Our application is a Spring Boot application and we have gotten a requirement to implement OAuth2 authorization with the IdentityServer3 as the provider.
However, with everything set up properly, we keep getting the error The client application is not known or is not authorized. when redirected to the login screen of the SSO system.
Using postman, we are able to access the login screen when clicking 'Get New Access Token'
Using AdvanceRestClient, we get the same error as our Spring Boot application.
Checking the log of these 2 tools, i found that on postman, the request will POST to the Access Token URL first, while on both Spring Boot security and the AdvanceRESTClient, it will generate a GET URI to the authorize URL.
Example of POSTMAN:
POST https://login.xxx.com.my/LoginHost/core/connect/token
Example of AdvanceRESTClient first request:
GET https://login.xxxx.com.my/LoginHost/core/connect/authorize?response_type=code&client_id=xxx.web&redirect_uri=https%3A%2F%2Fauth.advancedrestclient.com%2Foauth-popup.html&scope=openid%20email%20profile&state=XXX
This is confusing. Which behaviour is correct? And why is there a difference there?
Hope anyone can help with this. Thanks.
* UPDATE 1 *
POSTMAN settings:
AdvanceRESTClient:
After looking at the console logs of both client, it seems that the issue is caused by the redirect-url. After changing the redirect url on AdvancedRestClient to match with postman settings then it works.
Related
I'm trying to do a POC project. I want to login just like stackoverflow. User just login their google account without having to register first and forget password in the future.
My stack is Angular + Spring boot. Angular or React shouldn't matter here. I have did some research and see how people setup on Google GCP and use it in the webapp.
Ok, now assume I can login in my webapp. I got user's name, picture, etc. How would my Spring boot server auth with the info I got from google?
Any help is appreciated!
Usually, you would get a JWT from Google (or other type of token) that you need to send to your Spring Boot server.
The server should then be configured to verify the token. See https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/index.html and https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html (for JWT).
Basically, add spring-security-oauth2-resource-server (and spring-security-oauth2-jose if JWT) and set the issuer-uri in your applications.(yml | properties)
I think it is https://accounts.google.com/ for Google. This also assumes that you have created app/oauth2 in google console. See https://developers.google.com/identity/protocols/oauth2/openid-connect for details.
I have set basic auth in spring boot, when I try to access the web application using the browser by (entering localhost:8081/api/users) it directs me to the default login page generated by spring boot, then if the credentials were correct it re-directs me to localhost:8081/api/users and displays all the users.
But if I wanted to do the same thing in Postman it gives me a 200Ok and returns the html file in the body!!. I have set the autherization to basic auth and entered the right credintials but nothing seems to work on postman !!
I‘m not new in either Spring boot or Spring Security but I am in Spring Authentication‘s Server.
Description
I have tree apps:
a spring boot backend,
a flutter frontend and
a Keycloak for authentification.
The Backend has only one login method, that is oauth2 and is client of Keycloak. The login method for the Backend is already implemented and is working, using Authorization code.
The flutter should also log into the Backend using Authorization code, but this part is not yet implemented.
The Backend is the part I‘m responsible of and the workflow should be following:
The user on Flutter tries to login
The Flutter App then requests login from Backend App
Backend App, as an authorization server with only one login method which is Keycloak, redirects the user to Keycloak.
The first authentification and authorization happens on Keycloak.
The Keycloak redirect the user on the Backend.
The Backend finds out who the user is and authorizes him.
The Backend redirect the user to Flutter‘s scheme and then flutter open (or continue).
The Flutter calls the Backend to get tokens.
Now my question is how should I configure the Backend, so that it behaves as Authorization‘s server?
This I what I‘ve tried.
I‘ve used the newly created spring-authorization-server. So my SecurityFilterChain already contains:
…
http
.oauth2Login(withDefaults())
…
Now my backend is resource server for itself and client of itself (I can‘t dissociate it now). So I‘m thinking of
adding .oauth2ResourceServer with the configuration of this same server for verifying the tokens I will issue, and
adding .oauth2Client with again the configurations pointing to this server, for the Flutter app being able to login.
Now I don‘t know how to turn my backend into Autorization server, and to be more precise, how to turn on authorization code for user login.
Thanks for reading. Any help would be appreciated.
I am new to Okta and OAuth.
I tried to first do a sample tutorial and followed the same procedure as described here
I am stuck with Angular Authentication using OpenId Connect.
I have created OIDC application in my Octa Account and below is the default Authorization server:
Below is the snapshot of OIDC application in Okta
Below are the snapshots of the output and error I get :
When I click the login button, I am getting 400 Bad Request
Below is the request url :
https://dev-my-id.okta.com/oauth2/default/v1/authorize?client_id=0oa14cwbxyudJGVdr4x7&code_challenge=5QqCuQ-BjTJ7uoFVgpX2ourrL7XBxZ39WSSvvw1GDPw&code_challenge_method=S256&nonce=2HbF0A4V664QRo4CXSD51XhI8cGIWBzRvVxGIzyevzhlVByLYlz3NPkBEOcd0Ld3&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fcallback&response_type=code&state=jpew68c6Nwo6skLAPqtdtf4uXxTriKJMPiat7YxDUSvCXH87GSoSa9eeQsSxEnnH&scope=openid%20profile
Check to see if the OIDC application you are using in Okta is set to active. That may be the cause of the 400 error you are seeing.
Im having a problem to understand the OAuth flow with Spring.
I have a server running, which got protected endpoints to deliver metric data about the users, revenue usw.
These are used inside an admin panel written in Angular2. Currently the access_token for these endpoints is received by sending the ClientId/Secret and username password to my server.
But obviously its bad to store the Clientsecret on a javascript site.
So I need a way to retreive an access_token from javascript without exposing the client_secret.
I tried to implement the Spring OAuth2 implicit flow which somehow works, but only when I type it inside a browser so the /login page from spring shows up.
My Admin panel has its own Login page so this doesnt work out.
Does anyone have suggestions?