We are using the #EnableResourceServer annotation to apply the security filter for all our APIs. We are using Spring OAuth2 and JWT tokens. We use both client credentials token (obtained using client-id and client secret) and User token (using name/password)
We want to protect certain endpoints (**/clientTokenAllowed/myapi) using the client JWT token, whereas all others would need a user JWT token.
Where should I put this validation check in the filter? Could not find the right example to do this.
In Spring Security OAuth you can make use of expressions like #oauth2.hasScope(), #oauth2.isUser(), #oauth2.isClient() and the likes in your ResourceServer HTTPSecurity configuration. More like these expressions can be found here
So in your case you might want to use #oauth2.isUser() and #oauth2.isClient().
Related
I have an API gateway in front of my Spring Boot app. This API gateway performs the oauth2 authentication and validation of the JWT token for me. My app receives the valid JWT token as HTTP header.
How can I combine this JWT token with the standard Spring security? I want to use the user groups passed in the JWT token for access control to my REST endpoints. And how can I avoid double validation of the JWT (on API gateway and service side)?
Configure Spring REST APIs secured with OAuth2 as resource-servers. Tutorials here.
This can be as simple as:
<dependency>
<groupId>com.c4-soft.springaddons</groupId>
<!-- replace "webmvc" with "weblux" if your app is reactive -->
<!-- replace "jwt" with "introspecting" to use token introspection instead of JWT decoding -->
<artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
<!-- this version is to be used with spring-boot 3.0.0-RC1, use 5.x for spring-boot 2.6.x or before -->
<version>6.0.4</version>
</dependency>
#EnableMethodSecurity
public static class WebSecurityConfig { }
com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master
com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,ressource_access.some-client.roles
com.c4-soft.springaddons.security.cors[0].path=/some-api
If you can absolutely control that all interactions to your microservice will always be routed through API Gateway and if Gatway is the sole entity responsible for validation and verification of the JWT token,
you can simply disable Oauth2 resource server configuration in your
microservice app's security config and instead accept the verified JWT via an
HTTP header.
Possibly a custom security filter plugged into the security filter chain can then take the responsibilty of building an Authentication Token with it's authorities (GrantedAuthority) mapped to user groups in JWT.
The authentication token can also be customized to include all the other relevant information extracted from JWT that your service will need to make any further authorization decisions.
Currently, I am Using Spring Security with LDAP authentication. But I want to Create one Rest API which will do LDAP authentication and will then I will generate JWT token so for upcoming request I can valid JWT tokens.
Any suggestions to achieve this ?
I've been at this for about a week now.
I have a use case where I recieve an auth token through the body instead of the header, and because of that Keycloak and Spring don't automatically set the user. (The reason being, with websockets, I can only send the auth token through the body with the initial connection)
I've tried intercepting the call before keycloak and copying the token from the body to the header, but that did not work.
So now I would like to manually authenticate through keycloak (or just manually set the principal user). I have access to the JWT Access Token, but from here I'm not sure how to authenticate with keycloak.
Anyone have any input?
Since there are two Keycloak pieces that could be in play here, I'll start with a clarification:
Keycloak - This is the authorization server that a client will use to obtain a JWT
Keycloak Adapter - This is the thing that configures a Resource Server to integrate Keycloak with Spring Security
I have a use case where I recieve an auth token through the body instead of the header, and because of that Keycloak and Spring don't automatically set the user.
Spring Security 5.1 ships with built-in support for JWT-based access tokens, so you may not need to use the Keycloak Adapter for what you are wanting to do.
When using Spring Security's built-in support, you can configure the DefaultBearerTokenResolver to look in the body:
#Bean
public BearerTokenResolver bearerTokenResolver() {
DefaultBearerTokenResolver resolver =
new DefaultBearerTokenResolver();
resolver.setAllowFormEncodedBodyParameter(true);
return resolver;
}
I am new to spring boot and trying to implement oauth2 client with facebook as oauth2 provider.
I already have a traditional JWT token authentication in place which is configured with in #EnableWebSecurity with default authentication manager and custome JWT token generator.
is it really required to configure AuthorizationServer and
ResourceServer in above scenario?
if not then why my code always returns me only Code and state from facebook to call back URL.
Please have a look into the code here
Oauth2 = Authorization delegation protocol NOT an authentication one.
If you want to use FaceBook and Google as identity provider then you must go with an identity federation protocol, ie OpenId Connect (OIDC).
This last add an authentication layer (using JWT id token) above oauth2 authorization layer.
Regarding more specifically your question (which is not very clear) about the spring security configuration part , it seems that the current oauth2 server implementation (AuthorizationServer and ResourceServer you're talking about are part of it) is not suitable as it is to implement an OIDC identity provider)
Regarding the code and state returned to the callback URL, it's part of the oauth2 authorization code flow and it's perfectly normal, you then have to exchange the retrieved code against an access token using the authorization server token endpoint.
(state is just here to allow to transmit an information for example a tenant id, across the oauth2 whole flow).
Here is really well written oauth2 vulgarization article.
In Spring Security OAuth, can it consume/work with JWT tokens that were generated from a user authenticating with Keycloak? Keycloak's open-id far as that goes, but it all seems to be really similar. I'm still trying to understand the dividing line and also what's similar or same with this.
Basically I'd like to authenticate separately in a REST client then use the token in the Authorization header for REST calls to some web services. There seems to be some JWT stuff in in the Spring Security OAuth, so I'm wondering I can actually use that instead of the Keycloak Spring stuff? Are there any examples of this out there? (I'd love to use the Spring security checks on different methods in my controller)
You can use the Keycloak Spring adapter and still rely on Spring Security annotations for controller security. The main purpose of the Keycloak Spring adapter is simplify the integration with Keycloak for interactive login and also to correctly map JWT access token claims into the Spring Security authentication context.
Reading through the Spring Security OAuth2 documentation, I get the impression that it's not quite ready out of the box to handle OpenID Connect JWT access tokens. However, it's customizable so it could most likely be made to work.
My advice for now is to stick with the Keycloak Spring adapter if you're using Keycloak as your OIDC server. It will save you time and it's well tested with Keycloak.