http.oaut2Login()
Provide authorization code flow grant type details like client_id, redirect_uri, token_uri, authorize_uri.
spring:
security:
oauth2:
...
permit some urls to be public.
http.authorizeRequests().antMatchers(preparePermittedUrls()).permitAll()
Related
I'm trying to extend my home made OAuth2 Authorization Server with the OpenID Connect. At the moment, the Server works fine and successfully issues an access token.
What I need is that the token endpoint returns an id_token along with the access_token.
The Authorization Server is a Spring boot (2.5) app, which implements the authorization code flow using following oauth dependencies.
spring-security-oauth2
spring-security-oauth2-autoconfigure
spring-security-jwt
spring-security-oauth2-jose
Is there some standard way to configure an OAuth2 Spring Server so it provides the OpenID Connect features?
Thanks in advance for an example code and/or useful documenation.
The Spring team are working on a new OAuth server, that provides OIDC capability. It's still very early days, but it is useable.
See here for the code, that includes a set of samples:
https://github.com/spring-projects/spring-authorization-server
I have a spring based application which does authentication and authorization(oauth2 based) for a client app.I want to now use keycloak to manage my authorizations, but i want to keep my spring code. Basically i want to use my existing auth code as an external identity provider in keycloak.
I am thinking of adding changes in client app such that it receives token from my existing oauth code(which does the authentication) and then exchange this token with keycloak(for session and authorization management). How can i do this? What configurations need to be done in keycloak?
I read about token exchange in keycloak here, but i am not clear about the kind of token i need to send from my existing auth code.
https://www.keycloak.org/docs/latest/securing_apps/
Here is how OAuth2 roles are usually spread:
Keycloak is authorization-server
Spring service is resource-server
front-end is client
user is resource-owner
I have a doubt of you wanting your Spring service to be "authorization-server" as well (serve user identity). If so, I think you should not.
Keycloak (or any other OpenID provider) should be the only authorization-server. Both Spring and client(s) should be configured to use it as so.
To write it differently, Keycloak is responsible for users login and emitting tokens with user ID (subject) and rights (roles or whatever). Other tiers in the architecture (clients & resource servers) get user info from the token and apply relevant security checks (spring security annotations, Angular guards, etc.).
I published a mono-repo for a meetup with minimal sample involving a Spring resource-server and Angular (with Ionic) client talking to a Keycloak OpenID authorization-server. You might find some inspiration browsing it.
As we know the Spring Security OAuth 2.0 project has bee depreciated and now it's Spring Security 5.
My question is related with Authorisation Server for grant_type: authorization_code. Spring team is also working on standalone project for Authorization Server. So most of the codebase in Spring Security project is depreciated for Authorization Server.
Still, I've couple of questions for endpoints with authorization_code flow in Spring Security 2.0/5.
OAuth 2.0:
Can you please let me know, which endpoints are supported for below use cases in Authorization Flow:
Login Button: ask the customised authorization url from Authorization Server.
User logged-in: once end-user logged-in (authenticate), need to authorise with registered client application and provide the code in the callback URI.
Request For Access Token: once the code has been received in previous step, it should use the code to get the access token.
Please let me know which endpoints are meant to be used in Spring Security OAuth 2.0/5 for above use cases. Based on my research, I've found these endpoints:
/oauth/token: get the access token
/oauth/token_key: produces JWT encoded token values
/oauth/check_token: validate the access token
Can you please let me know which endpoint dedicated for authorisation before end-user authenticate in use case #1. And after end-user authentication in use case #2.
Any help would be appreciated.
Many Thanks,
Adnan
I want to implement in backend rest safely in oauth2 + jwt.
I want to implement the following authentication flow in spring boot, but I am not sure how to do it:
1. The user is authenticated.
2. That request is received and with that login and password a ws that validates the credentials is attacked.
3. If it is correct, a series of data and permissions are searched in the database
4. If it is correct, access is granted and the jwt token is generated
I'm lost with this and as much as I read I can't know how I can do it.
Any manual or post I can follow?
Are you running your own (a custom) Auth server or is the plan to allow users to authenticate via a provider such as Google, Facebook etc? If its the later, then you cannot expect to receive user / password credentials at all so you might have misunderstood the OAuth flow. You will typically receive an 'Authorization code' from the provider (e.g. Google).
Also, what do you mean by "a ws that validates the credentials is attacked"?
This Google use-case diagram depicts a common flow. It's part of this guide.
Either way, Spring Boot does not itself deal with OAuth / security, but it has a tight
integration with Spring Security which is a good security framework to use, especially as you're already using Spring. Spring Security can handle OAuth, JWT etc.
A couple of guides that may help to get you started:
https://www.baeldung.com/spring-security-oauth-jwt
https://spring.io/guides/tutorials/spring-boot-oauth2/
I'm looking for a simple example of a spring security configuration (Java config preferred) on how I can secure my REST Services with Spring-Security and SAML.
There's an Web Application Firewall in front which will only pass requests which contain a valid SAML Token or otherwise redirects to IDP to get one. So I don't have to look if the user is logged in or redirect the user if not so to the IDP.
The only thing I'll need to do is allow only authenticated requests to all REST Services, read the user from SAML-Token and check that the Token is from Airlock.
Later I'll need to add ACL support for more fine granular rights of the user on specific services but I'm already lost with the first part of the integration work in spring security. Any help would be welcome :)
the magic happens here: https://github.com/spring-projects/spring-security-saml/blob/master/core/src/main/java/org/springframework/security/saml/SAMLProcessingFilter.java
in attemptAuthentication(), it gets the SAML message, parse it and gets the token (SAMLAuthenticationToken). Then it tries to authenticate the user: authenticate(token);