OIDC, Rest API and vue.js client - spring

I need to create a REST API (with Spring Boot) that is consumed by a web client written with vue.js. The authentication must be made with OpenID Connect and the authorization code flow. My company has its own OIDC provider and my question is how I can implement this flow.
I first saw the oidc-client-js library that performs everything I need, except that it is fully client side and the security of my company does not allow it.
Secondly I saw this tutorial (source code available here); what I understand is that Spring handles everything for you as long as the configuration is OK. But what I do not understand is how the token is provided to the client?
Does someone have any further explanation on this mechanism? Or am I simply misled?
Thanks for your answer.

Related

How to connect Woocommerce WordPress plugin to a Spring Boot API based on Spring Security Oauth2 JWT?

I am a Spring Developer trying to figure out how to connect a WordPress WooCommerce Website to my REST Spring boot Service. I haven't worked with WordPress, so there are a lot of unknown unknowns for me there. I am in collaboration with another developer on the WordPress side of things, trying to solve this issue, but we are a little lost.
Are there best practices for a WordPress website to access the Spring Boot OAuth2 API (including a JWT token delivery service)?
CONCRETE DESCRIPTION OF MY SITUATION:
State right now (working):
Someone orders a Product on the WooCommerce website and the order status is set to processing.
The goal:
WordPress WooCommerce Backend calls the Spring boot API to send how many Products were ordered.
WHAT WE FOUND OUT AND WHAT WE TRIED:
Spring boot:
We found out that Spring Boot OAuth2 is the way to go for the REST API endpoint.
The only resources I found about this are these ones, which are very good and sufficient:
https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
https://www.youtube.com/watch?v=X80nJ5T7YpE
WordPress:
The problem is that we find a lot on WordPress webhooks but not a lot on how to call an API endpoint with a token system.
Here are some resources we worked through, which are not sufficient:
https://developer.wordpress.org/plugins/http-api/
https://woocommerce.github.io/woocommerce-rest-api-docs/v3.html?shell#webhooks
https://duckduckgo.com/?q=wordpress+oauth2+rest+call&t=bravened&ia=web
WHAT WE THINK TO KNOW ABOUT THE SERVER TO SERVER COMMUNICATION IN THIS CASE (Handshake):
1. In WordPress, I manually and safely store a username and a password which Spring Security knows about.
2. In WordPress, an order has been finished.
3. WordPress calls Spring Boot with an HTTPS request to /api with payload: OrderInformation, Password and Username.
4. Spring sees that there is no token or the token is outdated.
5. Spring searches the request payload for username and password.
6. Spring generates a signed JWT token based on username and password.
7. WordPress receives that token and stores it safely.
8. WordPress sends an HTTPS request to /api with payload: OrderInformation, Token.
9. Spring validates the token and accepts the OrderInformation.
10. Spring does whatever it needs to do with the information, and when everything works out,
11. Spring OAuth2 somehow has to tell WooCommerce that the information was successfully delivered. Otherwise WooCommerce has to resend the information and start from point
WHAT WE HOPE THIS POST SHOULD ACCOMPLISH FOR PEOPLE WITH THE SAME QUESTION:
If someone knows any resource or best practices how to configure WordPress WooCommerce, please let us, who have a lot of unknown unknowns, know what to do next.
We hope this post and its answers can be a gateway and vertex for other people to find the information they need.
Thank you very much in advance
I am not sure about the Spring Boot API specifically, but I have done this type of integration with other REST APIs.
I would recommend using a WordPress action hook. The hook that I would recommend you to use is woocommerce_order_status_changed.
// define the woocommerce_order_status_changed callback
// parameters: order id, previous status, new status, the WC_Order instance
function action_woocommerce_order_status_changed( $this_get_id, $this_status_transition_from, $this_status_transition_to, $instance ) {
    // only react when the order enters "processing"
    if ( 'processing' !== $this_status_transition_to ) {
        return;
    }
    // make action magic happen here... (build the payload from $instance and call your API)
}
// add the action (priority 10, 4 accepted arguments)
add_action( 'woocommerce_order_status_changed', 'action_woocommerce_order_status_changed', 10, 4 );
At the place of // make action magic happen here... write the logic where you contact your API. Run your code when $this_status_transition_to is processing. $instance should be the WooCommerce order instance which you can use to push to the API.
Some pointers that I would like to give are:
Save the API token/credentials in an environment variable for security.
I would recommend using the Guzzle package to make HTTP requests. Use Composer to install the package.

SPRING Boot App Integration with IdP/PING Federate

I'm new here and posting the first question ever, and coming straight to the point.
I have an N-tier application: front UI on AngularJS, backend on Spring Boot and a NoSQL DB with some caching attached to it.
I'm struggling in getting SSO configured using PING Identity for my home-grown application for the following reason:
Lack of knowledge on PING SSO.
The knowledge that I have gained so far only gives me limited visibility on how I can achieve the solution for having a successful SSO configured.
Summarized solution:
Front End UI -- speaks to a middleware service for auth (current design) -- the middleware service acts as an interceptor for my backend services (also known as BFF) which handles all my tokens for the necessary handshaking --- backend services perform logic & functions.
Problem: trying to bring in PING for SSO is confusing.
As far as I know, PING can be configured in 2 ways:
OAuth 2.0
SAML-based auth.
In OAuth, the user would access a Ping URL with a context path, which will internally speak to PING Federate and AD and return a token. I might be wrong here, hence I need clarification, as I'm not an expert on PING.
The confusion in the case of OAuth is that it's totally confusing. I have used OAuth before, but this is the first time using it via PING.
In SAML-based auth, again a PING URL with a context path which will internally perform its work, then add some assertion and then return the SAML token to a POST endpoint.
The confusion in the case of SAML is as follows:
If I configure my middleware to receive the SAML token, how can I redirect the user to the welcome page?
PS: the middleware has some encryption logic that cannot be bypassed!
Any help in this matter would be highly appreciated, as I'm looking to see what options I have on PING or even on my Spring Boot app.

Spring boot Rest API, Angular 6 SSO Social login

I'm building an Angular 6 front-end and a Spring Boot based REST API. The Angular app is going to be hosted separately behind nginx. I want to implement Spring Security in order to secure the REST APIs. As per my understanding I need the two following things:
Spring Security to authenticate API calls for valid tokens and respond 403 if not.
An Angular library in order to redirect the user to Google login and maintain access/refresh tokens, pass the access token for API calls in headers and refresh the access token if the backend responds with 403.
I'm not quite sure whether the authentication request goes via the Spring backend or directly to Google.
I have been searching for a good tutorial for some time but didn't find one matching my requirement (most are HTML pages hosted within Spring). So please correct me if my understanding of how to do this is wrong, and share if there are tutorials.
Check this article. This might be the article which helps you.
Moreover, let me know if it worked.

Spring Security + JWT: How to enrich Authentication/Principal after successful login?

I’ve got a question which seems popular, but I couldn’t find the answer. Well there’s a lot of information about it but I’m not sure what the best way is. So here’s the scenario.
We have a Single Page Application (SPA) and a RESTful Web Service (API). We use an external authentication/authorization service provider via OAuth2/JWT. But I need to persist the user ID (provided by the external authentication provider) on the database on the server side after successful login. And also I need to enrich the Authentication/Principal object in security context after successful login (for example by adding email).
There's a lot on the web about this scenario. But we have an SDK for authentication/authorization already and it works perfectly (no custom code, etc.). I just need to add something to the authentication object. What is the correct way to do it? Thanks.
For the record, this is what we did:
As I said, there's already an SDK doing all the heavy lifting of authentication mechanics. We just need to enrich the authentication object after successful authentication. So we wrapped the AuthenticationProvider (implemented in the SDK) in our implementation (inspired by PreAuthenticatedAuthenticationProvider) and after successful authentication, we enriched the result using our UserDetails implementation (inspired by PreAuthenticatedGrantedAuthoritiesUserDetailsService). The rest was straightforward.
PS: please let me know if you don't like the idea.
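The wrapping approach described in that answer, as an added example that is not the poster's code and not the SDK's: a decorating AuthenticationProvider that delegates the real authentication to the SDK-provided provider and only then swaps in an enriched principal. `UserProfileRepository` and `EnrichedPrincipal` are hypothetical names introduced here; the delegate is whatever provider the SDK registers.

```java
// Added example; EnrichedPrincipal and UserProfileRepository are hypothetical, the delegate is the SDK's provider.
package com.example.security;

import java.util.Collection;
import java.util.Objects;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

public class EnrichingAuthenticationProvider implements AuthenticationProvider {

    /** Enriched principal; the SDK's original principal is kept so nothing it asserted is lost. */
    public record EnrichedPrincipal(String userId, String email, Object sdkPrincipal) {}

    /** Hypothetical persistence port: stores the external user id on first login, returns the known email. */
    public interface UserProfileRepository {
        String upsertAndGetEmail(String externalUserId);
    }

    private final AuthenticationProvider delegate;
    private final UserProfileRepository profiles;

    public EnrichingAuthenticationProvider(AuthenticationProvider delegate, UserProfileRepository profiles) {
        this.delegate = Objects.requireNonNull(delegate);
        this.profiles = Objects.requireNonNull(profiles);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // The SDK decides whether the token is valid; a failure propagates as its exception.
        Authentication result = delegate.authenticate(authentication);
        // Never "upgrade" a null or unauthenticated result: pass it through unchanged.
        if (result == null || !result.isAuthenticated()) {
            return result;
        }
        String userId = result.getName();                  // id as asserted by the external provider
        String email = profiles.upsertAndGetEmail(userId); // persist the id, read back what we know
        // Authorities are copied, not extended: enrichment must not grant anything the SDK did not.
        Collection<? extends GrantedAuthority> authorities = result.getAuthorities();
        // The 3-argument constructor produces an already-authenticated token.
        UsernamePasswordAuthenticationToken enriched = new UsernamePasswordAuthenticationToken(
                new EnrichedPrincipal(userId, email, result.getPrincipal()),
                result.getCredentials(),
                authorities);
        enriched.setDetails(result.getDetails());
        return enriched;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only claim the token types the wrapped provider can actually handle.
        return delegate.supports(authentication);
    }
}
```

Register this bean in place of the SDK's provider (passing the SDK's instance as `delegate`). Controllers then see `EnrichedPrincipal` through `@AuthenticationPrincipal`; the type of the resulting Authentication changes to `UsernamePasswordAuthenticationToken`, so any code that downcasts to the SDK's token type has to read `sdkPrincipal()` instead.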

How to call a protected resource on behalf of a specific user using OAuth2 and JWT token in Spring?

So we have an authentication server where the UI application gets the access token and then it communicates with the API server; it's all good. Now we are building a third application which needs SSO to authenticate the same user, and that is fine too.
However, there are scenarios where this third application needs to use some resources on the API server for which, from my understanding, we need to get a token from the auth server using client-id/secret and then send the request with the access token. This seems OK too, however I am not sure how the API server is going to authorise that token (a hint on this would be great).
But the main problem is we want this request to be sent on behalf of the user. This is because the API server needs to audit all the user's activities. How can we achieve this using Spring Boot/OAuth2 and JWT tokens?
I went through the documentation and I know about @EnableOAuth2Sso, @EnableAuthorizationServer etc., but this scenario is not clear and I'm not even sure whether it's been implemented in Spring or not.
If there is no implementation for this scenario, what do you recommend? Any experience you have had on this, can you please share?
Your API server plays the role of a Resource Server. There is an annotation designed for that purpose: @EnableResourceServer. Your client app will then consume this resource using the handy OAuth2RestTemplate.
There are two approaches to properly configure the Resource Server and get this working:
Have the public key directly in your resource server app: this way, when the client app tries to use a token provided by the authorization server to get a resource from the Resource Server, it will verify by itself whether the token is valid.
Configure the resource server to ask the authorization server whether a given access token is valid and, depending on the response, it will allow or decline access to the resource.
I have posted a sample app on GitHub using the first approach. There you can see the interaction between the Authorization Server, the Client and the Resource Server, as well as all the configurations you need for this implementation. Hope it helps you.
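The first approach from that answer (the resource server validates tokens locally with the issuer's public keys), as an added example that is not code from the answer, the linked sample app, or any of the posts above. It is written against Spring Security's current resource-server support rather than the `@EnableResourceServer` annotation, which belongs to the retired spring-security-oauth2 project. The same server side also fits the WooCommerce handshake question earlier on this page (WordPress sends a bearer token with the order payload, Spring validates it and records who sent it) and the "validate API calls, respond with an error if not" half of the Angular 6 question. Assumed dependencies: spring-boot-starter-web and spring-boot-starter-oauth2-resource-server on Spring Boot 3 / Spring Security 6; the issuer URL, the audience `orders-api`, the scope `orders:write` and the `/api/orders` endpoint are placeholders.

```java
// Added example, not code from any post on this page. Issuer, audience, scope and endpoint are placeholders.
package com.example.api;

import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity
public class ResourceServerConfig {

    private static final String ISSUER = "https://auth.example.com"; // placeholder
    private static final String AUDIENCE = "orders-api";             // placeholder

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            // Bearer tokens only: no session, no cookies, therefore no CSRF surface.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Approach 1: verify the JWT locally against the issuer's published keys.
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the JWKS location from ISSUER's discovery document; checks signature, exp/nbf and iss.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        // Additionally require aud, so a token minted for a different API cannot be replayed here.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
}

@RestController
class OrdersController {
    private static final Logger log = LoggerFactory.getLogger(OrdersController.class);

    /** Request body for the order count push (constructed for this example). */
    record OrderCount(String orderId, int quantity) {}

    // The JWT "scope" claim is mapped to SCOPE_* authorities by default, so the token must carry orders:write.
    @PostMapping("/api/orders")
    @PreAuthorize("hasAuthority('SCOPE_orders:write')")
    public ResponseEntity<Void> receive(@RequestBody OrderCount body, @AuthenticationPrincipal Jwt jwt) {
        // Audit trail: with the client-credentials grant, 'sub' identifies the calling application, not a
        // person. A token obtained on the user's behalf (e.g. via OAuth 2.0 token exchange) carries the
        // user's 'sub' instead, which is what the "on behalf of the user" requirement needs.
        log.info("order {} qty={} from sub={} client_id={}",
                body.orderId(), body.quantity(), jwt.getSubject(), jwt.getClaimAsString("client_id"));
        return ResponseEntity.accepted().build();
    }
}
```

A request that fails validation (bad signature, expired, wrong issuer or audience) gets a 401 from the bearer-token filter before the controller runs; a valid token without the required scope gets a 403. The audience check is the part most sample apps leave out, and it is what stops a token issued for one of your APIs from being accepted by another.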
