I've been creating an OAuth2 Login application with Spring Security and have been making good progress, The Identity Provider I am working with requires that their /authorization endpoint be triggered with an HTTP POST.
I've been doing some testing and it seems that Spring Security triggers the /authorization endpoint by a GET request.
From looking at the OAuth RFC documentation, I see the following.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1
The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.
So before I implement anything custom to trigger a POST request to the authorization server I am integrating with, I was just curious if anyone knew of a way to get Spring Security to trigger a POST for the /authorization instead of a /GET.
Curious if I'm missing where that functionality is supported, if at all.
Thanks for your time.
You can use springsecurity and oauth2server to configure your login model and through this interface to login
POST:
http://your_ip:port/auth/oauth/token?grant_type=password&username=username&password=password&client_id=yourclientid&client_secret=yoursecret
Related
As we know the Spring Security OAuth 2.0 project has bee depreciated and now it's Spring Security 5.
My question is related with Authorisation Server for grant_type: authorization_code. Spring team is also working on standalone project for Authorization Server. So most of the codebase in Spring Security project is depreciated for Authorization Server.
Still, I've couple of questions for endpoints with authorization_code flow in Spring Security 2.0/5.
OAuth 2.0:
Can you please let me know, which endpoints are supported for below use cases in Authorization Flow:
Login Button: ask the customised authorization url from Authorization Server.
User logged-in: once end-user logged-in (authenticate), need to authorise with registered client application and provide the code in the callback URI.
Request For Access Token: once the code has been received in previous step, it should use the code to get the access token.
Please let me know which endpoints are meant to be used in Spring Security OAuth 2.0/5 for above use cases. Based on my research, I've found these endpoints:
/oauth/token: get the access token
/oauth/token_key: produces JWT encoded token values
/oauth/check_token: validate the access token
Can you please let me know which endpoint dedicated for authorisation before end-user authenticate in use case #1. And after end-user authentication in use case #2.
Any help would be appreciated.
Many Thanks,
Adnan
I have to implement a OAUTH 2.0 server application , i know how oauth 2.0 works but when i have googled on how to implement, everywhere i am getting spring boot with oauth 2.0 and my requirement is i should give two URL's to the client
one to get the access_code and second rest call to get the access_token, is there a way that i can get this from spring boot or spring security ? in Memory storage for tokens.
I tried using spring boot oauth examples but none of them are giving separate URL's for access_code and access_token.
I think you mean you are delivering the API part:
* Client authenticates against an OAuth endpoint and gets an access token
* Client calls API with an access token
* API must validate access token
Typically you'll code the API - and use an out of the box Authorization Server for the OAuth endpoint
To answer your question properly it would help to know what type of client (partner back end / UI etc)
There will be a bunch of messages between client, API and Authorization Server - this post may give you some ideas:
https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
I may be able to help you with the spring boot stuff once I understand your scenario better
I am working on securing a REST API, here is the basic set up (Happy Path) I am working with:
1) UI will request to authenticate with another service, this service will return a JWT to the UI.
2) Once a user of the UI is done with their work, they will make a request to the REST API that I am tasked with securing using a JWT that is passed to me.
3) I will then ensure the JWT is legit, get the users roles and then determine if the user is authorized to access that endpoint (perform the requested function).
I am sure this is possible, but my past experience with Spring Security wasn't dealing with JWT or Authorization only.
Would it be a correct approach to implement Authentication and Authorization, get that working and then back out the Authentication part?
Thank you for your kind help!
I suggest that you take a look at the Spring Security OAuth2 project. It makes this kind of thing fairly easy.
In particular, have a look at this section about using JWT
I need to know what happens when a POST request is sent to the /login endpoint of a Spring application.
For other endpoints like /oauth/authorize there are "DefaultEndpoint" classes, but I cant seem to find one for /login.
Does anyone have suggestions?
No. In OAuth 2.0 You need to obtain the endpoints from the Authorization server provider.
OpenID Connect provides discovery.
I need to create a SpringBoot RESTful API to be consumed either by a web project or a mobile app.
My question is how to secure it without the typically basic authorization that returns you a "jsessionid" to the web browser and mantains the session with it. It's not a problem for the web project, because it could store that jsessionid. But how about to secure the mobile app request to the API?
Sorry for my english. Thanks.
One of the architectural constraints of REST is that it must be stateless.
Your REST API must not have sessions that authenticate the client. Instead, the client should pass some sort of token, commonly placed in the Authentication HTTP Header.
JWT and OAuth 2.0 are both very popular ways of doing this, and you can absolutely use HTTP Basic Authentication with OAuth 2.0 if you wish.
Here's an article called Stateless Authenticaiton with Spring Security and JWT. Hopefully that will help!
You can use basic authentication. It work sending username and password on each request but don't need save the sessionid in the client.
Here are a sample application with basic authentication:
http://www.baeldung.com/spring-security-basic-authentication
If you don't save anything in the server session you don't need save the jsessionid in the client.