We have implemented an SPA (Angular 5 with angular-auth-oidc) which requests an id_token and an access_token to from an OpenID Connect provider (for the moment we are testing with google), and then sends the id_token to the back-end (a REST API using Spring Boot 5)
My questions are:
what is the approach to send the access_token instead of the id_token ?
Once I am able to validate the access_token, how can I request another access_token and refresh_token ?
Does Spring Security provides a store (in memory) to keep temporarily the access_token and the refresh_token ?
I used the #EnableResourceServer to validate the id_token (jwt) and it works, but when I send the access_token (not a jwt), I get an exception, such as : Invalid characters (CR/LF) in header WWW-Authenticate.
Related
I have some microservices in Spring Boot and my front end application is in angular. I am using OpenID Connect for authentication and authorization. Right now, in my application, when the angular app is loaded, it redirects the user to the authentication server and after login the token is received which is sent by the angular application in each HTTP request to the resource servers. Now I have a question. My microservices also communicate with each other but as each microservice is acting as a resource server and the Rest APIs are secure now, so microservices can not communicate. What I want to achieve is that the requests which are sent by the user from the angular app should contain a token and those requests should be verified but I want to bypass or disable OAuth security for inter service-service communication between microservices. Is there any way to achieve this in Spring Boot?
Do not disable OAuth2 security in your micro-services:
if the inter-services request has the context of user (issued to satisfy part of an authorized request) just forward the original access-token
if inter-services request is not originated by a user request / event / callback,... (scheduled task for instance), then it is possible to acquire an access-token using client credentials flow. Authorization-server should be configured to attach required roles to each client when it issues access-tokens with client credentials flow.
In first case, you can access bearer token from the Authentication in the security context. Add this Bearer string as Authorization header to the requests to other micro-services.
In second case configuring REST client (WebClient, RestTemplate, FeignClient, ...) with client credentials is usually enough for it to automatically fetch an access-token from the authorization-server and add it as bearer header before sending requests to the resource-server.
My application has frontend build with angular and backend build with spring boot, and I use openam by Forgerock as an authentication server. I got the access_token in frontend and pass this access_token to backend through Bearer authentication, But now I have to check if the token is valid in backend by calling /userInfo endpoint. My question is how to config in spring boot to call this endpoint everytime when get the request? Thanks
I may case I didn't had any explicit configuration for access token. You just have to call end points and the tokens will be stored in the header for authentication. Though you can set the timer for it.
I would like to write OAuth2 access token to a cookie instead of writing to response. Since my OAuth request uses /oauth/token endpoint defined in TokenEndpoint.java of Spring Security OAuth2 module, the token is always written to response.
How can I remove this token from response and set to cookie? Should I implement my own TokenEndpoint?
on spring boot 1.4, using #EnableOAuth2Sso for sso client and a kong third party authorization server, i'm able to receive the authorization code but unable to retrieve the access token.
the authorization code is part of the redirect url after which is there any configuration or a process for retrieving the access token?
Once you get the Authz code, you need to make a server side call(so that access token flow doesn't go through end user browser) to Authz Server for access_token, Look at this section of OAuth 2.0 Spec.
I'm working on a service that will accept an OAuth2 Bearer token and validate the token then relay that token to other backend services.
I can pull the token from the request and pass it along, but is there anything already in Spring's OAuth2 support for retrieving a token from the request and passing it along?
Or should I create a custom OAuth2ProtectedResourceDetails and OAuth2ClientContext to handle this?