Today I'm using Spring Boot OAuth2 to grant correct use of OAuth2 in my project, so I have the following:
I have API A calling API B
API A generate JWT Token and calls API B.
API B validate the JWT Token using two ways: Online (Introspection) and Offline (with RSA keys).
So, migrating to Spring Security 5 I got the following problems:
I didn't found any samples (https://github.com/spring-projects/spring-security/tree/master/samples/boot) using Spring Cloud OpenFeign. All my project use it (Feing) and change to Spring WebClient can be very problematic.
Documentation just talk about WebClient (https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2client), nothing about RestTemplate or Feign.
Joe Grandja wrote an OAuth2 application and the corresponding migrated Spring Security application.
You can check the examples here:
Spring Security OAuth 2.4 Migration Sample
Also, docs about configuring Spring Security are here:
OAuth 2.0 Resource Server
Related
I want to use Spring Cloud Gateway with SAML. Is this possible?
It seems that the Saml extension for spring security is based on the old Spring Stack and won't work with Gateway.
Has anybody got any experience on this?
I'm afraid SAML is not supported as of time of writing. Spring Cloud Gateway has been redeveloped using Reactive programming and is now based on Spring WebFlux. Only the following authentication methods are currently supported :
OAuth 2.0 or OpenID Connect 1.0
x509 authentication
This is stated on SCG page:
Spring Cloud Gateway is built on Spring Boot 2.x, Spring WebFlux, and
Project Reactor. As a consequence, many of the familiar synchronous
libraries (Spring Data and Spring Security, for example) and patterns
you know may not apply when you use Spring Cloud Gateway. If you are
unfamiliar with these projects, we suggest you begin by reading their
documentation to familiarize yourself with some of the new concepts
before working with Spring Cloud Gateway.
The previous gateway spring-cloud-netflix-zuul, based on Servlets and which supported SAML, has been removed from Spring Cloud 2020.
Here is an open issue on GitHub, SAML2 for reactive environment, where we can vote for asking for this to be implemented.
I have existing REST API's built into multiple springboot projects. Now would want to enabled JWT for all REST services. I have a separate project which does JWT for a test service. Can that JWT project be linked like a library or associated as a springboot parent to enable spring JWT auth for all REST services which are present in multiple projects.
There are not enough details within your question but we also have multiple spring boot services which share common authentication and authorization mechanism (OAuth2.0 authorization token flow + Keycloak + JWT). The implementation of this mehanism is realized as a custom spring boot starter which is the approach I would recommend to you. You can start reading about that, for example, here.
currently am Creating Rest Apis in Spring Boot I want to secure Those Apis Using Okta Wit Oauth.
Can Any one Help On this....
You can use Okta's Spring Boot Starter for this. https://github.com/okta/okta-spring-boot
Warning: there is an issue where you can't use devtools with this starter.
I’m developing back-end services and securing it using my custom OAuth server. At front-end I’m planning to support facebook, google and username and password OAuth. How can I implement this using spring boot ?
Spring Boot and OAuth2
This tutorial demonstrates how to create a Spring Boot app that leverages OAuth2 authorization via Facebook and GitHub.
Spring Boot + Spring Security + OAuth2 + Microservices
This tutorial demonstrates how to create a microservices architecture with a Spring Boot stack that separates your concerns into the following apps: UI, Auth, Resource.
I run my app with Spring Boot using JWT token for authentication. I have a filter checks a token. Also my app provide rest API documentation with Swagger 2. I don't want my rest api will be public
So my question is, how i can provide a security for Swagger access? and can provide basic security for it?