I am working in a project where we have 3 servers:
Frontend Server running in Reactjs/redux.
Backend application server where project business logic is setup(DRF). This doesn't have authorization mechanism.
User management server where user login/registration(DRF).
Currently in this project registration with session and login is implemented but the user session is maintained only User management server.
Authorization system workflow should be as below:
A request is made from Frontend server to Backend.
Allow only logged in user to get the result.
User Backend server is the one managing user database and session. How can we check in Backend Server if user is logged in through User Management Server and return result back to Frontend Server based on if user is logged in/not.
Token authentication is preferred. I searched for JWT, but the implementation is detailed for single server projects.
Please let me if there is a solution/alternative for the above scenario.
Thanks in advance.
Related
I‘m not new in either Spring boot or Spring Security but I am in Spring Authentication‘s Server.
Description
I have tree apps:
a spring boot backend,
a flutter frontend and
a Keycloak for authentification.
The Backend has only one login method, that is oauth2 and is client of Keycloak. The login method for the Backend is already implemented and is working, using Authorization code.
The flutter should also log into the Backend using Authorization code, but this part is not yet implemented.
The Backend is the part I‘m responsible of and the workflow should be following:
The user on Flutter tries to login
The Flutter App then requests login from Backend App
Backend App, as an authorization server with only one login method which is Keycloak, redirects the user to Keycloak.
The first authentification and authorization happens on Keycloak.
The Keycloak redirect the user on the Backend.
The Backend finds out who the user is and authorizes him.
The Backend redirect the user to Flutter‘s scheme and then flutter open (or continue).
The Flutter calls the Backend to get tokens.
Now my question is how should I configure the Backend, so that it behaves as Authorization‘s server?
This I what I‘ve tried.
I‘ve used the newly created spring-authorization-server. So my SecurityFilterChain already contains:
…
http
.oauth2Login(withDefaults())
…
Now my backend is resource server for itself and client of itself (I can‘t dissociate it now). So I‘m thinking of
adding .oauth2ResourceServer with the configuration of this same server for verifying the tokens I will issue, and
adding .oauth2Client with again the configurations pointing to this server, for the Flutter app being able to login.
Now I don‘t know how to turn my backend into Autorization server, and to be more precise, how to turn on authorization code for user login.
Thanks for reading. Any help would be appreciated.
currently, I'm working on an application in which we want to offer a single sign-on experience, but let me put you in the context:
We have two different Cognito clients created for the same Cognito pool, both are configured to allow the users to login into two different applications:
App A: mydomain.com
App B: appb.mydomain.com
well, the thing is that when a user uses the hosted UI to log in to the first application, I noticed that the Cognito server creates a cookie called "Cognito" as can see in the image:
Cookie set by the auth server
Then, when a user tries to access the other application appb.mydomain.com, and the application, instead of showing the hosted UI, the user automatically enters the application without going to all the login process again, and this is possible because of the cookie I mentioned (when I delete that cookie, then the user is requested to login again using its credentials).
So, that's nice because the user doesn't need to go through all the login process again. But my situation is the following:
I want to create a login page in mydomain.com with my own customized form and using the Cognito SDK. I already have the backend working, also the frontend. The backend can authenticate users to get the JWT tokens (IDtoken, refresh token, etc.) as you can see in the next image:
Tokens I get when I authenticate a user
But at this point I'm not able to redirect the user to appb.mydomain.com with a valid session, I mean, I have the JWT tokens, and I tried to do the same thing that the hosted UI clients are doing, that is setting a cookie somehow containing the JWT session. But I don't know how to make the application appb.mydomain.com to be able to detect this cookie. But the most important problem is that I really don't know how to construct a valid cookie (like Cognito's) to be detected by mydomain.auth.eu-west-1.amazoncognito.com (this domain is shared for both Hosted UI clients).
I don't know if this approach is feasible, or if there is another approach to send a JWT token to the auth server with a callback to redirect the user to the appb.mydomain.com
without going to all the login process again or something like that.
Do you have any advice on how to implement this kind of SSO Experience? I'm using .Net Core in the backend.
I am working on an application with spring boot backend, that I want to secure with OAuth2 using implicit flow. The front end will be angular (SPA). For the initial phase I will have Authorization and Resource server on the same instance, but want to be able to seperate it later on.
I do understand that authorization "takes place" on the Authorization server and then a token is used to access resources. But how do I add a new user to the system? Should there be a registration (password reset etc.) endpoint on Authorization server or the Resource Server?
It makes sense to put it on Authorization server, so when I add a new application that uses it will be able to add a new user to the system.
From other point of view the Authorization server should be used only for authorization, so user creation could be delegated to a resource server.
Usually the registration process is implemented in the resource server, so this endpoint and similar endpoints like retrieving a forgotten password, resetting the password etc all of them lives in the resource server, as they are part of the logic of your application, not part of the authorisation itself.
I'm doing some research about authentication via Active Directory for internal application.
Application is divided in two parts - front-end in Angular 2, and back-end in Spring. I would like to add windows authentication to it to avoid providing credentials when you are already logged in, but i can't fully understand how possibly server knows the credentials of which user to compare with those stored in Active Directory. For example let's assume that I've logged into windows, my data are sent to Active Directory. Now I'm heading to website, which i would like to automatically authenticate me with http request sent to rest api. Rest server invokes some logic connected with authentication with Active Directory, and after success rest api sends token back to Angular. But the thing I'm missing is how server knows which credentials compare to know if user exists in AD. Should i somehow use angular to gain acces of user credentials stored in windows through browser? Or I'm missing something important here.
I have configured WSO2 Identity Server as IDP and have two applications configured as SP. All working fine, except few things:
when I logged out from one application, another application don't see, that I was logged out
when I login into one application, another application don't see, that I was logged in
IMHO, there is main principles of SSO and SLO.
When I check SecurityContextHolder.getContext().getAuthentication() there is no changes after logout or login in another app.
Maybe I should call WSO2 page /samlsso before every load url?
What can I do wrong? How to retrieve from another app, that user logged out/logged in?
EDIT:
For example, WSO2 API Manager Store have such mechanism:
when I logged out from my application and reload Store page, then going redirection to main not logged page in Store. Same with login.
UPDATE:
I found problem in class org.springframework.security.saml.websso.SingleLogoutProfileImpl. When logout request is coming from WSO2 IS, than objects Authentication and SAMLCredential are nulls and error No user is logged in is occured, but for real user still logged in in Spring SAML application.
Same discussion was here, but with no effect :\
You have to verify whether both apps are calling Identity Server (IS) using the same host name. E.g. https://is.blahblah.com/samlsso.
IS session is based on cookies ('commonAuthId' and 'samlssoTokenId' cookies to be specific). If apps are calling IS using two different host names, there will be two different sessions created at the IS side. For SSO and SLO to happen both apps must share a single IS session.
We are using travelocity.com and avis.com web app for test SAML2 sso. You can found the more details here[1]. Further you can checked this documentation[2] Registering the two service providers in the Identity Server and followed the 1 to 8 steps.
[1] https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
[2] https://docs.wso2.com/display/IS500/Customizing+Login+Pages