How to implement PKCE Authorization Code in Spring Security OAuth Provider? - spring

I have a working Authorization Server and Resource Server implemented using Spring Security features that provide single sign-on to all the registered clients in my organization.
It supports the following grant types:
Authorization code for web application
Password
Implicit
Now, one of our new products is a single page application built using React. In order to authenticate and grant access token to it from our custom Auth Server, we are enhancing the Spring project to support PKCE grant type and also making sure the existing functionality does not break.
I know I need to use the latest Spring Security 5 classes of the artifact 'spring-security-oauth2-core', but I am not able to find any documentation around it or sample code example, to begin with.
Any pointers will be a great help.

Related

Spring webapp with multiple auth types: basic and social login together

I wrote a spring boot webapp with spring security authentication over jpa. It uses jwt to grant access to a simple html/js application.
I'd like to add oauth2 flow in order to allow users to authenticate over github or google or whatever cloud system.
What kind of solution may I adopt to target it?
I see many applications like udemy, for example, or others. They allow multiple authentication types:
username and password
google account
facebook account
How may I replicate this behaviour in my webapp?

What are the possibilities with Spring Authorization Server when using it for authentication (and authorization)?

I'm looking to find a tool that will do the authentication (and authorization) part of the project. For the project, I will be using spring boot and java 8.
I will be working with OAuth 2.0, the flow for an untrusted client (web application) and a trusted client (another server).
I was looking at Keycloak and Spring Authorization Server.
But it's unclear what are all the possibilities with the Spring Authorization Server.
Like with Keycloak you have single sign on, identity brokering, social login, user federation, admin console, account management console, standard protocols etc.
Is this also possible with Spring Authorization Server, or what are the possibilities of Spring Authorization Server?
We're working on reference documentation which will include a feature list. In the meantime, see feature list on the GitHub wiki for the project.
From this PR, a possible short overview/answer to your question would be:
Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
Update: The reference documentation is now available and contains an Overview page with this information.
You can make custom OAuth resource server implementation or use the SAML standard.
Also, you can implement access by JWT token, which suits an API-only service well.
You can also use "Basic Authentication", but it's too simple for mature applications.

Spring Boot 2 Authorization Server for public clients (PKCE)

Is it possible to create an authorization server for PKCE authentication in the current version of Spring Security?
I did some research and found this authorization server project, https://github.com/spring-projects-experimental/spring-authorization-server, but there is no usable sample for that project.
I also found out that Spring recommends Keycloak as an authorization server, but it does not fit my case.
We need to be able to fetch and verify the user against a remote service, and then use the authorization server only for generating and verifying JWT tokens. To my knowledge, Keycloak should also hold the users, right? So the best solution would be a custom standalone Spring authorization server. Is it possible in some way? Thank you!
You may have a look at this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry but it could be used as a stand alone OAuth2 server. It can support external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, Spring framework has one more implementation of the authorization server. It is a part of spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to change the legacy solution.
From my point of view now there are several possible options:
Using old legacy spring-security-oauth. More examples with old auth server
Using external services like Keycloak, Auth0, Okta, etc.

Grant type selection for OAuth2 implementation

I would like to build a web based application using Spring Boot micro service. I am planning to use OAuth2 and OpenID Connect to implement authentication and authorization in my application. What grant type I have to choose to implement OAuth2 if my application is going to be single page application (Angular.js for front end Spring Boot services for backend)?
You can use the Implicit or Authorization Code flow with a single page app:
In order for a single-page app to use the Authorization Code flow, it must be able to make a POST request to the authorization server. This means if the authorization server is on a different domain, the server will need to support the appropriate CORS headers. If supporting CORS headers is not an option, then the service may use the Implicit Flow instead.
oauth.com
but it's recommended to use the Authorization Code flow:
It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead. oauth.com
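
The PKCE extension recommended in the quote above binds the authorization code to a secret that the client generated. As an added example (not from the original answers, and not Spring Security's own code), this plain Java class shows the RFC 7636 S256 derivation and the comparison an authorization server makes at the token endpoint. The class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper, not part of Spring Security: PKCE (RFC 7636) with the S256 method.
public class PkceCheck {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Client side: 32 random bytes become a 43-character base64url code_verifier.
    static String newCodeVerifier() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        return B64URL.encodeToString(random);
    }

    // code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), sent with the authorization request.
    static String s256Challenge(String codeVerifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return B64URL.encodeToString(sha256.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every Java platform", e);
        }
    }

    // Server side, at the token endpoint: recompute the challenge from the verifier
    // presented with the code and compare it with the challenge stored for that code.
    static boolean verifierMatches(String storedChallenge, String presentedVerifier) {
        if (storedChallenge == null || presentedVerifier == null
                || !presentedVerifier.matches("[A-Za-z0-9\\-._~]{43,128}")) {
            return false; // missing or malformed verifier: reject the token request
        }
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = s256Challenge(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) {
        // Test vector from RFC 7636, Appendix B.
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String challenge = s256Challenge(verifier);
        System.out.println(challenge.equals("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"));
        System.out.println(verifierMatches(challenge, verifier));          // matching verifier
        System.out.println(verifierMatches(challenge, newCodeVerifier())); // different verifier
    }
}
```

The server stores the challenge alongside the issued authorization code, so an intercepted code cannot be redeemed without the verifier that never left the client.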

Real Time examples for Oauth2 Grant Types and Good document, example for Oauth2 with Spring MVC

I read about OAuth2 a few days ago. It has entities like Client, Resource Owner, Resource Server and Authorization Server, and I understood the explanations too, but I still don't understand the grant types completely and I am confused about the following types. OAuth2 has 4 different grant types:
Authorization code
Implicit
Resource Owner Password Credentials
Client Credentials
Please give me some real-time examples for the above types to differentiate the implementation. I need to know what types of grant implementation Spring Security OAuth2 has, and the full flow for Spring OAuth2 with security.
I have gone through some examples implemented with OAuth2 with Spring MVC and Spring Security, but they confuse me and I don't get a clear picture of the API implementation.
I'm looking for a good OAuth2 flow and documentation with Spring MVC and Spring Security. Please help me.
In terms of understanding the flows and the differences between them, this presentation is the best resource I found online. After this, if you read the OAuth2 spec description, it'll be much easier to follow.
Unfortunately, in terms of code samples, there isn't good Spring Security OAuth2 sample code out there (the Sparklr and Tonr examples are okay but not super clear). Best resource there is to look at unit tests in Spring Security OAuth2 code on github.
One question I want to ask is: are you looking to create your own OAuth2 Provider, or do you just want to connect to Facebook, Google, etc. as an OAuth2 client? If it's the second part, I would suggest skipping Spring Security OAuth2 and instead looking at the Spring Social project.
Edit:
For creating an OAuth2 Provider, check out this code by Dave Syer (he is the lead of the Spring Security OAuth project). It shows how you can create an OAuth2 Provider and Resource Server in 20 lines of code. This is the easiest way to create Spring Security OAuth code.
https://github.com/dsyer/sparklr-boot
It uses Spring Boot and Spring Security OAuth projects. Of course, you'll have to understand Spring Security, JavaConfig configuration and the OAuth2 protocol properly to understand how all of this works.
Authorization Code is a redirection-based flow; in most applications, when we log in via Facebook or Google, we use this grant type.
Implicit is used mostly in mobile or single page applications; client confidentiality is not guaranteed here. This also has a redirect flow similar to Authorization Code. This does not support refresh tokens.
Password Grant Type is used when the client application and resource owner belong to the same application; this is going to be the case when your application is working end to end. Here we are sharing the username and password, unlike the above two, where we authenticate via Facebook or Google.
Client Credentials: it's a way to access its own service, like one microservice accessing another microservice.
I also got into OAuth2 using spring last month.
I've read most of the OAuth2 spec and used the samples from the spring-security source, which are wonderful. That way I got a running application which I could use to play with and view its sources next to the specs.

Resources