I tried searching on the internet, but did not find anything clear. I am using Spring Boot. I have the requirement of supporting either Basic Auth or Bearer (JWT token). If the request comes with Basic Auth, then only the Basic Auth configuration must execute and the JWT token authentication must be skipped. If a Bearer authentication (JWT token) request comes in, then only the JWT token authentication must execute and Basic authentication must be skipped.
Any suggestions or input will be helpful.
Thanks
Manoj
Related
I have a simple REST API which is a GET service and doesn't require any user login to consume, but I want to protect it using a Bearer token. When I researched this on the internet, it was shown that I need to implement a bearer token only after the user logs in and is authenticated. Is there a way in Spring Boot where I can generate a token for my API and give it to the client, and the client calls my API with that, and the program validates the same and provides a response?
You have the OAuth2TokenGenerator available in Spring Authorization Server.
I'm trying to make an Authorization Server with Spring-Authorization-Server.
To generate an Authorization Code, I need to authenticate the user.
But I don't know how to authenticate the user (without FormLogin).
How can I send credentials to the server?
My opinion:
Generate an opaque / jwk token in the login API.
Redirect to the /oauth2/authorize endpoint with the token.
If the token is valid, generate the authentication token.
Is there any other good way?
Or how do other services send credentials?
I understand that a resource server will make a call to the authentication server with a token to confirm that it is valid.
However, is this token the same as the Cookie: JSESSIONID?
OAuth 2.0 Bearer tokens are of two types: general tokens (e.g. a Java UUID string) and JWT tokens.
General tokens will be stored in the authorization server token store along with their scopes, expiry, client ID, user ID and other related information. When the client sends a request to the resource server, the resource server needs to reach out to the authorization server (Spring OAuth 2.0) for bearer token validation.
JWT tokens contain information about their expiry along with other user information and are self-sufficient to work in stateless sessions. Here we don't need to validate OAuth 2.0 JWT tokens against the authorization server.
The JSESSIONID cookie is created by Spring Security by default; it's not related to Bearer token authorization.
Well the standard solution is an introspection request, as in step 14 of this post: https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
Not all solutions are standards-based though - and I always recommend capturing the HTTP traffic.
I am developing Web API 2 services with authentication as a bearer token using OAuth 2. I am not able to understand how the authorization server creates a token and revalidates that token for subsequent requests made with that token. I also want to know, if I request a token for the same user name and password from a different machine, how the server manages the token generation.
Regards
I have developed an OAuth2 server in Spring Boot with JWT tokens, and I am facing difficulty with logout. I have followed this link: http://www.baeldung.com/spring-security-oauth-revoke-tokens
After logout, if I give the token in the header and hit /user, it gives all the user info; instead it should throw an error saying the user is logged out.
Such a logout is not possible with JWT tokens.
A JWT token is self-contained, which means that all information regarding the authentication is in the token itself. If you want to check if a user is logged in, you just need to check the signature of the JWT token and the token expiration time. No communication with a server is required.
If you want to log out a user with a JWT token, you need to delete the JWT token on the client side. And preferably, the expiration time of JWT tokens should be rather short and the client should e.g. use refresh tokens to get new tokens.
To read more about JWT tokens, check out JWT.io.
Moreover, the guide you were using should not work for you, as it explicitly states:
Also note that this article only covers the standard token implementation in the framework, not JWT tokens.
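The check the answer above describes, signature plus expiry with no round-trip to the authorization server, as an added Python example that is not from the question or any answer on this page. It assumes an HS256 token with a constructed shared secret; make_jwt is a hypothetical issuer used only to build sample tokens, and the verifier shows why a token stays valid after a client-side "logout" until it expires.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

KEY = b"constructed-demo-secret"  # constructed sample secret, shared with the issuer

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(payload: dict, key: bytes) -> str:
    """Hypothetical issuer side: header.payload.signature, HS256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and exp check out, otherwise None.

    This is the entire 'is the user still logged in' check for a self-contained JWT:
    nothing is looked up on the server, so a token that was 'logged out' client-side
    still verifies here until its exp passes. That is why exp should be short.
    """
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Accept only the algorithm we issued with; this also rejects alg=none.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison of the recomputed MAC with the presented one.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        # A token without exp, or past it, is not acceptable as proof of login.
        if "exp" not in claims or now >= claims["exp"]:
            return None
        return claims
    except (ValueError, AttributeError, TypeError):
        # Malformed base64/JSON, wrong segment count, or non-numeric exp.
        return None
```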