I have a web application (using Spring Boot). I am thinking to use some 3rd party tool for Authentication/Authorization purpose, instead of handling Identity logic myself.. and my web-app is a simple application.
So, do you think whether some IAM tool (Identity and Access Management) is over-burden for my simple web application? or do you suggest me to create Authorization Server myself, instead of some any IAM tool?
Related
What is the best way to integrate my Spring Boot app with OAuth2? It already has login functionality with issuing a JWT token. What I want to achieve: perform login using OAuth2 and issue the same JWT to access my app.
What should I use:
Keycloak auth server + make my app a resource server
Write my own auth server using spring-security-oauth2-autoconfigure and spring-boot-starter-oauth2-client + make my app a resource server?
Any other approach you can suggest...
Maybe, this link can help you: https://stackshare.io/stackups/keycloak-vs-spring-security
It really depends on your scenario.
But, in my opinion, the first option has more advantages. The main one is the maintenance effort. With your own oauth server, you must maintain one more service. Keycloak is mature and open source, with many developers maintaining it.
is possible create authorization server for PKCE authentication in current version of spring security?
I did research and I found out this authorization server project https://github.com/spring-projects-experimental/spring-authorization-server but there is no usable sample for that project.
I also find out that spring recommends Keycloak as authorization server, but it is not fit for my case.
We need be able fetch and verify user against remote service, and then use authorization server only for generating and verifying jwt tokens. In my knowledge Keycloak should holds also users right? So the best solution would be custom spring standalone authorization server. Is it possible in some way? Thank you!
You may have a look to this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry but it could be used as a stand alone OAuth2 server. It can support external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, Spring framework has one more implementation of the authorization server. It is a part of spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to change the legacy solution.
From my point of view now there are several possible options:
Using old legacy spring-security-oauth. More examples with old auth server
Using external services like Keycloak, Auth0, Okta and etc
I have a working Authorization Server and Resource Server implemented using Spring Security features that provide single sign-on to all the registered clients in my organization.
It supports the following grant type:
Authorization code for web application
Password
Implicit
Now, one of our new products is a single page application built using React. In order to authenticate and grant access token to it from our custom Auth Server, we are enhancing the Spring project to support PKCE grant type and also making sure the existing functionality does not break.
I know I need to use the latest Spring Security 5 classes of the artifact 'spring-security-oauth2-core', but I am not able to find any documentation around it or sample code example, to begin with.
Any pointers will be a great help.
I would like to build a web based application using Spring Boot micro service. I am planning to use OAuth2 and OpenID Connect to implement authentication and authorization in my application. What grant type I have to choose to implement OAuth2 if my application is going to be single page application (Angular.js for front end Spring Boot services for backend)?
You can use Implicit or Authorization Code flow with a single page app :
In order for a single-page app to use the Authorization Code flow, it must be able to make a POST request to the authorization server. This means if the authorization server is on a different domain, the server will need to support the appropriate CORS headers. If supporting CORS headers is not an option, then the service may use the Implicit Flow instead.
oauth.com
but it's recommanded to use Authorization Code flow :
It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead. oauth.com
What is the Best way to secure REST Services (develop by Spring Framework) for use in Android app? Please consider the limitation of httpclient in android. using http authentication header is enough?
My need is to be able to control which application is calling my web service and is this application authorized to call it.