I'm using Spring Boot with web and security starter dependencies, and spring-security-oauth2. I'm trying to secure a REST API with a remote (Openstack Keystone) OAuth2 provider.
So far I've managed to correctly fetch an access_token but when it comes to getting the user information I get a 404 not found, as it seems that the OS provider expects the access_token to be provided in the request parameters.
I can't figure out how to persuade the OAuth2RestTemplate class to append the access_token to the security.oauth2.client.resource.user-info-uri endpoint.
Figured out that setting security.oauth2.client.client-authentication-scheme to query will make the RestTemplate append the access_token to the subsequent requests for user information.
I'm developing an app.
Front/bff/api.
I'm using an open id provider that allows checking a token remotely.
The bff intercepts the front requests and sends them to the API with the jwt token in the header.
The api should ask the open id provider if the token is correct (but remotely, not using the offline mode with the public key).
The api is a spring boot 3.0.1 project.
How to configure security in spring boot 3.0.1 to do that check?
Thank you in advance.
You do that with access-token introspection. In spring-security conf, that means using opaqueToken() instead of jwt() (the first configures a resource-server with introspection and the second with a JWT decoder).
Be aware that token introspection is far less efficient than using a JWT decoder as a request is sent to the authorization-server for each and every request to a resource-server. Tutorial there.
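The opaqueToken() configuration the answer refers to, written out as an added example (this is not code from the answer or from any Spring project; it assumes Spring Boot 3.0.x with spring-boot-starter-oauth2-resource-server on the classpath, and the app.oidc.* property names are hypothetical placeholders for your OpenID provider's introspection endpoint and the API's own client credentials):

```java
// Added example, not code from the answer above: a Spring Boot 3.0.x / Spring Security 6
// resource server that validates every bearer token by remote introspection (RFC 7662)
// with opaqueToken(), instead of decoding it locally with jwt().
// Assumes spring-boot-starter-oauth2-resource-server on the classpath; the three
// app.oidc.* property names are hypothetical and must point at your OpenID provider.
package com.example.api.security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class IntrospectionSecurityConfig {

    // Hypothetical property names: the provider's introspection endpoint and the
    // client credentials this API uses to authenticate itself to that endpoint.
    @Value("${app.oidc.introspection-uri}")
    private String introspectionUri;

    @Value("${app.oidc.client-id}")
    private String clientId;

    @Value("${app.oidc.client-secret}")
    private String clientSecret;

    /**
     * Posts each bearer token to the introspection endpoint. The provider answers
     * with the token's state and claims; inactive tokens (expired, revoked, unknown)
     * are rejected with 401 before any controller runs.
     */
    @Bean
    OpaqueTokenIntrospector opaqueTokenIntrospector() {
        return new SpringOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
    }

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http, OpaqueTokenIntrospector introspector)
            throws Exception {
        http
            // A pure API called by a BFF has no browser session: stay stateless and
            // drop CSRF protection, which only matters for cookie-authenticated requests.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            // opaqueToken() = ask the provider on every request;
            // jwt() would instead verify the signature locally with the provider's public key.
            .oauth2ResourceServer(rs -> rs.opaqueToken(opaque -> opaque.introspector(introspector)));
        return http.build();
    }
}
```

Spring Boot can build the same introspector from the standard properties spring.security.oauth2.resourceserver.opaquetoken.introspection-uri, client-id and client-secret, in which case the opaqueTokenIntrospector() bean can be dropped and rs.opaqueToken(Customizer.withDefaults()) used instead. Either way, the cost the answer warns about stays: every request to the API becomes one extra HTTP round trip to the provider, so keep the provider's latency and availability in your capacity planning.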
My application has a frontend built with Angular and a backend built with Spring Boot, and I use OpenAM by ForgeRock as an authentication server. I got the access_token in the frontend and pass this access_token to the backend through Bearer authentication, but now I have to check if the token is valid in the backend by calling the /userInfo endpoint. My question is how to configure Spring Boot to call this endpoint every time I get a request? Thanks
In my case I didn't have any explicit configuration for the access token. You just have to call the endpoints and the tokens will be stored in the header for authentication. Though you can set the timer for it.
I need some understanding of the overall flow of Spring Security.
I have implemented an OAuth2 Authorization Server and a Resource Server in the same Spring Boot app, where I am able to generate JWT tokens. And a sample REST API in this app is secured and accessible only with a token.
I have another Spring Boot app which should be secured. What should I do in this? Also I need to read the token in this service to know the role of the user.
Please clarify how to implement step 2.
You can create a module where your spring security config is implemented.
In this module is the class that is annotated with the @EnableWebSecurity annotation, where you define the open routes. I guess you already have a class like this for your sample REST API, mentioned in step 1.
Now every microservice that has to be secured uses this module by importing it, e.g. as a Maven dependency. By this its API is automatically secured via Spring Security.
Your auth service serves a JWK endpoint where every microservice can verify a token via the public key.
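As an added example of the shared module this answer describes (not code from the answer or from any project; it assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-resource-server, and the app.auth.* property names, the "roles" claim and the "ADMIN" role are hypothetical), here is a configuration class that every microservice can import. It verifies each JWT against the authorization server's JWK Set endpoint, additionally checks the issuer and audience claims so a token minted for another API is rejected, and turns the role claim into Spring authorities so the second service can read the user's role as the question asks:

```java
// Added example, not code from the answer above: a shared security configuration that
// verifies JWTs with the auth server's JWK Set and maps a role claim to authorities.
// Assumes Spring Boot 3 / Spring Security 6 and spring-boot-starter-oauth2-resource-server.
// The app.auth.* properties, the "roles" claim name and the "ADMIN" role are hypothetical.
package com.example.sharedsecurity;

import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SharedResourceServerConfig {

    @Value("${app.auth.jwk-set-uri}")   // hypothetical: the auth service's JWK endpoint
    private String jwkSetUri;

    @Value("${app.auth.issuer}")        // hypothetical: expected "iss" claim
    private String issuer;

    @Value("${app.auth.audience}")      // hypothetical: this service's entry in "aud"
    private String audience;

    /** Verifies the signature with the auth server's public keys, then exp/nbf, iss and aud. */
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer), audienceCheck));
        return decoder;
    }

    /** Turns the "roles" claim into ROLE_* authorities so hasRole() works in every service. */
    @Bean
    Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");
        roles.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, JwtDecoder decoder,
            Converter<Jwt, AbstractAuthenticationToken> converter) throws Exception {
        http
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // the "open routes" the answer mentions
                .requestMatchers("/public/**", "/actuator/health").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt
                .decoder(decoder)
                .jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

A service that adds the module as a dependency still has to pick the class up: either keep it under the application's component-scan base package or reference it explicitly with @Import(SharedResourceServerConfig.class). Inside a controller the role is then available as the authorities of SecurityContextHolder.getContext().getAuthentication(), or through @PreAuthorize("hasRole('ADMIN')") once method security is enabled.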
I am creating a project with a microservices architecture using Spring. I have Zuul for centralized security management, and some other microservices.
To access the current authenticated user, in Zuul I use this line of code:
SecurityContextHolder.getContext().authentication
But to get the user from other microservices, I extract the token (JWT) from the header in each request, and then I extract the user info from the claims, but I find this method a little annoying.
So, is there another, prettier method?
I tried to add the Spring Security dependencies in the other microservices to use:
SecurityContextHolder.getContext().authentication
but every time I execute a request through Zuul, even if the authentication is done there, I get an unauthorized error message, despite having disabled the security autoconfiguration in these microservices.
Any suggestion?
Using SecurityContextHolder.getContext().authentication won't work in other microservices until you set the principal object in the Spring SecurityContext.
I don't know why you are setting the principal in the security context at Zuul and extracting the same there, but yes, authentication and token validation should be done at Zuul and the same JWT should be sent to the backend microservices in a header.
Now in the backend microservices, using Spring Security, extract the required claims from the JWT and put them in the SecurityContextHolder once, so that you can utilize them further for request authorization or method-level authorization too.
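One way to do the "extract the claims once and put them in the SecurityContextHolder" step this answer recommends, as an added example (not code from the answer or from any project; it assumes a Spring Boot 2.x microservice with spring-boot-starter-oauth2-resource-server on the classpath, and the JWK Set URI, the issuer and the "roles" claim are hypothetical). The filter does not take the gateway's word for it: it re-verifies the signature, expiry and issuer locally before any claim is trusted, because a backend service cannot see what Zuul checked and may be reachable without passing through it:

```java
// Added example, not code from the answer above: a once-per-request filter for a
// backend microservice behind Zuul. It reads the JWT the gateway forwards in the
// Authorization header, verifies it with a JwtDecoder, and stores the resulting
// Authentication in the SecurityContextHolder once per request.
// Assumes Spring Boot 2.x (javax.servlet) and spring-boot-starter-oauth2-resource-server;
// the JWK Set URI, issuer and "roles" claim name are hypothetical.
package com.example.service.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

public class JwtClaimsToContextFilter extends OncePerRequestFilter {

    private static final String BEARER = "Bearer ";
    private final JwtDecoder decoder;

    /** jwkSetUri and issuer are hypothetical values supplied by the service's configuration. */
    public JwtClaimsToContextFilter(String jwkSetUri, String issuer) {
        NimbusJwtDecoder d = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        d.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer)); // exp/nbf and iss
        this.decoder = d;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith(BEARER)) {
            try {
                // Verify before trusting any claim: the gateway's check is not visible here.
                Jwt jwt = decoder.decode(header.substring(BEARER.length()));
                SecurityContextHolder.getContext().setAuthentication(toAuthentication(jwt));
            } catch (JwtException e) {
                SecurityContextHolder.clearContext();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** Builds the Authentication from verified claims; "roles" is a hypothetical claim name. */
    static JwtAuthenticationToken toAuthentication(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        List<String> roles = jwt.getClaimAsStringList("roles");
        if (roles != null) {
            for (String role : roles) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
        }
        return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
    }
}

/** Shows the populated context being read back, the way the question wants to use it. */
@RestController
class WhoAmIController {

    @GetMapping("/me")
    public Map<String, Object> me() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("user", auth == null ? null : auth.getName());
        body.put("authorities", auth == null ? null : auth.getAuthorities().toString());
        return body;
    }
}
```

Register the filter in the service's HttpSecurity with addFilterBefore(new JwtClaimsToContextFilter(jwkSetUri, issuer), UsernamePasswordAuthenticationFilter.class) and keep the session policy stateless. If the backend still answers 401 for every request routed through Zuul, check that the gateway actually forwards the header: Spring Cloud Netflix Zuul treats Cookie, Set-Cookie and Authorization as sensitive headers by default and strips them, so Authorization has to be removed from the zuul.sensitive-headers list (globally or per route) for the token to reach the microservice at all.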
I have read some articles on Keycloak Spring implementation (e.g. easily-secure-your-spring-boot-applications-with-keycloak) but none of them mention how to use it with JWT.
I have created a Zuul API gateway and added the Keycloak adapter as described in the previously linked article. That's OK, but I want to use JWT with Keycloak.
Elsewhere it is mentioned to set the client access type to bearer-only and the session strategy to NullAuthenticatedSessionStrategy. Is that enough or do I need something else for JWT?
So my questions:
How do I configure client on Keycloak admin for JWT?
How do I configure Keycloak in backend config file for JWT?
How do I configure Keycloak adapter for JWT?
How do I pass user info to the microservice? Create a filter in the gateway? But how do I get user info from the request?
The Keycloak access token is a JWT. It is a JSON document and each field in that JSON is called a claim. By default, the logged-in username is returned in a claim named "preferred_username" in the access token. Spring Security OAuth2 Resource Server expects the username in a claim named "user_name". So, you need to create a mapper to map the logged-in username to a new claim named user_name.
In order to provide access to the client (microservice), the respective role needs to be assigned/mapped to the user.
In your Spring Boot application, you then need to configure the connection to the Keycloak server, providing the auth URL, token URL, scope, grant type, client id and client secret.
After that, for your app to be able to parse the JWT token, you need to create a JwtAccessTokenCustomizer. This class should extend DefaultAccessTokenConverter and implement JwtAccessTokenConverterConfigurer. The main logic lies in the public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) method.
Then you need to configure the OAuth2 Resource Server to provide access for the other microservices. For that you define an OAuth2RestTemplate bean.
And in the end, secure your REST API via the standard configuration component.
So, you can see that it is a large amount of work and can't be described in a single piece of code; show some of your work, divide it into chunks, and ask your specific questions.
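The JwtAccessTokenCustomizer step this answer outlines, written out as an added example (not the answer's own code and not Keycloak's or Spring's). It targets the legacy spring-security-oauth2 plus spring-security-oauth2-autoconfigure stack the answer is talking about, which has since been deprecated in favour of spring-boot-starter-oauth2-resource-server. Instead of adding a user_name mapper in Keycloak, it reads Keycloak's default claims directly: preferred_username for the principal, realm_access.roles and resource_access.<client-id>.roles for the roles. The security.oauth2.client.client-id property is the legacy stack's standard one; the "N/A" credential placeholder and the audience handling are assumptions of this example:

```java
// Added example, not code from the answer above: an access-token converter for the
// legacy spring-security-oauth2 / spring-security-oauth2-autoconfigure stack that
// builds the OAuth2Authentication from Keycloak's default claims, so no extra
// "user_name" mapper is needed on the Keycloak side.
// Assumes Keycloak's default token layout (preferred_username, realm_access.roles,
// resource_access.<client>.roles); the client id comes from the standard legacy property.
package com.example.keycloak;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.oauth2.resource.JwtAccessTokenConverterConfigurer;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.stereotype.Component;

@Component
public class JwtAccessTokenCustomizer extends DefaultAccessTokenConverter
        implements JwtAccessTokenConverterConfigurer {

    @Value("${security.oauth2.client.client-id}")
    private String clientId;

    /** Installs this converter so the JwtAccessTokenConverter uses it for every parsed token. */
    @Override
    public void configure(JwtAccessTokenConverter converter) {
        converter.setAccessTokenConverter(this);
    }

    /**
     * Called with the claim map of a token whose signature has already been verified
     * by the JwtAccessTokenConverter; only then are the claims turned into an Authentication.
     */
    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) {
        String username = (String) tokenMap.get("preferred_username");
        List<GrantedAuthority> authorities = extractRoles(tokenMap);

        // Keycloak writes "scope" as one space-separated string and "aud" as a string or array.
        Set<String> scopes = splitScope(tokenMap.get("scope"));
        Set<String> audience = toStringSet(tokenMap.get("aud"));

        // resourceIds is checked against security.oauth2.resource.id when that property is set.
        OAuth2Request request = new OAuth2Request(Collections.emptyMap(), clientId, authorities,
                true, scopes, audience, null, null, null);
        UsernamePasswordAuthenticationToken user =
                new UsernamePasswordAuthenticationToken(username, "N/A", authorities);
        return new OAuth2Authentication(request, user);
    }

    /** Realm roles plus the roles Keycloak assigned for this client, prefixed for hasRole(). */
    @SuppressWarnings("unchecked")
    List<GrantedAuthority> extractRoles(Map<String, ?> tokenMap) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        Map<String, Object> realmAccess = (Map<String, Object>) tokenMap.get("realm_access");
        if (realmAccess != null) {
            addRoles(authorities, (Collection<String>) realmAccess.get("roles"));
        }
        Map<String, Object> resourceAccess = (Map<String, Object>) tokenMap.get("resource_access");
        if (resourceAccess != null) {
            Map<String, Object> client = (Map<String, Object>) resourceAccess.get(clientId);
            if (client != null) {
                addRoles(authorities, (Collection<String>) client.get("roles"));
            }
        }
        return authorities;
    }

    private static void addRoles(List<GrantedAuthority> out, Collection<String> roles) {
        if (roles == null) {
            return;
        }
        for (String role : roles) {
            out.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
        }
    }

    private static Set<String> splitScope(Object scope) {
        if (scope instanceof String) {
            return new LinkedHashSet<>(java.util.Arrays.asList(((String) scope).trim().split("\\s+")));
        }
        return toStringSet(scope);
    }

    @SuppressWarnings("unchecked")
    private static Set<String> toStringSet(Object value) {
        if (value instanceof String) {
            return Collections.singleton((String) value);
        }
        if (value instanceof Collection) {
            return new LinkedHashSet<>((Collection<String>) value);
        }
        return Collections.emptySet();
    }
}
```

With this bean in place the "standard configuration component" the answer mentions is an ordinary ResourceServerConfigurerAdapter whose HttpSecurity rules can use hasRole("ADMIN") and friends, because the role names above are what ends up as authorities. Anything that relies on parsing the token this way still needs the signing key or JWK endpoint configured (security.oauth2.resource.jwt.key-uri or key-value in the legacy stack) so that the signature check happens before extractAuthentication() is ever called.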