oauth 2.0, JWT, Spring security, Micro services - spring

I need some understanding on over all flow of spring security.
I have implemented oauth2 Authorization Server and a Resource server in the same Spring Boot App.Where i am able to generate JWT tokens. And sample Rest api in this app is secured and accessible only with token.
I have another spring boot app which should be secured? What should i do in this. Also i need to read the token in this service to know the role of user.
Please clarify me how to implement the step2.

You can create a module where your spring security config is implemented.
In this module is the class that is annotated with the #EnableWebSecurity annotation, where you define the open routes. I guess you already have a class like this for your sample rest API, mentioned in step 1.
Now every microseconds that has to be secured uses this module by importing it, eg as maven dependency. By this it's api is automatically secured via spring security.
Your auth service serves a jwk endpoint where every microservice can verify a token via public key.

Related

Adding authentication based on API key and API secret to APIs in Spring Boot application

I am working on a Spring Boot application where existing user authentication is based on Oauth2 with 2FA. Now, I would like to call the APIs in my application from the third-party client as well, say from another service.
Basically, I would like to develop one auth API, where on providing a valid client name, valid API key, and API secret, the client will get an auth token, which will be valid for say 1 hour. Then this auth token can be passed in all successive API invocation until the token gets expired.
I found a few articles here:
a. Securing Spring Boot API with API key and secret
b. How to secure spring Boot API with API key and secret
c. how to implement api key secure in spring boot?
d. How to config multiple level authentication for spring boot RESTful web service?
But, I am not getting any concrete idea regarding, how to achieve this.
Could you please suggest how can I achieve this? Thanks

Link Spring Security to exting Project

I have existing REST API's built into multiple springboot projects. Now would want to enabled JWT for all REST services. I have a separate project which does JWT for a test service. Can that JWT project be linked like a library or associated as a springboot parent to enable spring JWT auth for all REST services which are present in multiple projects.
There are not enough details within your question but we also have multiple spring boot services which share common authentication and authorization mechanism (OAuth2.0 authorization token flow + Keycloak + JWT). The implementation of this mehanism is realized as a custom spring boot starter which is the approach I would recommend to you. You can start reading about that, for example, here.

Implement Streamlined Identity Flows with Spring Security

I'm trying to implement Google's Streamlined Identity Flows for authenticating users on Actioins on Google with Spring Boot and Spring Security (OAuth).
I already managed to implement Google-SignIn but the server side is missing. I could implement every endpoint myself but as with most security concerns I think that it's better to use tested and proved frameworks or components. Now I'm trying to figure out how to use Spring Security's OAuth authorization server functionality.
How to implement the authorization endpoint that lets users authenticate with their browser and respond an authentication token
How to implement the JWT token endpoint
Is it possible to leverage the possibilities of Spring OAuth for this or do I have to create a custom endpoint with #Controller / #RestController for example.
Are their any tutorials or documentations on how to implement such a service with Spring Security?

Spring boot, security starter and OAuth2 client

I'm using Spring Boot with web and security starter dependencies, and spring-security-oauth2. I'm trying to secure a REST API with a remote (Openstack Keystone) OAuth2 provider.
So far I've managed to correctly fetch an access_token but when it comes to getting the user information I get a 404 not found, as it seems that the OS provider expects the access_token to be provided in the request parameters.
I can't figure out how to persuade the OAuth2RestTemplate class to append the access_token to the security.oauth2.client.resource.user-info-uri endpoint.
Figured out that setting security.oauth2.client.client-authentication-scheme to query will make the RestTemplate append the access_token to the subsequent requests for user information.

Spring Security OAuth - Can it consume JWT tokens from Keycloak

In Spring Security OAuth, can it consume/work with JWT tokens that were generated from a user authenticating with Keycloak? Keycloak's open-id far as that goes, but it all seems to be really similar. I'm still trying to understand the dividing line and also what's similar or same with this.
Basically I'd like to authenticate separately in a REST client then use the token in the Authorization header for REST calls to some web services. There seems to be some JWT stuff in in the Spring Security OAuth, so I'm wondering I can actually use that instead of the Keycloak Spring stuff? Are there any examples of this out there? (I'd love to use the Spring security checks on different methods in my controller)
You can use the Keycloak Spring adapter and still rely on Spring Security annotations for controller security. The main purpose of the Keycloak Spring adapter is simplify the integration with Keycloak for interactive login and also to correctly map JWT access token claims into the Spring Security authentication context.
Reading through the Spring Security OAuth2 documentation, I get the impression that it's not quite ready out of the box to handle OpenID Connect JWT access tokens. However, it's customizable so it could most likely be made to work.
My advice for now is to stick with the Keycloak Spring adapter if you're using Keycloak as your OIDC server. It will save you time and it's well tested with Keycloak.

Resources