I have 2 microservices. 1 is a Spring boot 2 project setup as a oauth2 server running on port 8000 and the other is a Spring boot 2 project oauth2 client running on port 8001.
I have the oauth server setup and I can confirm it's working because I get a token when I login using the client id and secret. I use Postman to do a post to /oauth/token and I can see the content. I see the access token and refresh token.
I then use Postman to do a call to the other microservice which is a Spring boot project setup as a oauth2 client. I set the Access Token using Postman as a oauth2 Authorization and I can see that the Authorization: Bearer TOKEN is added to the header. I then do a call to the oauth2 client where I call the following endpoint:
#GetMapping("/api/user/test")
#PreAuthorize("isAuthenticated()")
public MyObject doTest() {
return new String("Test");
}
When I invoke that url I can determine that spring sends a request to the oauth server to get the current user. In my application.yml I have the following so that spring knows where the oauth server is:
security:
oauth2:
resource:
user-info-uri: http://localhost:8000/oauth/user
So far so good. Now here is the thing. I debug the http://localhost:8000/oauth/user url and according to spring the principal is null. I have found where it is going wrong. Either my configuration is wrong or there is a huge bug in Spring because when I add a filter to the oauth2 server and print all the headers this is what I see:
Header: application/json
Header: Java/1.8.0_181
Header: localhost:8000
Header: http
Header: 8000
Header: 172.20.0.1
Header: gzip
Header: 0
Header: 192.168.178.153:9001
Header: Keep-Alive
As you can see there is no Authorization header. Apparently spring oauth2 client isn't sending the Authorization header when invoking user-info-uri. Can anybody help?
I need to know how to configure my spring boot oauth2 client so that each url that needs authentication will call a certain url to get the current user.
Thanks in advance,
Martijn
I found the solution. It was connecting through a zull proxy and by default the zuul proxy filters out the Authorization header. Add this to the zuul configuration and it will work: zuul.sensitiveHeaders: Cookie,Set-Cookie
Related
My application has frontend build with angular and backend build with spring boot, and I use openam by Forgerock as an authentication server. I got the access_token in frontend and pass this access_token to backend through Bearer authentication, But now I have to check if the token is valid in backend by calling /userInfo endpoint. My question is how to config in spring boot to call this endpoint everytime when get the request? Thanks
I may case I didn't had any explicit configuration for access token. You just have to call end points and the tokens will be stored in the header for authentication. Though you can set the timer for it.
My application has microservices behind (spring) gateway with zuul proxy. There is also internal (spring) oauth2 authorization server. I want to implement client_credentials grant type for my microservices calls from outside - for M2M communication.
When I configure for the gateway client_id and client_secret in its application.yml requests come through the gateway but there is no requester check - oauth authorizes the gateway itself, as a result there is no authorization at all. I could use authorization code grant type, but then it would require web-client authorization which (web client) user might not have.
If I request authentication token from the oauth microservice, I get correct token for this app.
How can I force the gateway use the requester's client_id and client_secret to get token from oauth? - e.g. I can provide them as basic authorization via header.
Or can I provide to the gateway the token obtained by the requester from oauth?
The question is very similar to another one: Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices
except the thing that there might be no web client, but an external microservice.
I have answered the question Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices.
In my case the most important thing was to configure zuul proxy to forward authorization header to downstream services. Initially I thought about using zuul filters, but solution was much simpler - just configure sensitive headers for zuul:
server:
port: 8080
zuul:
sensitiveHeaders: Cookie,Set-Cookie # <--- this line
routes:
spring-security-oauth-resource:
path: /spring-security-oauth-resource/**
url: http://localhost:8081/spring-security-oauth-resource
oauth:
path: /oauth/**
url: http://localhost:8083/spring-security-oauth-server/oauth
After successful authentication of a client/user with oauth JWT token will be forwarded to downstream by the gateway.
Certainly, for this gateway must allow unathenticated access to oauth resource and require authentication for all others.
More details on the topics can be found in the article
https://www.baeldung.com/spring-security-zuul-oauth-jwt
i am new to oauth2.0 and trying to introspect token which is send in request headers from angular to spring endpoint. i want to configure web security as to how it can access the endpoint in authorization server for token validation for each incoming request to spring back end.
angular 2 -- > get token from authorization server.
angular 2 -> https request sends token in headers to --> spring boot backend
spring backend (spring-boot) - > to configure security for each incoming request to introspect token. and then send the response back to angular 2
Hi everyone i am not able to proceed with following settings. your small pointers are appreciated.
problem statement
i am trying to use custom authorization server provided by spring cloud security and OAuth2 with my web application so that it can propagate access token to micro services in back end.
i can able to see my authorization server can able to provide access token and when try to ingest access token for invoking endpoints for for back end micro service it work as per expectation
problem faced
when i provide following configuration in spring boot web client(which will call my back end micro service)
in application.properties
security.oauth2.client.clientId=myclient
security.oauth2.client.clientSecret=abcsecret
security.oauth2.client.access-token-uri=http://localhost:9000/services/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:9000/services/oauth/authorize
security.oauth2.client.clientAuthenticationScheme=form
security.oauth2.resource.user-info-uri=http://localhost:9000/services/user
security.oauth2.resource.prefer-token-info=true
and i provide
http://localhost:8080
in my browser. it asks for credentials. i provide credentials as present with authorization server.
once valid credentials provided authorization server asks for valid scopes.
but one important thing i observe when my web client routed to authorization server it has redirect_uri
http://localhost:8080/login
(not ok since initially i entered http://localhost:8080)
i am also getting HTTP 401 error
on spring boot 1.4, using #EnableOAuth2Sso for sso client and a kong third party authorization server, i'm able to receive the authorization code but unable to retrieve the access token.
the authorization code is part of the redirect url after which is there any configuration or a process for retrieving the access token?
Once you get the Authz code, you need to make a server side call(so that access token flow doesn't go through end user browser) to Authz Server for access_token, Look at this section of OAuth 2.0 Spec.