I'm working on a service that will accept an OAuth2 Bearer token and validate the token then relay that token to other backend services.
I can pull the token from the request and pass it along, but is there anything already in Spring's OAuth2 support for retrieving a token from the request and passing it along?
Or should I create a custom OAuth2ProtectedResourceDetails and OAuth2ClientContext to handle this?
Related
I have followed below URL to configure SAML SSO to the existing spring boot application, which already have User name - password authentication and JWT authorization for APIs.
https://github.com/pateluday07/saml-sso-and-slo-demo-idp-azure-sp-springboot
Also in onSSOSuccessHandler() I have generated custom JWT token and returned to the Angular front end as cookie. The JWT token expiry set for 1 Hour. The spring boot application is configured with stateless session policy.
On JWT token expiry how we can refresh the token by validating the SSO session? Do we have to call /saml/login endpoint on token expiry?
I have 2 secured resource microservices and 1 authentication service and another API Gateway.
Authentication service can generate JWT Token given username and password. It also can validate a JWT token.
So, I want to implement security at the API Gateway only such that on receiving a request, it will first fetch a bearer token from the authentication service and forward the request to the secured resource service. I would like to get some idea how to implement that in API Gateway. Should I make it just in an aggregate fashion, like it would be a sync call which will first make a request to auth service and next forward the request to resource service?
Now, if I want to add the support of OAuth as well, which I know the spring cloud API Gateway already has the support for this via global filters.
But, I am wondering about the legacy bearer token which is generated by the custom authentication service.. How do I ensure this?
Any suggestion would be appreciated.
Thanks in advance!
I would like to write OAuth2 access token to a cookie instead of writing to response. Since my OAuth request uses /oauth/token endpoint defined in TokenEndpoint.java of Spring Security OAuth2 module, the token is always written to response.
How can I remove this token from response and set to cookie? Should I implement my own TokenEndpoint?
We have implemented an SPA (Angular 5 with angular-auth-oidc) which requests an id_token and an access_token to from an OpenID Connect provider (for the moment we are testing with google), and then sends the id_token to the back-end (a REST API using Spring Boot 5)
My questions are:
what is the approach to send the access_token instead of the id_token ?
Once I am able to validate the access_token, how can I request another access_token and refresh_token ?
Does Spring Security provides a store (in memory) to keep temporarily the access_token and the refresh_token ?
I used the #EnableResourceServer to validate the id_token (jwt) and it works, but when I send the access_token (not a jwt), I get an exception, such as : Invalid characters (CR/LF) in header WWW-Authenticate.
on spring boot 1.4, using #EnableOAuth2Sso for sso client and a kong third party authorization server, i'm able to receive the authorization code but unable to retrieve the access token.
the authorization code is part of the redirect url after which is there any configuration or a process for retrieving the access token?
Once you get the Authz code, you need to make a server side call(so that access token flow doesn't go through end user browser) to Authz Server for access_token, Look at this section of OAuth 2.0 Spec.