I am trying to use Keycloak as Identity Access Management. Creating client & authenticating user is quite okay between Spring Boot and Keycloak. What I am trying to do is authentication and authorization between Spring Boot microservices. The scenario is as follow.
There are two microservices: service A and service B.
Service A has one non-authenticated api route (api 1) which needs to communicate with authenticated api (api 2) on service B.
Api 2 would like to know which services are requesting and have certain access.
I have tried using service account and search online but no luck with Keycloak. :(
Please help me. Thanks
Related
So I'm migrating some Spring Boot microservices from Kubernetes to OpenShift. Below is the simplified situation:
Service 1: Spring Boot application that handles, exposes 2 endpoints (login and authenticate). The authenticate service accepts the Authorization header containing a JWT token and validates that token. It returns 400 if the token doesn't exist and 403 is the user isn't authorized or the token is invalid and 200 if everything is valid.
Service 2: Spring Boot for some business service, exposes many endpoints and contains the annotation below in the Kubernetes Ingress so that all traffic is routed to the Service 1 for authentication before actually reaching Service 2
nginx.ingress.kubernetes.io/auth-url: "http://service1/authenticate?url=$request_uri&method=$request_method"
The problem is that when I migrated to OpenShift, all applications are working fine but the annotation that should route traffic to Service 1 doesn't seem to be working, since the authenticate service is never called.
I have searched the OpenShift documentation for days with no success, so any help would be much appreciated.
Probably this could help https://docs.openshift.com/container-platform/4.5/serverless/networking/serverless-ossm-jwt.html, Openshift ServiceMesh include Istio. Here is how to configure Istio JWT https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/. So there you could configure the Service 1 authenticate.
Here is the authorization service. It has endpoints to login and receive a JWT using either a custom username/password or social OAuth (Facebook, GitHub etc.).
I have a Eureka server setup and Zuul gateway service. From what I understand, there are two ways to go about implementing secure microservices. You either proxy requests through the auth service, or you send requests to the requested service (Ex. Service A) and service A authorizes using the auth service.
I would like to use the second way, however I'm having trouble implementing it. Is my understanding correct? Is there a way to setup service A somehow so that certain paths (configured using Ant matchers) will have to authorize using the auth service, which will set the SecurityContext appropriately and inject a UserPrincipal into the request. If anyone can point me to a good guide for this that would be much appreciated.
Currently in developer training, I am working on a personal project on spring. I started java 6 months ago, so there is a certain notion that I do not yet master. My trainer does not know spring at all, so he cannot help me.
I am also French and there is very little reliable documentation on spring (it is evolving quickly).
For example, I followed a French tutorial on microservices, and I used the ribbon and zuul proxy while they are currently in maintenance at spring. I started all over (new project) to recode in reactive webflux
I have several concerning spring starter security or spring cloud security
Spring cloud config (in connection with gitlab)
eureka server
admin server
gateway
2 business microservices
2 sub-module (model and repository)
I want all my microservices and the internal microservices (eureka, admin server, configserver) to be secure now. But I do not know how.
I want the microservice that consults config-server to identify themselves, and I also want the microservice gateway to identify itself to make requests to other microservices. Finally I want all my microservices to be protected.
Should we put spring-starter-security in microservice? Should we create a new microservice with spring-cloug-security?
Should we create a new spring-cloud-security microservice and add spring-start-security everywhere?
https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously I find this link not very explanatory
Thank you
In a microservice architecture that I have worked, we have always used the OAUTH2 specification for securing service.
OAuth2 is a token-based security framework that allows a user to authenticate themselves with a third-party authentication server. If the user successfully authenticates, they will be presented with a token that must be sent with every request. The token can then be validated back to the OAuth2 Server. The OAuth2 Server is the intermediary between the application and the services being consumed. The OAuth2 Server allows the user to authenticate themselves without having to pass their user credentials down to every service the application is going to call on behalf of the user.
Detail information for OAuth2 you can find in the following LINK .
I have implemented simple microservice architecture for demonstrating how services are connected with each other.
Here is the link LINK
Below is the image representing the architecture:
I have gone through many posts and articles but didn't find a straightforward solution for the case below which I have to implement.
Platform: Spring Boot 2.x.x (Spring Security 5.x.x) with embed Tomcat
Solution: REST service that consume many client apps and many end users.
I have to implement a REST end point /api/search which accessible for many client application. As an example, web application APP-X (Angular), web application APP-Y(Jquery/Bootstrap) and mobile application APP-Z (IOS). All three clients are separate entities (both technical perspective and business perspective).
So I have to authenticate above application using onetime token. Therefore I planned to go for Spring OAuth2 by enabling #EnableAuthorizationServer and #EnableResourceServer. For each app client I’ll generate a token and they can use it when they connect with my REST service. Is this approach correct?
Apart from the app clients system has capability to register and login functionality for end users. Also my end point (/api/search) can access both anonymous users and users who registered under ROLE_REGUSER role. And through the security context, I need to access the user details as usual user authentication.
This is the place I got stuck. How can I handle the following points together using Spring Security 5.x.x (Spring Boot 2.x.x).
I. Both client apps and end users authentications.
II. Allow access for anonymous users and registered users for same end point.
I have attached small diagram to elaborate the above scenario.
Thanks
I found a solution when I upgraded my spring security version to 5.2. In version 5.2, they have depreciated #EnableAuthorizationServer and #EnableResourceServer. So I had to move with an external authorization provider who supports auth2. I chose AWS Cognito, and fulfill the above requirement, using the user pool option.
In AWS Cognito
I created a user pool.
Then created two app clients in the same user pool.
One app client configured as support to the client credentials flow.
The second app client configured as support to the user authentication flow.
In client applications
Retrieve access token directly from AWS Cognito using client credentials and used to secure all API calls.
If a user login at any stage, retrieve access token directly from AWS Cognito using the authorization code and replace any existing access token.
The advantage is, the resources server can validate any access token that generated related to the same user pool.
In resources server (backend API/Spring Boot)
Validate access token.
I'm new on Spring framework and I'm trying to create a restful service with LDAP authentication.
For the start, I followed these 2 tutorials on Spring website :
-https://spring.io/guides/gs/rest-service/
-https://spring.io/guides/gs/authenticating-ldap/
Now I want to create a new service which needs the LDAP authentication but I'm stuck. On the LDAP tutorial it's for a Spring application with user interface.
Me I want to call the service with a username/password or token and then executed the service.
Some services will need the authentication and some not.
Can anyone help me ?
Thank you