Spring Security against Azure OIDC OAuth2 Flow - spring-boot

The real question, I could have asked, why am I only getting an id_token in my response to the authorization endpoint? And, probably best created in an azure stackoverflow space.
For context, the original question was more about customization strategy. Which, further research determined was not necassary.
I've been reading through the OAuth2/OIDC features of the Spring Security Reference Guide - 5.7 OAuth 2.0 Login, 31. OAuth 2.0 Login — Advanced Configuration, and the github OAuth2 Login Samples trying to figure out how to extend or create a custom implementation for Microsofts Azure OIDC API - Authorize access to web applications using OpenID Connect and Azure Active Directory.
These are observations. And generally, what I’ve seen based on my experiment and what I believe to be true based on the spring security behavior and the Microsoft Understanding OpenID Connect Protocol guide documentation.
Azure’s sign in request against the /authorization endpoint has 3 additional nuances to their sign-in request that are currently not supported in the Spring Security 5 code base.
“response_type” – The Microsoft OIDC API allows id_token or id_token+code … Spring Security supports “code” or “token” OOTB. (id_token gets you the id_toke, id_token+code will get you id_toke and code. The code you can exchange for an access token.
“response_mode” – The Microsoft OIDC API recommends use of response_mode=form_post … This is not supported OOTB Spring Security.
“nonce” – The Microsoft OIDC API recommends use of nonce=[unique_value] … This is not supported OOTB Spring Security.
I've created a fork to see what enhancements would be needed to support the above. I believe they would be.
spring-security-oauth2-core
OAuth2AuthorizationResponseType - to include additional types.
OAuth2AuthoriztionRequest - to include support for nonce and responseMode
oauth2-client
OAuth2AuthoriationRequestRedirectFilter
OAuth2AuthorizationRequestUriBuilder
And a mechanism to auto configure the appropriate options.
The changes to support these parameters at first glance appears to be trivial. However, the classes in spring security are final and thus the extension is much bigger.
Anyone have any advice on a customization strategy? What would be the recommended approach to creating a customized configuration to support the nuances without replicating the code base?

With juunas clue ... I realized my issues were related to the fact I had not created api scope when I registered my application in the azure b2c blade. Thus, the issue was not the spring security configuration. But, a result of the missing scope.
Incidentally, the Get Access Token section in Microsoft Understanding OpenID Connect Protocol guide states, "... By including permission scopes in the request and using response_type=code+id_token, the authorize endpoint ensures that the user has consented to the permissions indicated in the scope query parameter, and return your app an authorization code to exchange for an access token."
Per juunas, this happens when response_type=code as well. –

Related

What are the possibilities with Spring Authorization Server when using it for authentication (and authorization)?

I'm looking to find a tool that will do the authentication (and authorization) part of the project. For the project, I will be using spring boot and java 8.
I will be working with OAuth2.0, the flow for untrusted client(web-applictation) and trusted client(another server)
I was looking at Keycloak and Spring Authorization Server.
But it's unclear what are all the possibilities with the Spring Authorization Server.
Like with Keycloak you have single sign on, identity brokering, social login, user federation, admin console, account management console, standard protocols etc.
Is this also possible with Spring Authorization Server, or what are the possibilities of Spring Authorization Server?
We're working on reference documentation which will include a feature list. In the meantime, see feature list on the GitHub wiki for the project.
From this PR, a possible short overview/answer to your question would be:
Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
Update: The reference documentation is now available and contains an Overview page with this information.
You can make custom OAuth resource server implementation or use the SAML standard.
Also, you can implement access by JWT token, which suites well for API-only service.
You can use also "Basic Authentication", but it's too simple for a mature applications.

Openid-connect or SAML 2.0

Our current Application
Backend is in Spring Boot 2(RestAPI's) and Angular in the front-end.
Once Authentication is done it currently uses JWT(Bearer) to perform create, update, and delete resources via passing Authorization headers for RestAPI's. For reading operations, it can be accessed by all without any authorization.
Now, due to the increase in applications, we are moving to IDP with KEYCLOAK
I wanted to know which type of SSO to be used for the given case.
SAML 2.0
If implemented, after SSO with SAML how do I create/Update/Delete response for my REST endpoint? as I see SAML provides assertion and I require a bearer token to create the resource.
How to use assertion to create/Update/Delete response for my REST endpoint?
I tried to implement this using the Spring-Saml extension. But, I was not able to achieve the above objective.
OIDC-OAuth
If implemented, how do I filter read-only endpoints to all that is certain URL's to be available without an authorization?
Keycloak default implementation is out-of-the-box for OIDC.
I’ve implemented this in oidc using Keycloaks adapter for spring rest .
Thanks!!
SAML 2.0 is an older XML based protocol whereas Open Id Connect is JSON based and browser / mobile friendly. In any modern architecture use OIDC. See also this summary.
It is still possible to integrate SAML identity providers into an OIDC architecture by using federation features of the authorization server. However, your actual application code should know nothing about SAML - it should just work with OAuth 2.0 tokens after sign in.
If possible I would avoid SAML completely.

Creating Custom OpenId Provider for Oauth2 Spring Boot

I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api's. Oauth2 framework is working fine but now my Client wants a dedicated OpenId Provider for authentication purpose on top of Oauth2 framework. I have done some round of searching across Google but couldn't find much resources for implementing Own OpenId Provider for Oauth2. I have gone through many blogs and could understood that OpenId is basically used when we want to delegate the authentication from Oauth2. OpenId is created on top of Oauth2 but couldn't find much resource for activating or implementing it.
Can anyone please help me on this
My complete source code which I have done using Oauth2 with Spring Framework is as given below
oauth2-spring
According to "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.
The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give an impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One evidence is spring-security-oauth Issue 619 where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.
There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?
Update (November 14, 2019):
The Spring Security team has decided to no longer provide support for authorization servers. See their announce for details.
I think it could be easier to start by first implementing OAuth2 code flow. Then add implicit flow, and finally OpenID Connect part.
If you want to have a serious OpenID Provider I would suggest not implementing from scratch as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into existing system.
Have created from scratch a OpenID Provider (SimpleLogin.io), I can say that it takes almost forever to be 100% compliant to the protocol ...

Spring Security and OpenID Connect (OIDC)

In my current project I use in a full scope the Spring Security OAuth (http://projects.spring.io/spring-security-oauth/) project to protect our resources (Web API). Everything works fine till now.
I'm now working on the development of the clients and I'm looking for a good support for the authentication scenarios (as OAuth is an authorization protocol). After long, long internet search I'm quite sure I should take the OpenID Connect (http://openid.net/connect/) to fulfill this requirement, as it is "a simple identity layer on top of OAuth 2.0" (I know however, there is no "simple" in case of security topics).
Sad but true I'm not able to find any good resources about the support for OpenID Connect (not to confuse with "pure" OpenID) in Spring Security. There is a OpenID Connect reference implementation at https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server but I have expected something similar direct in/from Spring Security with comprehensive documentation and so on. I have found about 2 years old discussion about it here https://github.com/spring-projects/spring-security-oauth/issues/220 but what is the current status? Looking for "Spring Security support for OpenID Connect" does not deliver any "tangible" results.
Do you have any infos, documentation and/or experience regarding implementation of the OpenID Connect with the help of Spring Security?
Before OpenID Connect emerged, it was practically okay to assume that the value of the request parameter response_type be either code (for authorization code flow) or token (for implicit flow). However, now an authorization server implementation must be able to handle any combination of (code, token, id_token), and none. Details are described in "OpenID Connect Core 1.0, 3. Authentication" and "OAuth 2.0 Multiple Response Type Encoding Practices".
As the first step to support OpenID Connect, Spring Security OAuth has to become flexible for response_type. You can find a request for it at "Issue 619: Handling additional response_types". However, it is hard to change an existing code that expects only either code or token to a new one that can accept multiple values at a time. As of this writing, the lastest comment of Issue 619 made on Dec. 12, 2015 ends with a sentence as excerpted below.
Any comments are more than welcome as this turned out to be (as I predicted) a large refactor exercise.
If Spring Security OAuth is purely a voluntary project without any support from commercial bodies, such a big change would be unlikely to happen.
My experience: About two years ago, I wrote an OAuth 2.0 server from scratch. It was after it that I knew of the existence of OpenID Connect. After reading specifications related to OpenID Connect, I finally reached a conclusion to dump the existing implementation and re-write the server from scratch again.
As you guessed, OpenID Connect is not simple at all.
See also "5. Response Type" in
"Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings".
**Update** (2017-Nov-23)
Authorization Server and OpenID Provider on Spring Framework
https://github.com/authlete/spring-oauth-server
Resource Server on Spring Framework
https://github.com/authlete/spring-resource-server
spring-oauth-server supports OAuth 2.0 and OpenID Connect. spring-resource-server has an implementation of UserInfo Endpoint which is defined in "OpenID Connect 1.0, 5.3. UserInfo Endpoint". Both implementations don't use Spring Security OAuth but use Spring Boot and Authlete.
Blog: Spring + OAuth 2.0 + OpenID Connect

Real Time examples for Oauth2 Grant Types and Good document, example for Oauth2 with Spring MVC

I've read about Oauth2 few days before, it has entities like Client, Resource Owner, Resource Server, Authorization Server and i understood the explanations too. but i don't understand the grant type's completely still i got confusion on following types. Oauth2 has 4 different grant types like,
Authorization code
Implict
Resource Owner Password Credentials
Client Credentials
please, give me some real time examples for the above types to differentiate the implementation. I need to know that what are the types of grant implementation spring security oauth2 has and full flow for spring oauth2 with security.
I have gone through some example implemented with oauth2 with spring mvc, spring security. but it's confusing me i don't get clear picture of the api implementation.
I'm looking for good Oauth2 flow and document with Spring mvc and Spring security. please help me.
In terms of understanding the flows and the differences between them, this presentation is the best resource I found online. After this, if you read the OAuth2 spec description, it'll be much easier to follow.
Unfortunately, in terms of code samples, there isn't good Spring Security OAuth2 sample code out there (the Sparklr and Tonr examples are okay but not super clear). Best resource there is to look at unit tests in Spring Security OAuth2 code on github.
One question I want to ask is - are you looking to create your own OAuth2 Provider or do you just want to connect to Facebook, Google, etc as OAuth2 client. If it's the second part, I would suggest skipping Spring Security OAuth2 and instead look at Spring Social project.
Edit:
For creating an OAuth2 Provider, check out this code by Dave Syer (he is the lead of Spring Security OAuth project) . It shows how you can create an OAuth2 Provider and Resource Server in 20 lines of code. This is the easiest way to create Spring Security OAuth code.
https://github.com/dsyer/sparklr-boot
It uses Spring Boot and Spring Security OAuth projects. Of course, you'll have to understand Spring Security, JavaConfig configuration and the OAuth2 protocol properly to understand how all of this works.
Authorization Code is redirection based flow, in most application when we login via Facebook or google we use this grant type.
Implicit is used mostly in mobile or single page application, Client confidentiality is not guaranteed here. This also has a redirect flow similar to Authorization Code. This does not support refresh token.
Password Grant Type is used when client application and resource owner belong to same application, this is goin to be case when your application is end to end working. Here we are sharing username and password. unlike the above two where we authenticate via Facebook or google.
Client Credentials: its a way to access it own service. like one microservice to access another microservice.
I also got into OAuth2 using spring last month.
I've read most of the OAuth2 spec and used the samples from the spring-security source, which are wonderful. That way I got a running application which I could use to play with and view it's sources next the the specs.

Resources