I have a project user java spring boot and oauth2. Access token is very too long.
How to set length of access token. Thanks for help
I assume you're using mostly default configuration and therefore the DefaultTokenServices builds your access token.
Since spring is completely open source you can look easily into their code and find this line:
DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
There is no option to specify the length of your access token. An option would be to implement a token service by yourself and create an access token in a way you want to.
There is already another question that asks how to create a custom oauth2 token. Maybe this helps you doing this.
But be careful when implementing this by yourself, because this is in fact your security token. If it is weak, your authentication is weak.
Related
I am currently migrating the authorization server from old Spring Security OAuth2 to the new Spring Authorization Server.
It seems that the new Spring Authorization Server generates JWT tokens by default.
What if I dont want to use JWT and Opaque.
Is it possible to generate tokens same as the old Spring Security OAuth2?
By the way, I also dont have idea what type of token the old Spring Security OAuth2 generates...i am a noob here...any idea is appreciated.
Thanks.
You can generate any type of token you want, using OAuth2TokenGenerator, though it sounds like you don't have another type in mind.
Spring Authorization Server supports OAuth2TokenFormat.SELF_CONTAINED and OAuth2TokenFormat.REFERENCE as types, which are high level categories that map concretely to JWT and Opaque respectively. If you aren't interested in using a JWT, then I suggest using Opaque. It is quite simple to configure and use.
If you want to use another self-contained format, there are many areas of the framework you will need to customize and get right, which might be difficult without a spec. I don't remember off hand what formats were supported by the old project, but it was likely one or both of these.
I have Okta App's client id and secret key and I would like to know how to generate access token using spring default classes and not by hitting the API endpoint.
Please provide the spring pre-defined classes to which I can provide the client id along with secret and the access token is generated.
You are dealing with server to server authentication. You don't actually explicitly need access token, use oauth2resttemplate for all requests just to have things under control.
You could implement as is from link: https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
As I can understand, OAuth2 framework needs a custom JWT authentication server and I have to create a custom security filter with JWT utility class for the filter-based JWT implementation.
However my question is, what is the best method to implement JWT on Spring Boot 2? filter-based authentication or OAuth2?
Is there any pros and cons based on nature of the clients and application?
As an example; Does OAuth2 authentication provide any advantage, if application manages different clients such as mobile, web, web service etc.?
Note: My question is related to the security of Spring-Boot REST API + web application.
I have found a discussion regarding the same matter and I’m extracting the important points below.
From the technical point of view, still I didn’t get a clear idea of which implementation, when and where, but it helps me to take a decision.
I personally hesitate to bring in OAuth when I only need JWT authentication. It feels confusing and honestly I do not want the additional complexity to use #EnableResourceServer etc. Maybe it's just a couple of lines of configuration but if feels like overkill.
Can someone show me why it's so difficult to set up an OAuth2 provider with JWT tokens? If you want JWT tokens all the code is already here. Why is it so hard to just use it?
Answer:
Maybe it's not difficult but 1) it feels unnatural to do so and 2) it can be easier.
Instead of using #EnableResourceServer and other setup I would like something much more easier like:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.jwt()
.loginUrl(new AntPathRequestMatcher("/api/login", "POST"))
.secret("my-super-duper-secret")
.claimsProvider(new MyClaimsProvider)
What you typically want set to for JWT is the login url (can be defaulted to /login), the secret and optionally some claimsProvider implementation. A default implementation should be provided out of the box adding the username and roles to the claims.
This way it would be very easy to setup JWT in Spring Security.
With OAuth2 there is a "refresh token", so you put the onus on the client to keep the access token live, and the authorization server can check the user account every time it is refreshed. If you start worrying about that kind of problem (which you should) then you will end up implementing something that is getting pretty close to OAuth2, at which point you might say "why didn't we just use OAuth2 in the first place?" Do you see my point?
Isn't the use case described in this issue conceptually different from the OAuth2 case? Here we have a password as an input and JWT token as an output, and JWT token is then used for accessing the resources. The JWT profile for OAuth 2 spec specifies a different case, where a JWT token is an input to the token service and the access token is an output, and access token is then used for accessing the resources.
It will be good to have just simple JWT token base authentication without OAuth which is sometimes complicated for small projects.
https://github.com/spring-projects/spring-security-oauth/issues/368
I am working on securing a REST API, here is the basic set up (Happy Path) I am working with:
1) UI will request to authenticate with another service, this service will return a JWT to the UI.
2) Once a user of the UI is done with their work, they will make a request to the REST API that I am tasked with securing using a JWT that is passed to me.
3) I will then ensure the JWT is legit, get the users roles and then determine if the user is authorized to access that endpoint (perform the requested function).
I am sure this is possible, but my past experience with Spring Security wasn't dealing with JWT or Authorization only.
Would it be a correct approach to implement Authentication and Authorization, get that working and then back out the Authentication part?
Thank you for your kind help!
I suggest that you take a look at the Spring Security OAuth2 project. It makes this kind of thing fairly easy.
In particular, have a look at this section about using JWT
I have a small problem at the moment. The problem is that my web service is RESTful. Consequently, I need a stateless session for Spring Security in order not to break REST conception. I want to get the current user information and since my Spring Security session is stateless I don't know how. I also wanted to use #PreAuthorized annotations, but, now, it's impossible too for the reasons, I wrote above. Honestly, I'm new to REST services and I would be grateful for a piece of advice.
Thank you in advance.
So the problem is in JSESSIONID. Spring use it as token in security filter chain to get UserDetails. But it's not good practice to use JSESSIONID for REST.
Briefly:
I suppose you should use Spring OAuth/OAuth2 for authorization. You will have to configure AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter. Then you will be able authenticate your user -> obtain access_token and refresh_token. After that you can use access_token for your REST requests, for example as HTTP header Authorization: Bearer access_token. When access_token become expired you should use refresh_token to refresh it. As usually you will be able to access UserDetails via SecurityContextHolder.
Hope it's useful for you.