Spring Security - OAuth2 - OpenIDConnect and JWT Request parameter - spring

Good morning, do you know if Spring currently supports OpenIDConnect in the cases where Authentication Request needs to provide the JWT "request" parameter and "code_challenge"? Please see the openIDConnect specs for the sample provided at section 6.1.1: http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.6
I found this great sample that helped me to take off but still need to work on getting those additional parameters added: http://www.baeldung.com/spring-security-openid-connect
Please see this pull request for details: https://github.com/eugenp/tutorials/issues/2279
Thank you!

To support request request parameter, an authorization server / OpenID provider implementation must be able to manage the following client metadata (OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata).
jwks
jwks_uri
request_object_signing_alg
request_object_encryption_alg
request_object_encryption_enc
To support code_challenge request parameter, the database table that manages authorization codes must have columns for the following data.
code_challenge
code_challenge_method
APIs of Spring Security OAuth such as ClientDetails and definitions of database tables don't have properties / columns for these data.
As for database tables, "OAuth 2 Developers Guide" of Spring Security OAuth is saying as follows:
NOTE: the schema for the JDBC service is not packaged with the library (because there are too many variations you might like to use in practice), but there is an example you can start from in the test code in github.
The "test code in github" implies that Spring Security OAuth does not support request and code_challenge.
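An added example (not part of the answer above and not Spring Security OAuth code): a minimal token-endpoint check for the two extra columns the answer lists, following RFC 7636. The AuthorizationCode record, its field names and the PkceCheck class are hypothetical; it needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class PkceCheck {
    // Hypothetical row of the authorization-code table with the two extra columns.
    record AuthorizationCode(String code, String codeChallenge, String codeChallengeMethod) {}

    // RFC 7636 section 4.1: 43-128 characters from the unreserved set.
    static boolean validVerifier(String v) {
        return v != null && v.matches("[A-Za-z0-9\\-._~]{43,128}");
    }

    // BASE64URL(SHA-256(ASCII(code_verifier))), without padding.
    static String s256(String verifier) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // Token-endpoint check: compare the presented code_verifier with the stored challenge.
    static boolean verify(AuthorizationCode row, String codeVerifier)
            throws NoSuchAlgorithmException {
        if (row.codeChallenge() == null) {
            return codeVerifier == null; // policy chosen for this example: no PKCE on either side
        }
        if (!validVerifier(codeVerifier)) {
            return false;
        }
        String method = row.codeChallengeMethod() == null ? "plain" : row.codeChallengeMethod();
        String expected = switch (method) {
            case "S256" -> s256(codeVerifier);
            case "plain" -> codeVerifier;
            default -> null; // unknown method: reject
        };
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                row.codeChallenge().getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Verifier/challenge pair from RFC 7636 Appendix B; the code value is constructed.
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        AuthorizationCode row = new AuthorizationCode(
                "sample-code", "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", "S256");
        System.out.println("matching verifier: " + verify(row, verifier));
        System.out.println("tampered verifier: " + verify(row, verifier.replace('d', 'e')));
    }
}
```

The challenge and method have to be stored with the code at the authorization endpoint, because the verifier only arrives later at the token endpoint; that is why the answer asks for both columns.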

Related

Pass audience to authorization server when using Swagger generated by springdoc-openapi-ui with Spring Boot

I have noticed that when authenticating with my auto-generated Swagger UI client, I do not have access to custom Auth0 permissions—and, in fact, the access token being used to make authenticated requests to my resource server is actually "opaque" (not a valid JWT).
I am using Auth0 as my authorization server abstraction. According to Auth0's docs, one must always pass audience in the POST request body when generating a JWT via the client credentials flow.
Going through the flow by making the various API calls manually, I can generate the JWT correctly. The issue lies in there not being an obvious way to pass the audience to Auth0 when using the auto-generated Swagger UI client—any ideas?
Library versions:
Spring Boot starters (e.g., rest, jpa, web)
org.springdoc:springdoc-openapi-ui 1.3.9
org.springdoc:springdoc-openapi-data-rest 1.4.0
Update
I have realised that it is possible to provide a default audience for an entire Auth0 tenant, so I set this to be the same audience for my lone API. I am also able to obtain a valid token with scopes included on behalf of the Swagger UI application if I specify the grant type as client credentials (normally reserved for machine-to-machine auth). However, I can see from the Auth0 logs that the flow being used by the Swagger UI client is authorization code.

Authorization Server Endpoints

As we know, the Spring Security OAuth 2.0 project has been deprecated and now it's Spring Security 5.
My question is related to the Authorisation Server for grant_type: authorization_code. The Spring team is also working on a standalone project for the Authorization Server. So most of the codebase in the Spring Security project is deprecated for the Authorization Server.
Still, I have a couple of questions about endpoints with the authorization_code flow in Spring Security 2.0/5.
OAuth 2.0:
Can you please let me know, which endpoints are supported for below use cases in Authorization Flow:
Login Button: ask the customised authorization url from Authorization Server.
User logged-in: once end-user logged-in (authenticate), need to authorise with registered client application and provide the code in the callback URI.
Request For Access Token: once the code has been received in previous step, it should use the code to get the access token.
Please let me know which endpoints are meant to be used in Spring Security OAuth 2.0/5 for above use cases. Based on my research, I've found these endpoints:
/oauth/token: get the access token
/oauth/token_key: produces JWT encoded token values
/oauth/check_token: validate the access token
Can you please let me know which endpoint is dedicated to authorisation before the end-user authenticates in use case #1, and after end-user authentication in use case #2?
Any help would be appreciated.
Many Thanks,
Adnan

OAuth2 + JWT and Spring Boot

I want to implement in backend rest safely in oauth2 + jwt.
I want to implement the following authentication flow in spring boot, but I am not sure how to do it:
1. The user is authenticated.
2. That request is received and with that login and password a ws that validates the credentials is attacked.
3. If it is correct, a series of data and permissions are searched in the database
4. If it is correct, access is granted and the jwt token is generated
I'm lost with this and as much as I read I can't know how I can do it.
Any manual or post I can follow?
Are you running your own (a custom) Auth server or is the plan to allow users to authenticate via a provider such as Google, Facebook etc? If it's the latter, then you cannot expect to receive user / password credentials at all so you might have misunderstood the OAuth flow. You will typically receive an 'Authorization code' from the provider (e.g. Google).
Also, what do you mean by "a ws that validates the credentials is attacked"?
This Google use-case diagram depicts a common flow. It's part of this guide.
Either way, Spring Boot does not itself deal with OAuth / security, but it has a tight integration with Spring Security which is a good security framework to use, especially as you're already using Spring. Spring Security can handle OAuth, JWT etc.
A couple of guides that may help to get you started:
https://www.baeldung.com/spring-security-oauth-jwt
https://spring.io/guides/tutorials/spring-boot-oauth2/

Spring Security against Azure OIDC OAuth2 Flow

The real question, I could have asked, why am I only getting an id_token in my response to the authorization endpoint? And, probably best created in an azure stackoverflow space.
For context, the original question was more about customization strategy. Which, further research determined was not necessary.
I've been reading through the OAuth2/OIDC features of the Spring Security Reference Guide - 5.7 OAuth 2.0 Login, 31. OAuth 2.0 Login — Advanced Configuration, and the github OAuth2 Login Samples trying to figure out how to extend or create a custom implementation for Microsofts Azure OIDC API - Authorize access to web applications using OpenID Connect and Azure Active Directory.
These are observations. And generally, what I’ve seen based on my experiment and what I believe to be true based on the spring security behavior and the Microsoft Understanding OpenID Connect Protocol guide documentation.
Azure’s sign in request against the /authorization endpoint has 3 additional nuances to their sign-in request that are currently not supported in the Spring Security 5 code base.
“response_type” – The Microsoft OIDC API allows id_token or id_token+code … Spring Security supports “code” or “token” OOTB. (id_token gets you the id_token, id_token+code will get you id_token and code. The code you can exchange for an access token.)
“response_mode” – The Microsoft OIDC API recommends use of response_mode=form_post … This is not supported OOTB Spring Security.
“nonce” – The Microsoft OIDC API recommends use of nonce=[unique_value] … This is not supported OOTB Spring Security.
I've created a fork to see what enhancements would be needed to support the above. I believe they would be.
spring-security-oauth2-core
OAuth2AuthorizationResponseType - to include additional types.
OAuth2AuthorizationRequest - to include support for nonce and responseMode
oauth2-client
OAuth2AuthorizationRequestRedirectFilter
OAuth2AuthorizationRequestUriBuilder
And a mechanism to auto configure the appropriate options.
The changes to support these parameters at first glance appear to be trivial. However, the classes in spring security are final and thus the extension is much bigger.
Anyone have any advice on a customization strategy? What would be the recommended approach to creating a customized configuration to support the nuances without replicating the code base?
With juunas clue ... I realized my issues were related to the fact I had not created api scope when I registered my application in the azure b2c blade. Thus, the issue was not the spring security configuration. But, a result of the missing scope.
Incidentally, the Get Access Token section in Microsoft Understanding OpenID Connect Protocol guide states, "... By including permission scopes in the request and using response_type=code+id_token, the authorize endpoint ensures that the user has consented to the permissions indicated in the scope query parameter, and return your app an authorization code to exchange for an access token."
Per juunas, this happens when response_type=code as well.

Real Time examples for Oauth2 Grant Types and Good document, example for Oauth2 with Spring MVC

I read about OAuth2 a few days ago. It has entities like Client, Resource Owner, Resource Server, Authorization Server, and I understood the explanations too. But I don't understand the grant types completely, and I am still confused about the following types. OAuth2 has 4 different grant types:
Authorization code
Implicit
Resource Owner Password Credentials
Client Credentials
Please give me some real time examples for the above types to differentiate the implementation. I need to know what types of grant implementation Spring Security OAuth2 has, and the full flow for Spring OAuth2 with security.
I have gone through some examples implemented with OAuth2 with Spring MVC and Spring Security, but it's confusing me; I don't get a clear picture of the API implementation.
I'm looking for a good OAuth2 flow and document with Spring MVC and Spring Security. Please help me.
In terms of understanding the flows and the differences between them, this presentation is the best resource I found online. After this, if you read the OAuth2 spec description, it'll be much easier to follow.
Unfortunately, in terms of code samples, there isn't good Spring Security OAuth2 sample code out there (the Sparklr and Tonr examples are okay but not super clear). Best resource there is to look at unit tests in Spring Security OAuth2 code on github.
One question I want to ask is - are you looking to create your own OAuth2 Provider or do you just want to connect to Facebook, Google, etc as OAuth2 client. If it's the second part, I would suggest skipping Spring Security OAuth2 and instead look at Spring Social project.
Edit:
For creating an OAuth2 Provider, check out this code by Dave Syer (he is the lead of Spring Security OAuth project). It shows how you can create an OAuth2 Provider and Resource Server in 20 lines of code. This is the easiest way to create Spring Security OAuth code.
https://github.com/dsyer/sparklr-boot
It uses Spring Boot and Spring Security OAuth projects. Of course, you'll have to understand Spring Security, JavaConfig configuration and the OAuth2 protocol properly to understand how all of this works.
Authorization Code is redirection based flow, in most application when we login via Facebook or google we use this grant type.
Implicit is used mostly in mobile or single page application, Client confidentiality is not guaranteed here. This also has a redirect flow similar to Authorization Code. This does not support refresh token.
Password Grant Type is used when client application and resource owner belong to same application, this is going to be the case when your application is end to end working. Here we are sharing username and password, unlike the above two where we authenticate via Facebook or Google.
Client Credentials: it's a way to access its own service, like one microservice accessing another microservice.
I also got into OAuth2 using spring last month.
I've read most of the OAuth2 spec and used the samples from the spring-security source, which are wonderful. That way I got a running application which I could use to play with and view its sources next to the specs.
