SCIM implementation for Spring Boot SAML and OKTA - spring-saml

My requirement is to implement SCIM 2.0 server for Spring Boot application which supports SAML for OKTA authentication.
I haven't found any library provided by Spring Boot for SCIM sever and neither the documentation exists for it in Spring's Repos.
I have found some third party implementations like Better Cloud SCIM 2.0 or WSO2 Charon etc. But should I use those third party implementations ? Because what if their git hub repos are messed up later or we may not get our issues resolved.
Also if there does not exist any documentation for SCIM server implementation in Spring Boot. Then should it just be treated as implementing other restful APIs ?
Any help on this will be much appreciated.

I'm watching over my company's SCIM API. So far what I have seen is there's no Spring official library and you should stick to the protocol description to provide your implementation (see more here: https://www.rfc-editor.org/rfc/rfc7644).
Despite the lack of an official Spring Boot library (that would be cool, I agree!), I'm using this thirty party library: https://github.com/pingidentity/scim2. It has all the resources you need to expose your endpoints for users operations as well as filtering when getting users, that can become quite complicated implementing from scratch as the specification provides a quite extensive query language for it.

Open source version for a lightweight SCIM spring-boot server.
https://bitbucket.org/wouter29/personify-scim-server/src
For using SAML, a custom java authentication filter can be plugged in, because only Basic and Bearer tokens are implemented.
Don't know if SAML is even mentioned in the specs/RFC
Storage layer can be chosen : ldap, mongo, postgres or MySQL.

Related

What are the possibilities with Spring Authorization Server when using it for authentication (and authorization)?

I'm looking to find a tool that will do the authentication (and authorization) part of the project. For the project, I will be using spring boot and java 8.
I will be working with OAuth2.0, the flow for untrusted client(web-applictation) and trusted client(another server)
I was looking at Keycloak and Spring Authorization Server.
But it's unclear what are all the possibilities with the Spring Authorization Server.
Like with Keycloak you have single sign on, identity brokering, social login, user federation, admin console, account management console, standard protocols etc.
Is this also possible with Spring Authorization Server, or what are the possibilities of Spring Authorization Server?
We're working on reference documentation which will include a feature list. In the meantime, see feature list on the GitHub wiki for the project.
From this PR, a possible short overview/answer to your question would be:
Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
Update: The reference documentation is now available and contains an Overview page with this information.
You can make custom OAuth resource server implementation or use the SAML standard.
Also, you can implement access by JWT token, which suites well for API-only service.
You can use also "Basic Authentication", but it's too simple for a mature applications.

what is difference between spring social and spring security oauth

As far as i understand, I can get the same result about login for Facebook, Google, and etc using both.
I searched a lot but nobody asked this...
What's difference between them?
Spring Social is an extension of the Spring Framework that allows you to connect your applications with Software-as-a-Service (SaaS) API providers such as Facebook, Twitter, and LinkedIn. You may also check this site https://projects.spring.io/spring-security-oauth/docs/oauth2.html
You can see this answer about use of spring social instead of plain oauth, not Spring security oauth.
But as this link is described Spring social is in end of life.
With the release of Spring Security 5, much of the functionality
offered by Spring Social’s connection framework, which is the most
valuable piece of Spring Social is now part of Spring Security
Probably you are speaking about spring-security-oauth2-client which part of spring security 5.
These links are some implementation with that:
https://spring.io/blog/2018/03/06/using-spring-security-5-to-integrate-with-oauth-2-secured-services-such-as-facebook-and-github
https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/

Spring Boot Oauth2 mapping google users to mine

I'm just wrapping my head on Oauth2. I have a Spring boot app with its own users and roles system handled by Spring Security 5. Internally I use email to identify users, I want people who registered with their gmail addresses to be able to log in through Oauth2. Or, more generally, how do I make one of my users log in to my app using Oauth2? If you need code or more information just ask. Thanks in advance.
As far as I understood your question, you are looking for a general approach to authenticate users for using your Spring Boot application with the help of OAuth2 protocol.
In your case you will probably use Google as an authentication provider and your application as resource server, according to the OAuth2 standard wording. First at all to answer your general question, there are different ways of using OAuth2 to authenticate users. A good starting points are these links:
https://www.rfc-editor.org/rfc/rfc6749
https://auth0.com
To find the proper way of implementing OAuth2 for your usecase I recommend using this decision tree: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
For starting to implement OAuth2 in Spring Boot you can use several Spring Security projects with further documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-oauth2
https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/

Creating Custom OpenId Provider for Oauth2 Spring Boot

I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api's. Oauth2 framework is working fine but now my Client wants a dedicated OpenId Provider for authentication purpose on top of Oauth2 framework. I have done some round of searching across Google but couldn't find much resources for implementing Own OpenId Provider for Oauth2. I have gone through many blogs and could understood that OpenId is basically used when we want to delegate the authentication from Oauth2. OpenId is created on top of Oauth2 but couldn't find much resource for activating or implementing it.
Can anyone please help me on this
My complete source code which I have done using Oauth2 with Spring Framework is as given below
oauth2-spring
According to "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.
The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give an impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One evidence is spring-security-oauth Issue 619 where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.
There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?
Update (November 14, 2019):
The Spring Security team has decided to no longer provide support for authorization servers. See their announce for details.
I think it could be easier to start by first implementing OAuth2 code flow. Then add implicit flow, and finally OpenID Connect part.
If you want to have a serious OpenID Provider I would suggest not implementing from scratch as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into existing system.
Have created from scratch a OpenID Provider (SimpleLogin.io), I can say that it takes almost forever to be 100% compliant to the protocol ...

Need for RestApi authentication

Developed Rest API using Java/Spring MVC
Can we provide authentication for RestAPI? If yes, How?
Now I am struggling with authentication for RestApi. Can anyone send some examples regarding the same.
Accessing rest API through AJAX request.
Since you are already using Spring, you can use Spring security to provide security related functionality. This can give you one stop solution for your security needs. Common security mechanisms for Rest API's (basic, digest) and features are supported out of box and it's very easy to add your custom security too. For a start tutorial you can have a look here

Resources