Spring where is the default /login Endpoint? - spring

I need to know what happens when a POST request is sent to the /login endpoint of a Spring application.
For other endpoints like /oauth/authorize there are "DefaultEndpoint" classes, but I can't seem to find one for /login.
Does anyone have suggestions?

No. In OAuth 2.0 you need to obtain the endpoints from the Authorization Server provider.
OpenID Connect provides discovery.
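For the plain form-login case the question asks about (as distinct from the OAuth endpoints the answer covers), the reason there is no "DefaultEndpoint" class is that POST /login is not served by a controller at all: formLogin() registers UsernamePasswordAuthenticationFilter, which intercepts POST requests to its login-processing URL (/login by default), reads the username and password parameters, hands a UsernamePasswordAuthenticationToken to the AuthenticationManager, and on success stores the result in the SecurityContext and redirects. The configuration below is an added example, not code from the question or answer; it assumes Spring Security 6 (lambda DSL, requestMatchers) and a constructed in-memory user named "demo".

```java
// Added example: minimal Spring Security config that makes the implicit
// POST /login handling explicit. Assumes Spring Security 6.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class LoginConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                // This is the URL UsernamePasswordAuthenticationFilter listens on
                // for POST. Spelling it out shows where "/login" is actually handled.
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/", false)
                .failureUrl("/login?error"));
        // CSRF protection is left enabled on purpose: the POST to /login must carry
        // the CSRF token that the generated login page includes as a hidden field.
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder stores a {bcrypt} prefix, so the hash format is explicit.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed demo user for the example only; real deployments load users
        // from a store and never hard-code credentials.
        return new InMemoryUserDetailsManager(
            User.withUsername("demo")
                .password(encoder.encode("demo-password"))
                .roles("USER")
                .build());
    }
}
```

With this in place, a POST to /login whose credentials check out ends in a 302 to "/" and a session bound to the authenticated user; a failed attempt is a 302 to /login?error. A POST without the CSRF token is rejected with 403 before the filter ever looks at the credentials, which is the behaviour to keep when debugging "my POST to /login does nothing".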

Related

How do I implement the basic authentication in Spring Cloud API Gateway?

I have 2 secured resource microservices, 1 authentication service, and an API Gateway.
The authentication service can generate a JWT token given a username and password. It can also validate a JWT token.
So, I want to implement security at the API Gateway only, such that on receiving a request it will first fetch a bearer token from the authentication service and then forward the request to the secured resource service. I would like to get some idea of how to implement that in the API Gateway. Should I make it just in an aggregate fashion, like a sync call which will first make a request to the auth service and then forward the request to the resource service?
Now, if I want to add support for OAuth as well, I know the Spring Cloud API Gateway already has support for this via global filters.
But I am wondering about the legacy bearer token which is generated by the custom authentication service. How do I ensure this?
Any suggestion would be appreciated.
Thanks in advance!
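One way to enforce the custom bearer token at the edge is a Spring Cloud Gateway GlobalFilter that checks the incoming token against the authentication service before forwarding, so the resource services never see an unvalidated request. The code below is an added example, not something from the question; the auth service base URL (http://auth-service:8080), its GET /validate endpoint and its contract (2xx means valid, anything else means invalid) are assumptions made for illustration.

```java
// Added example: Spring Cloud Gateway GlobalFilter that validates a bearer token
// with an external authentication service before forwarding the request.
// The validation URL and the auth service's response contract are assumed.
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class BearerTokenGatewayFilter implements GlobalFilter, Ordered {

    private static final String BEARER_PREFIX = "Bearer ";

    // Assumed contract: GET /validate on the auth service answers 2xx for a valid
    // token and a 4xx status otherwise.
    private final WebClient authClient = WebClient.create("http://auth-service:8080");

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            return reject(exchange);
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        if (token.isEmpty()) {
            return reject(exchange);
        }
        // Sequential but non-blocking: the auth service call completes before
        // chain.filter() forwards the request to the resource service.
        return authClient.get()
            .uri("/validate")
            .header(HttpHeaders.AUTHORIZATION, BEARER_PREFIX + token)
            .retrieve()
            .toBodilessEntity()
            .flatMap(ignored -> chain.filter(exchange))
            // A 4xx/5xx from the auth service surfaces as WebClientResponseException;
            // the token is treated as invalid and the request never leaves the gateway.
            .onErrorResume(WebClientResponseException.class, e -> reject(exchange));
    }

    private Mono<Void> reject(ServerWebExchange exchange) {
        exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
        exchange.getResponse().getHeaders().set(HttpHeaders.WWW_AUTHENTICATE, "Bearer");
        return exchange.getResponse().setComplete();
    }

    @Override
    public int getOrder() {
        // Run before routing filters so nothing is forwarded without a valid token.
        return Ordered.HIGHEST_PRECEDENCE;
    }
}
```

Two points worth checking in a real deployment: the filter fails closed (a connection failure to the auth service is not caught and becomes a 5xx rather than a pass-through), and the original Authorization header is forwarded unchanged, so the resource services can still verify the token themselves rather than trusting the gateway alone. If the gateway later also terminates OAuth 2.0 tokens, this filter should be scoped to the routes that carry the legacy token instead of running globally.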

OAuth2 Login Spring Security use HTTP Post for Authorization Endpoint Request

I've been creating an OAuth2 Login application with Spring Security and have been making good progress. The Identity Provider I am working with requires that their /authorization endpoint be triggered with an HTTP POST.
I've been doing some testing and it seems that Spring Security triggers the /authorization endpoint by a GET request.
From looking at the OAuth RFC documentation, I see the following (https://www.rfc-editor.org/rfc/rfc6749#section-3.1):
"The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well."
So before I implement anything custom to trigger a POST request to the authorization server I am integrating with, I was just curious if anyone knew of a way to get Spring Security to trigger a POST for /authorization instead of a GET.
Curious if I'm missing where that functionality is supported, if at all.
Thanks for your time.
You can use Spring Security and oauth2server to configure your login model and log in through this interface:
POST:
http://your_ip:port/auth/oauth/token?grant_type=password&username=username&password=password&client_id=yourclientid&client_secret=yoursecret

Authorization Server Endpoints

As we know, the Spring Security OAuth 2.0 project has been deprecated and now it's Spring Security 5.
My question is related to the Authorisation Server for grant_type: authorization_code. The Spring team is also working on a standalone project for the Authorization Server. So most of the codebase in the Spring Security project is deprecated for the Authorization Server.
Still, I've a couple of questions about endpoints for the authorization_code flow in Spring Security OAuth 2.0/5.
OAuth 2.0:
Can you please let me know which endpoints are supported for the use cases below in the Authorization Flow:
1. Login Button: ask for the customised authorization URL from the Authorization Server.
2. User logged in: once the end-user has logged in (authenticated), authorise with the registered client application and provide the code in the callback URI.
3. Request For Access Token: once the code has been received in the previous step, use the code to get the access token.
Please let me know which endpoints are meant to be used in Spring Security OAuth 2.0/5 for the above use cases. Based on my research, I've found these endpoints:
/oauth/token: get the access token
/oauth/token_key: produces JWT encoded token values
/oauth/check_token: validate the access token
Can you please let me know which endpoint is dedicated to authorisation before the end-user authenticates in use case #1, and after end-user authentication in use case #2.
Any help would be appreciated.
Many Thanks,
Adnan

Keycloak authentication flow in a microservices based environment

I want to use Keycloak in a microservices-based environment, where authentication is based on OpenID endpoint REST calls ("/token", no redirection to the Keycloak login page). A flow that I thought of would be something like this:
1. The front-end SPA retrieves the tokens from the "/token" endpoint and stores them in the browser's localStorage, then sends them with every request.
2. Gateway-level authentication: the Access Token is passed from the front end to the gateway; the gateway consults the Keycloak server to check if the token is still valid (not invalidated by a logout endpoint call).
3. Microservice-based authorization: the Access Token is passed from the Gateway to the microservices; using the Spring Boot adapter, the microservices check the signature of the token offline (bearer-only client?) and then do the authorization based on the role in the token.
My questions are: Does this flow make sense, or can you suggest another flow? What type of Keycloak clients should I use? What's an ideal way to pass tokens using the Spring Boot Adapter, and should it be done like that in the first place? Please keep in mind that I am not a Keycloak expert; I've done my research but I still have doubts.
Your front-end SPA should be a public client, the Spring Boot microservice should be a bearer-only client, and the Gateway could be a confidential client.
You can check the Keycloak-provided OIDC adapters. For Spring Boot, use the Keycloak-provided adapter.
A similar solution using an API gateway is discussed here.
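Step 3 of the flow (offline signature check, then role-based authorization) can be done in a Spring Boot microservice with Spring Security's resource-server support, which is what the Keycloak team now recommends over the deprecated Spring Boot adapter. The configuration below is an added example and not from the question or answer; the issuer URL https://keycloak.example.com/realms/demo is a placeholder, and the mapping of Keycloak's realm_access.roles claim to ROLE_* authorities is the part the paragraph describes but does not show.

```java
// Added example: Spring Boot microservice validating Keycloak access tokens offline
// (JWKS fetched once from the issuer's discovery document, then cached) and mapping
// realm roles to authorities. The issuer URL is a placeholder.
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    // Placeholder issuer. fromIssuerLocation() reads .well-known/openid-configuration
    // to find the JWKS URI and also installs an issuer ("iss") validator.
    private static final String ISSUER = "https://keycloak.example.com/realms/demo";

    @Bean
    JwtDecoder jwtDecoder() {
        // Verifies the RS256 signature against the cached realm keys and checks
        // exp/nbf and iss. No per-request call to Keycloak: this is the
        // "bearer-only" behaviour the question describes.
        return JwtDecoders.fromIssuerLocation(ISSUER);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder decoder) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakRealmRoleConverter());
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("admin") matches the authority "ROLE_admin" produced below.
                .requestMatchers("/admin/**").hasRole("admin")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.decoder(decoder).jwtAuthenticationConverter(converter)));
        return http.build();
    }

    /** Maps Keycloak's realm_access.roles claim to ROLE_* authorities. */
    static class KeycloakRealmRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
        @Override
        public Collection<GrantedAuthority> convert(Jwt jwt) {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            // Tokens without realm roles (e.g. service accounts) get no authorities
            // rather than failing; authorization rules then deny them as intended.
            if (realmAccess == null || !(realmAccess.get("roles") instanceof List<?> roles)) {
                return List.of();
            }
            return roles.stream()
                .map(String::valueOf)
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
        }
    }
}
```

Two caveats that follow from the question's own step 2: offline validation cannot see that a token was revoked by a logout call, so if that matters the gateway (or the service) needs token introspection against Keycloak, and short access-token lifetimes limit the window either way. Also, this decoder does not check the audience claim by default; add an audience validator if the same realm issues tokens for several services.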

implementation of spring oauth 2

I have to implement an OAuth 2.0 server application. I know how OAuth 2.0 works, but when I googled how to implement it, everywhere I get Spring Boot with OAuth 2.0, and my requirement is that I should give two URLs to the client:
one to get the access_code and a second REST call to get the access_token. Is there a way I can get this from Spring Boot or Spring Security, with in-memory storage for tokens?
I tried using the Spring Boot OAuth examples but none of them give separate URLs for access_code and access_token.
I think you mean you are delivering the API part:
* Client authenticates against an OAuth endpoint and gets an access token
* Client calls the API with an access token
* API must validate the access token
Typically you'll code the API - and use an out-of-the-box Authorization Server for the OAuth endpoint.
To answer your question properly it would help to know what type of client (partner back end / UI etc.).
There will be a bunch of messages between client, API and Authorization Server - this post may give you some ideas:
https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
I may be able to help you with the Spring Boot stuff once I understand your scenario better.