We have a WebAPI that needs to service different client apps, each one using different authentication mechanisms. One web app client will authenticate using SAML and then pass a SAML based token to the WebAPI. Another one will be using an OpenID Connect token for authentication.
We need to be able to digest both types of tokens in our WebAPI, validate them and authenticate them. Could anyone shed some light on how this could possibly be achieved? Any advice would be much appreciated.
What IDP are you using?
Some IDP e.g. ADFS can be configured to pass JWT tokens on a SAML connection.
SAML wasn't really meant for web API. You could e.g. authenticate using SAML / OIDC and then use the client credential flow to the web API which simply relies on a secret key. That would not have user context though.
Related
I need to implement SAML 2.0 sso authentication to our existing Web API. I am fairly new to the topic so i am not sure where to start. i have been playing around with the dev ADFS server (ADFS 4 - Windows server 2016) and been following tutorials on how to setup Relying Trust Party.I have gotten the gist on how SAML works but still lost on how to implement this one via code in my webapi. I want to know how to begin implementing the SAML 2 auth to connect to the ADFS server, the web app is deployed on a different iis server. I have read https://github.com/Sustainsys/Saml2/tree/master but i am not getting how my web api would connect to the ADFS server to retrieve a SAML token and process it.
The problem you have is that the SAML spec. does not cater for API (either webapi or REST API). It's purely a browser SSO redirect protocol.
In ADFS, API are configured by the Application wizard but that's OpenID Connect with a JWT not an XML token.
Update
If your webapi is a REST API then use OIDC with a JWT.
Just FYI: ADFS also supports WS-Fed. WS-Fed does have an API profile (called the active profile) which is essentially WCF.
As we know the Spring Security OAuth 2.0 project has bee depreciated and now it's Spring Security 5.
My question is related with Authorisation Server for grant_type: authorization_code. Spring team is also working on standalone project for Authorization Server. So most of the codebase in Spring Security project is depreciated for Authorization Server.
Still, I've couple of questions for endpoints with authorization_code flow in Spring Security 2.0/5.
OAuth 2.0:
Can you please let me know, which endpoints are supported for below use cases in Authorization Flow:
Login Button: ask the customised authorization url from Authorization Server.
User logged-in: once end-user logged-in (authenticate), need to authorise with registered client application and provide the code in the callback URI.
Request For Access Token: once the code has been received in previous step, it should use the code to get the access token.
Please let me know which endpoints are meant to be used in Spring Security OAuth 2.0/5 for above use cases. Based on my research, I've found these endpoints:
/oauth/token: get the access token
/oauth/token_key: produces JWT encoded token values
/oauth/check_token: validate the access token
Can you please let me know which endpoint dedicated for authorisation before end-user authenticate in use case #1. And after end-user authentication in use case #2.
Any help would be appreciated.
Many Thanks,
Adnan
I have two Spring applicatons and I need to authenticate first application in another apllication. Its server-to-server communication and authentication. Is OAuth suitable for this or there is another way to rosolve it?
Yes, OAuth 2.0 is suitable for authenticating other applications (clients) with its Authorization Server.
OAuth 2.0 Client Credentials grant type does that. For more information Check out these links: https://www.rfc-editor.org/rfc/rfc6749#section-4.4 and https://oauth.net/2/grant-types/client-credentials/
Spring provides an API (OAuth2RestTemplate) to automate client authentication process.
I am new to spring boot and trying to implement oauth2 client with facebook as oauth2 provider.
I already have a traditional JWT token authentication in place which is configured with in #EnableWebSecurity with default authentication manager and custome JWT token generator.
is it really required to configure AuthorizationServer and
ResourceServer in above scenario?
if not then why my code always returns me only Code and state from facebook to call back URL.
Please have a look into the code here
Oauth2 = Authorization delegation protocol NOT an authentication one.
If you want to use FaceBook and Google as identity provider then you must go with an identity federation protocol, ie OpenId Connect (OIDC).
This last add an authentication layer (using JWT id token) above oauth2 authorization layer.
Regarding more specifically your question (which is not very clear) about the spring security configuration part , it seems that the current oauth2 server implementation (AuthorizationServer and ResourceServer you're talking about are part of it) is not suitable as it is to implement an OIDC identity provider)
Regarding the code and state returned to the callback URL, it's part of the oauth2 authorization code flow and it's perfectly normal, you then have to exchange the retrieved code against an access token using the authorization server token endpoint.
(state is just here to allow to transmit an information for example a tenant id, across the oauth2 whole flow).
Here is really well written oauth2 vulgarization article.
I need to create a SpringBoot RESTful API to be consumed either by a web project or a mobile app.
My question is how to secure it without the typically basic authorization that returns you a "jsessionid" to the web browser and mantains the session with it. It's not a problem for the web project, because it could store that jsessionid. But how about to secure the mobile app request to the API?
Sorry for my english. Thanks.
One of the architectural constraints of REST is that it must be stateless.
Your REST API must not have sessions that authenticate the client. Instead, the client should pass some sort of token, commonly placed in the Authentication HTTP Header.
JWT and OAuth 2.0 are both very popular ways of doing this, and you can absolutely use HTTP Basic Authentication with OAuth 2.0 if you wish.
Here's an article called Stateless Authenticaiton with Spring Security and JWT. Hopefully that will help!
You can use basic authentication. It work sending username and password on each request but don't need save the sessionid in the client.
Here are a sample application with basic authentication:
http://www.baeldung.com/spring-security-basic-authentication
If you don't save anything in the server session you don't need save the jsessionid in the client.