I can build REST services with spring-security-oauth2
I can build website security with spring-security
And as you know, oauth2 has oauth-server, resource and client side. But I cannot put them together. I want to know how to build oauth2 website that I can login(session) with browser and I can use it as secure REST services(with access token). Any help? Thanks very much.
I'm not expert in Spring, but Spring security examples link has some examples how to implement OAuth2.0 servers and resource servers.
Related
What is the best way to integrate my Spring Boot app with OAuth2? It already has login functionality with issuing a JWT token. What I want to achieve: perform login using OAuth2 and issue the same JWT to access my app.
What should I use:
Keycloak auth server + make my app a resource server
Write my own auth server using spring-security-oauth2-autoconfigure and spring-boot-starter-oauth2-client + make my app a resource server?
Any other approach you can suggest...
Maybe, this link can help you: https://stackshare.io/stackups/keycloak-vs-spring-security
It really depends on your scenario.
But, in my opinion, the first option has more advantages. The main one is the maintenance effort. With your own oauth server, you must maintain one more service. Keycloak is mature and open source, with many developers maintaining it.
I'm trying to extend my home made OAuth2 Authorization Server with the OpenID Connect. At the moment, the Server works fine and successfully issues an access token.
What I need is that the token endpoint returns an id_token along with the access_token.
The Authorization Server is a Spring boot (2.5) app, which implements the authorization code flow using following oauth dependencies.
spring-security-oauth2
spring-security-oauth2-autoconfigure
spring-security-jwt
spring-security-oauth2-jose
Is there some standard way to configure an OAuth2 Spring Server so it provides the OpenID Connect features?
Thanks in advance for an example code and/or useful documenation.
The Spring team are working on a new OAuth server, that provides OIDC capability. It's still very early days, but it is useable.
See here for the code, that includes a set of samples:
https://github.com/spring-projects/spring-authorization-server
I am developing a spring boot application that integrates with multiple Idp's. I have checked many examples over the internet on integrating Spring application with SAML, all of them show how to integrate with IDP's via application properties.
In the case of OAuth 2.0, we had Clients provided by MSAL libraries, we integrated as below.
ConfidentialClientApplication
.builder(decryptCredential(adClientId), clientSecret)
.authority(authorityURL).build();
clientApplication.getAuthorizationRequestUrl(parameters).toString();
clientApplication.acquireToken(authorizationCodeParameters);
Is there a similar way in Spring boot, to have a Client call to ADFS SAMLIDP and get the user authenticated?
Based on the request, fetch IDP details from Database and invoke a call to the appropriate IDP to get the user authenticated.
thanks in advance.
I explored coveooss library, which has clients and it is easiest one to invoke ADFS to fetch SAML assertions. Here is the link for COVEOOSS git link
I'm just wrapping my head on Oauth2. I have a Spring boot app with its own users and roles system handled by Spring Security 5. Internally I use email to identify users, I want people who registered with their gmail addresses to be able to log in through Oauth2. Or, more generally, how do I make one of my users log in to my app using Oauth2? If you need code or more information just ask. Thanks in advance.
As far as I understood your question, you are looking for a general approach to authenticate users for using your Spring Boot application with the help of OAuth2 protocol.
In your case you will probably use Google as an authentication provider and your application as resource server, according to the OAuth2 standard wording. First at all to answer your general question, there are different ways of using OAuth2 to authenticate users. A good starting points are these links:
https://www.rfc-editor.org/rfc/rfc6749
https://auth0.com
To find the proper way of implementing OAuth2 for your usecase I recommend using this decision tree: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
For starting to implement OAuth2 in Spring Boot you can use several Spring Security projects with further documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-oauth2
https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/
I was wondering if Spring Boot SSO implementation is based on JWT or keeps the session open in the server memory?
Thanks in advance.
The answer would depend on which Spring implementation you are referring to
Spring Security SAML
Spring Security OAuth
I would discuss more on the latter i.e. OAuth and in that you have multiple options. You can use the in-memory token store to debug and test it out, but for production implementations, you can use different token stores. JWT and JDBC are pretty popular in my experience.