I have a spring boot v.5+ application which uses spring security saml.
When an idp initiated SingleLogout Request is called i get an error saying :
org.springframework.security.saml.SAMLStatusException: LogoutRequest is required to be signed by the entity policy
Is there an option to disable signing of LogoutRequest in my service provider?
I was facing the same issue. I tried to tweak the default value of requireLogoutRequestSigned property (from default true to false) in Table 7.2. Extended metadata settings of my SP and it worked for me. I'm using MetadataGenerator bean to configure this setting in spring-boot v2.1.1.RELEASE and spring-security-saml2-core v1.0.3.RELEASE.
Related
With a Spring Boot client configured in the DMZ and Spring Security OAuth configured using:
issuer-uri: https://authentication_server/auth/realms/my-realm
I get this error from Spring Security:
The Issuer "https://external_url/auth/realms/my-realm" provided in the configuration metadata did not match the requested issuer "https://authentication_server/auth/realms/my-realm
From this post I have learned that I need to specify authorization-uri, token-uri and jwk-set-uri instead of issuer-uri, and then it also works.
authorization-uri: https://external_url/auth/realms/my-realm/protocol/openid-connect/auth
token-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/token
jwk-set-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/certs
(I do not get why Spring Security cannot auto-configure with the same values from the issuer-uri when it works setting the values individually)
Now the problem is that logout stops working. When using issuer-uri the OAuth is auto-configured and end_session_endpoint is fetched from the answer, but when specifying each setting there is no way to specify the end_session_endpoint.
Is this an outstanding issue in Spring Security OAuth, or do I need to configure it differently?
I had to make a work around for this. With little time I started by copying the existing OidcClientInitiatedLogoutSuccessHandler which I already were using in configuring LogoutRedirectUri.
I simply copied the class and changed the implementation of the method endSessionEndpoint() to return the URI which is returned by our OAuth server as end_session_endpoint.
This issue is tracked in spring-security GitHub.
Probable fix will be allowing to add "Additional attributes for ClientRegistration and ProviderDetails".
I found an odd behavior with JWT parsing and JwtValidators.
Scenario:
Spring Boot OIDC client (for now a tiny web app, only displaying logged in user and some OIDC objects provided by Spring)
Custom JwtDecoderFacotry<ClientRegistration> for ID-Token validation
JwtValidatorFactory based on JwtValidators.createDefaultWithIssuer(String)
This worked well with Spring Boot version <= 2.2.10.
Debugging:
NimbusJwtDecoder (JAR spring-security-oauth2-jose) uses claim set converters. The 'iss' (issuer) claim is handled as URL.
JwtIssuerValidator (internally created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>.
this one finally calls equals() that is always false - it compares String with URL.
My current workaround is not calling JwtValidators.createDefaultWithIssuer() but just using the validators new JwtTimestampValidator() and an own implementation of OAuth2TokenValidator<Jwt> (with wrapping JwtClaimValidator<URL>).
Anyone else having trouble with this?
--Christian
It's a bug. Pull Request is created.
I use Keycloak and I configure it with my application.properties file.
# Keycloak config (instead of keycloak.json)
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=demo
keycloak.resource=DemoApplication
keycloak.principal-attribute=preferred_username
keycloak.bearer-only=true
This works just fine. The problem is that I expected to create a Client in my keycloak admin console for the raealm that is used as keycloak resource.
The docs say
resource
The client-id of the application. Each application has a client-id that is used to identify the application. This is REQUIRED.
But in this example DemoApplication is not registred in keycloak. As I understsand, every Application that includes the keycloak-adapter dependency exchanges the public key with keycloak on startup to be able to verify the signature of an incoming token. But why is this working if the client is not registered in keycloak?
Im new on spring security and I had some research on authentication ,I saw two options there are some guys posted.First one Jdbc authentication or In memory authentication ,and there are also loadUserByName(UserDetailService).
what is difference between them ,and also what is use case of loadUserByName (UserDetailService)
This is the official reference https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-authentication
For In Memory Authentication, you have a set of username-password pair hard-coded in your xml/java config class.
In jdbc authentication, you can have a direct database contact to fetch users and authorities, provided you have configured a datasource
You can define custom authentication by exposing a custom UserDetailsService as a bean. You can do whatever functionality to return an instance of UserDetails in loadUserByUsername(). This method is called implicitly to authenticate a user, when creating an authentication.
I'm trying to use Facebook sign in as described in
https://github.com/spring-guides/gs-accessing-facebook
When I'm trying to create JdbcUsersConnectionRepository, I need spring security in class path.
And when I add spring security I receive
"java.lang.IllegalStateException: Unable to get a ConnectionRepository: no user signed in"
when trying to receive Connection
Connection<Facebook> connection = connectionRepository.findPrimaryConnection(Facebook.class);
or checking
if (!facebook.isAuthorized())
All this happens only when spring security is in the class path
Social Connection should be correspond to any auth user. It seems user should login through username/password or Service Provider. Try look at http://docs.spring.io/spring-social/docs/1.0.x/reference/html/signin.html
"java.lang.IllegalStateException: Unable to get a ConnectionRepository: no user signed in"
It happens because AuthenticationNameUserIdSource used by default
Internally, Spring Social’s configuration support will use the UsersConnectionRepository to create a request-scoped ConnectionRepository bean. In doing so, it must identify the current user. Therefore, we must also override the getUserIdSource() to return an instance of a UserIdSource.
In this case, we’re returning an instance of AuthenticationNameUserIdSource. This implementation of the UserIdSource interface assumes that the application is secured with Spring Security. It uses the SecurityContextHolder to lookup a SecurityContext, and from that return the name property of the Authentication object.
If your application isn’t secured with Spring Security, you’ll need to implement the UserIdSource interface as approprate for your application’s security mechanism. The UserIdSource interface looks like this:
package org.springframework.social;
public interface UserIdSource {
String getUserId();
}
The getUserId() method simply returns a String that uniquely identifies the current user.
More info here
If you are using Spring boot, then the property security basic should not be set to false. Hide this line in your application.properties. This disables the security and boot throws the error if spring-security is disabled.
#security.basic.enabled=false