Spring Security and OneLogin Token Expiration - spring-boot

I am trying to configure an authentication flow in Spring Boot using OneLogin SSO. I can successfully authenticate, create a JWT token, and redirect to my frontend app.
However, I am not certain of the next steps. When my JWT token expires, is the appropriate course to clear my security context and then to redirect to OneLogin again and reconfirm my authentication? Right now, as far as I can tell, Spring's security context represents one moment in time and I can't figure out how to refresh it against my SSO provider to ensure the user is still authenticated.

Related

How can I prevent RequestCache from being overridden

I am implementing multi-factor authentication using Spring Authorization Server (OAuth 2.0). Essentially, I have three endpoints:
/login
/verify-otp
/oauth2/authorize?{oauth_params} (default Spring Authorization Server endpoint)
When a user attempts to log in, they are redirected to /oauth2/authorize with the required parameters. Spring Authorization Server checks whether the user has been authenticated. If not, the user is redirected to another endpoint, /login. At this point, the RequestCache caches the requested parameters from the oauth2 endpoint.
Everything works fine unless a user who has been redirected to the login page tries to access the /verify-otp endpoint without being authenticated. In this case, the RequestCache will cache the requested params from /verify-otp and redirect a user to /login endpoint again, which means that the oauth2 cached params will be overridden. As a result, when the user tries to log in with OTP again, they will not be redirected to the OAuth redirect URI.
Is there a way to prevent RequestCache from being overridden, or is there any better solution?
I have an mfa-sample branch with an mfa-authorizationserver sample that demonstrates a working MFA setup.
Note: It is an older branch and is not up to date with 1.0 (main).
It is based on Spring Security mfa sample.
Currently, Spring Security does not have official MFA support, so it is a bit tricky to get right.
The key elements are setting up a custom TrustResolver and authorization rules that allow access based on the state the user is in while they are going through the login flow.
The state the user is in during the login flow can be changed by setting up a new SecurityContext in the AuthenticationSuccessHandler and in each custom @Controller endpoint during each step of the flow.
Take a look at the sample. One thing to watch out for is my branch is based on Spring Security 5.7, which automatically persists a SecurityContext when it is set on the SecurityContextHolder. If you start with Spring Boot 3, you'll be using Spring Security 6, which requires the SecurityContext to be saved explicitly (e.g. securityContextRepository.save(securityContext);).
(I'd like to add more links to important files in my sample branch and the official Spring Security sample, but as I type this GitHub is down on a Friday night... so I'm gonna go do something fun instead of repeatedly refresh waiting for the 500s to stop. Cheers!)
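One way the pieces named in this answer fit together on Spring Security 6, as an added example that is not the sample branch's code nor the official Spring Security sample; `MfaAuthentication`, `MfaSuccessHandler` and `MfaTrustResolver` are names chosen here, and the flow assumes the `/login` and `/verify-otp` endpoints from the question:

```java
// Added example, not the sample branch's code: one possible Spring Security 6 / Spring Boot 3 shape of the MFA flow. Class names are mine.
import java.io.IOException;
import java.util.Collections;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.context.SecurityContextRepository;

/** Marks "password accepted, OTP still pending": no authorities, never setAuthenticated(true). */
class MfaAuthentication extends AbstractAuthenticationToken {
    private final Authentication first;
    MfaAuthentication(Authentication first) { super(Collections.emptyList()); this.first = first; }
    @Override public Object getPrincipal() { return first.getPrincipal(); }
    @Override public Object getCredentials() { return first.getCredentials(); }
    Authentication getFirst() { return first; }
}

/** Step 1 runs as the form-login success handler; step 2 is called from the /verify-otp controller. */
class MfaSuccessHandler implements AuthenticationSuccessHandler {
    private final SecurityContextRepository repo; // the same instance configured on HttpSecurity
    MfaSuccessHandler(SecurityContextRepository repo) { this.repo = repo; }
    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth) throws IOException {
        save(new MfaAuthentication(auth), req, res); // downgrade to the partial state
        res.sendRedirect("/verify-otp");
    }
    /** Once the OTP is valid, restore the full first-factor Authentication. */
    void complete(MfaAuthentication partial, HttpServletRequest req, HttpServletResponse res) {
        save(partial.getFirst(), req, res);
    }
    private void save(Authentication a, HttpServletRequest req, HttpServletResponse res) {
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(a);
        SecurityContextHolder.setContext(ctx);
        repo.saveContext(ctx, req, res); // Spring Security 6: the holder is not persisted automatically
    }
}

/** Makes authorization rules treat the partial state like an anonymous user, so it only reaches /verify-otp. */
class MfaTrustResolver implements AuthenticationTrustResolver {
    private final AuthenticationTrustResolver delegate = new AuthenticationTrustResolverImpl();
    @Override public boolean isAnonymous(Authentication a) { return delegate.isAnonymous(a) || a instanceof MfaAuthentication; }
    @Override public boolean isRememberMe(Authentication a) { return delegate.isRememberMe(a); }
}
```

Register the handler through `formLogin(f -> f.successHandler(...))`, permit `/verify-otp` for the partial state and nothing else, and hand the resolver to whatever evaluates your authorization rules; because the partial session is then never redirected back to `/login`, the cached `/oauth2/authorize` request survives until the OTP step completes.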

custom oidc in keycloak

I have a Spring-based application which does authentication and authorization (OAuth2-based) for a client app. I want to now use Keycloak to manage my authorizations, but I want to keep my Spring code. Basically I want to use my existing auth code as an external identity provider in Keycloak.
I am thinking of adding changes in the client app such that it receives a token from my existing OAuth code (which does the authentication) and then exchanges this token with Keycloak (for session and authorization management). How can I do this? What configurations need to be done in Keycloak?
I read about token exchange in Keycloak here, but I am not clear about the kind of token I need to send from my existing auth code.
https://www.keycloak.org/docs/latest/securing_apps/
Here is how OAuth2 roles are usually spread:
Keycloak is authorization-server
Spring service is resource-server
front-end is client
user is resource-owner
I suspect you want your Spring service to be an "authorization-server" as well (serve user identity). If so, I think you should not.
Keycloak (or any other OpenID provider) should be the only authorization-server. Both Spring and the client(s) should be configured to use it as such.
To write it differently, Keycloak is responsible for users login and emitting tokens with user ID (subject) and rights (roles or whatever). Other tiers in the architecture (clients & resource servers) get user info from the token and apply relevant security checks (spring security annotations, Angular guards, etc.).
I published a mono-repo for a meetup with minimal sample involving a Spring resource-server and Angular (with Ionic) client talking to a Keycloak OpenID authorization-server. You might find some inspiration browsing it.

Can the Spring Boot + Spring Security Keycloak adapters automatically refresh the access token contained in the HttpSession on token expiration?

I am using Keycloak to provide SSO through OIDC for a bunch of applications that belong to the same realm. All of these applications are confidential clients that use the Authorization Code flow. They use JSP for the views, and all necessary redirects are managed by Spring Boot and Spring Security Keycloak adapters.
After successfully logging in I can switch from one application to another correctly (SSO). For each of them, an HttpSession is generated containing a org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken. This class has a details object (SimpleKeycloakAccount) with a securityContext (RefreshableKeycloakSecurityContext) that contains the access token (tokenString), id token (idTokenString) and refresh token (refreshTokenString):
The contained access token has a 5 minute expiration time. Oddly enough, after this time has passed, although I'm still correctly authenticated in the Spring Boot application, I've checked that the access token is never refreshed.
I need to have a valid access token, since some of these applications invoke REST services, secured with the same adapters with bearer only authentication. The problem is I end up having an expired access token and have to deal (manually?) with its expiration.
Is there a way to make the adapter refresh the access token when it expires or are we expected to do so programmatically?
Can you show how to do it?

Spring Boot OAuth2 Could not obtain access token

I'm trying SSO login with Spring Boot and OAuth2.
I have an OAuth2 client running on http://localhost:8001/demo and an OAuth2 authorization server running on http://localhost:9001/uaa
As a result, after the approval page it redirects to the approval page again and again. I'm getting back "org.springframework.security.authentication.BadCredentialsException: Could not obtain access token" from the client.
I have no idea what's going on. I did this with Spring Boot 1.5 and everything seemed to be fine.
Code

Spring Security with SAML Token for REST Service

I'm looking for a simple example of a spring security configuration (Java config preferred) on how I can secure my REST Services with Spring-Security and SAML.
There's a Web Application Firewall in front which will only pass requests that contain a valid SAML token, and otherwise redirects to the IdP to get one. So I don't have to check whether the user is logged in, or redirect the user to the IdP if not.
The only thing I'll need to do is allow only authenticated requests to all REST services, read the user from the SAML token and check that the token is from Airlock.
Later I'll need to add ACL support for more fine-grained rights of the user on specific services, but I'm already lost with the first part of the integration work in Spring Security. Any help would be welcome :)
The magic happens here: https://github.com/spring-projects/spring-security-saml/blob/master/core/src/main/java/org/springframework/security/saml/SAMLProcessingFilter.java
In attemptAuthentication(), it gets the SAML message, parses it and gets the token (SAMLAuthenticationToken). Then it tries to authenticate the user: authenticate(token);