Allow Authentication server access to Resource server - spring

I'm working with the Spring OAuth2 sparklr and toner examples. I've broken up sparklr into two applications to separate the Resource server and Authentication server. They're both running on Spring Boot and Java Config.
The Resource server (API) has a /account resource I would like to expose to the Authentication server (MVC) so that the Auth server can create accounts, but of course the resource is protected.
How can I grant the Authentication server access to the /account on the Resource server?

If your /account resource is an oauth protected resource then your auth server is now a client. I don't see any in principle problem with that (copy the client side config from tonr and use an OAuth2RestTemplate like it was a vanilla RestTemplate). You haven't really provided enough information to know what kind of client and grant type should be used (maybe client_credentials?).

Related

How to secure springboot Resource server API's where Authitication is done on differnt service?

I am new to Spring Security. I am facing an issue to secure the resource server APIs. flow diagram . I need to authenticate and authorize users using the LDAP server which is written in a different microservice and all the data resources are written in a different microservice. How to secure resource server APIs. I cannot use Keylock or any other external sso software to be installed in our environment nor we can share our credentials with an external server.
I have gone through various designs. OAuth2 using keylock, Embedded keylock, Springboot authorization server, etc. Is this the right approach or do I need to flow a different flow?

Spring OAuth2.0 : Authorization and Resource server in 1 Spring Boot app

The old spring security oauth can do this by spring-security-oauth2-autoconfigure
How can it be implemented using the latest spring security 5.7.x?
It seems that you have to create separate authorization server, resource server, and client...unlike the previous, you just have to enable configuration for authorization and resource server
But I am curious if there is a way to do libe the old way?
I discover this on my own.
Both the authorization and resource server can be in 1 springboot app and both can use same port.
It is the security configuration filter chain that you have to restrict both the "/login", "/oauth2/authorize"
Authorization server configuration is configured the basic way and so is the Resource server.

Resource Owner Password Credentials with Spring Boot

I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because is a legacy application. It is capable of collecting the credentials and start the session via HTTP Basic Authentication, and then keep the cookies for the session in the following requests.
Given this scenario, I think best option is to make use the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials by the OAuth2 Tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require to make an initial call to the Authorization Provider to exchange the collected credentials by the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session, then Spring is able to use that client in further requests. The problem with this project is it seems to only work as when the OAuth client is used to make HTTP requests (e. g. an endpoint that makes a call to another service) and not provide authentication to the controller. You can find more information about this in here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?

Client Application using Basic Auth with Spring Security and Keycloak

I have an architecture where my user application wants to use a basic authentication when accessing a spring service. This service has to use a Keycloak instance to verify the user/pass of the user application. I don't succeed to configure it (and don't know if its possible).
Yes, it is possible. Keycloak has Spring Security adapter that can be configured for Client and/or Resource Server.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_security_adapter
And also a working example here:
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-spring-security

Spring zuul proxy to OAuth2 server password grant

I'm trying to implement a Zuul reverse proxy with #EnableOAuth2Sso so I can relay the access tokens obtained from the authentication server to my resource server.
The question is how do I configure the Zuul proxy to forward the username and password to the authentication server, since I am using the password grant flow to obtain the tokens.
If the question is still relevant...
I had a task to configure Authorization and Resource servers behind Zuul using password grant type.
This article and example on github helped me a lot, but mostly I've used debug to configure the environment.
Please check my example of configuration OAuth2 Password Grant Type behind Zuul.
To run the example, inside every service folder run mnv spring-boot:run
In browser go to http://localhost:8765, credentials user/user, admin/admin
http://localhost:8761/ - eureka
I have not used #EnableOAuth2Sso, but instead #EnableOAuth2Client and configure only ResourceOwnerPasswordAccessTokenProvider (more details here).
#EnableOAuth2Sso is configured all token providers, but I need only password provider.
Example uses JwtTokens.

Resources