I'm currently developing an app in asp.net core 2. However, i'm having issue configuring swagger properly and the authentication layer for the webapi.
In my instance, I have a web api that is configured with jwt. It uses the app id url as the jwt audience. Swagger is configured to run on top of this service and AAD is set up. However, because it's logging in to itself it has the resource configured as the web api client ID. Login successfully works, but the token does not work with the api calls. The main reason is that there is difference in resource/audience. The token is configured with an audience of the client ID and the webapi is conifgured with a jwtaudience of the app ID URL.
It only works if i configure the jwtAudience to the clientID. I doesn't work if i try to update the swagger resource as the app ID URL.
I need the jwtAudience to be configured to the APP ID URL. I can't figure how to do this thou.
Do i need to modify the AAD manifest to give permission to itself?
Any advice appreciated?
Thanks,
Derek
Related
I'm trying to do a POC project. I want to login just like stackoverflow. User just login their google account without having to register first and forget password in the future.
My stack is Angular + Spring boot. Angular or React shouldn't matter here. I have did some research and see how people setup on Google GCP and use it in the webapp.
Ok, now assume I can login in my webapp. I got user's name, picture, etc. How would my Spring boot server auth with the info I got from google?
Any help is appreciated!
Usually, you would get a JWT from Google (or other type of token) that you need to send to your Spring Boot server.
The server should then be configured to verify the token. See https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/index.html and https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html (for JWT).
Basically, add spring-security-oauth2-resource-server (and spring-security-oauth2-jose if JWT) and set the issuer-uri in your applications.(yml | properties)
I think it is https://accounts.google.com/ for Google. This also assumes that you have created app/oauth2 in google console. See https://developers.google.com/identity/protocols/oauth2/openid-connect for details.
I have an old web app that uses Forms Authentication that we've converted to support SAML using Shibboleth. This part is complete and works fine. The app redirects to login.microsoftonline.com, allows a login against the customer's AD (hburg.kyschools.us), and redirects back to the app which now allows the authenticated user in.
The web app also has some ASP.NET Web API controllers that we'd like to authenticate the same way. This also seems to work when the controllers are accessed from a browser that has already logged in. So far, so good.
Now we want to access these Web API controllers from a WPF app. The WPF app has been accessing them for years but just using Basic Authentication. Looking for an example, I found this project on github that shows how to use MSAL:
https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2
This project will acquire a token via MSAL and then use it with HttpClient to call a web service. I can run this project and use it to log in to the same AD as above (hburg.kyschools.us). And then it can use HttpClient to access MS Graph.
Now, when instead I try to have the project call into my Web API controller using HttpClient, passing in the same token I received back from the hburg.kyschools.us AD, I get back the Log In page at login.microsoftonline.com, as if I haven't authenticated.
Can I use MSAL to get a token this way that can be used to access my web api via HttpClient from WPF? It seems like I'd need to tell MSAL that I want the token to include authorization for the web app. Is that done somehow in the scopes parameter?
I‘m not new in either Spring boot or Spring Security but I am in Spring Authentication‘s Server.
Description
I have tree apps:
a spring boot backend,
a flutter frontend and
a Keycloak for authentification.
The Backend has only one login method, that is oauth2 and is client of Keycloak. The login method for the Backend is already implemented and is working, using Authorization code.
The flutter should also log into the Backend using Authorization code, but this part is not yet implemented.
The Backend is the part I‘m responsible of and the workflow should be following:
The user on Flutter tries to login
The Flutter App then requests login from Backend App
Backend App, as an authorization server with only one login method which is Keycloak, redirects the user to Keycloak.
The first authentification and authorization happens on Keycloak.
The Keycloak redirect the user on the Backend.
The Backend finds out who the user is and authorizes him.
The Backend redirect the user to Flutter‘s scheme and then flutter open (or continue).
The Flutter calls the Backend to get tokens.
Now my question is how should I configure the Backend, so that it behaves as Authorization‘s server?
This I what I‘ve tried.
I‘ve used the newly created spring-authorization-server. So my SecurityFilterChain already contains:
…
http
.oauth2Login(withDefaults())
…
Now my backend is resource server for itself and client of itself (I can‘t dissociate it now). So I‘m thinking of
adding .oauth2ResourceServer with the configuration of this same server for verifying the tokens I will issue, and
adding .oauth2Client with again the configurations pointing to this server, for the Flutter app being able to login.
Now I don‘t know how to turn my backend into Autorization server, and to be more precise, how to turn on authorization code for user login.
Thanks for reading. Any help would be appreciated.
We developed a web application that uses Angular8 for the front-end and SpringBoot for Service APIs. We secured the SpringBoot application with Basic Authentication. So that when we need to call the API from front-end angular code we need to send the user name and password with the API headers.
So we are keeping the username and password in the environment.js file in the angular project. Those credentials are exposing in client-side code which loads into the browser.
So Anyone please help with where to place these credentials in Angular code?
Storing credentials in code is not recommended
To answer your question, you can store it in localStorage, sessionStorage or you can use HttpInterceptor in which you can automaticaly add headers to your every request. For more information, read Authenticaion using the HttpClient and HttpInterceptors
Recommend Using Token based authenticator - users will provide its credentials and get unique and time limited access token. you can manage token creation, checking validity, expiration.
I am working through a process of validating the JWT after OKTA Login. I have a SPA Sample SPA Site that handles user login and calling an API.
SPA SITE
User Logins into OKTA
Obtains a JWT
Passes JWT to a .NET Web API (hosted on my own server not at OKTA).
WEB API: This accepts the JWT and needs to validate it.
Per OKTA I need verify the JWT through an Authorization Server. I setup the Authorization Server but I cannot see where the two features (shown on the images) are located on the SPA API or the Auth Server. This includes a URL that is required that follows the format of xxxx.okta.com/AS/{key}
Is there something that has to be enabled that is not enabled in my OKTA Account? I think so but what is it? OKTA support states that everything is enabled and confirmed this is a good code sample (GitHub) to use.
The Image Below should appear after setting up the SPA App. I cannot find this feature under the SPA or under the Auth Server. It does not seem to exist anywhere on OKTA. This is why it seems something is not enabled on my Dev account, or this documentation is outdated?
SPA Code Sample (includes the images below from the PDF) https://github.com/oktadeveloper/okta-oauth-spa-authjs-osw
I see that under the Security menu item -> API.
Also, when I had my app OpenID Connect enabled, I used well-known endpoint:
GET /.well-known/openid-configuration to get "jwks_uri", I used this url to self-verify the JWT token at the API level.
OKTA confirmed the code sample and documentation is out of date. They have no ETA to any updated samples and could not provide any documentation to help. This was via a response on a support ticket. Well already then, time to look at Azure.