If i have an username of user then i want to produce authorization code for that user and using that authorization code need to able new accesstoken and refreshtoken from spring authorization server.
is this possible?
Related
Currently I have an SPA with multiple springboot microservices at the back (Resource Servers). Authentication and Authorization happens in the back using a Spring Oauth2 Server that serves a "Login Page" (Consent Screen) . Inside the Oauth server there is a ldapAuthentication provider that delegates authentication to an Active Directory and the rest (user detail and authorities) is fetched from a jdbc source from a custom data model (groups and privileges).
I have the requirement to start using Okta (enterprise). Conceptually speaking, do I have to remove completely the Spring Oauth Server and do everything with Okta regarding Authentication and Authorization? What would be the flow? What happens with the Bearer Token that I currently use? What happens with the introspection of each resource server when applying security access to requests? I am pretty confused what should be the Spring solution for Okta comming from a Spring Oauth Server.
Yes, Okta and Spring OAuth server are both authorization-servers, so you'll probably replace one with the other. The flow will be the same standard OAuth2 authorization-code flow:
"rich" client redirects users to authorization-server for authentication (Okta instead of spring authorization-server)
authorization-server redirects users back to "rich" client with authorization code
"rich" client exchanges authorization-code for access and optionally refresh and ID tokens
"rich" client sends request to resource-servers with access-token as Bearer Authorization header
resource-servers validate access-tokens and retrieves token claims (either with JWT decoder or introspection) and then evaluates if access should be granted based on token claims
You'll have to refer to Okta docs to add required roles (or groups or authorities and whatever you need in your resource-servers security expressions and that is stored in your LDAP and "JDBC storage") to Okta access-tokens.
If you really have configured your resource-servers with token introspection, you might have to switch to JWT decoding (I haven't search much, but it seams that Okta's introspection endpoint just returns a boolean: isTokenValid). You'll save a lot of resources in the process as JWT validation & decoding happens on resource-server only (it does not require a round-trip to authorization-server for each request as introspection)
You can replace your Spring OAuth server with Okta Authorization Server, which will require all your micro-services to change their configuration to do the introspection against Okta endpoints. Bearer tokens would be minted by Okta too.
need help, i need robotframework sample or example for bypassing the cloudflare authentication to access an url using service token (CF-Access-Client-Id: CF-Access-Client-Secret: ) passing in header
current case:
i have url - xx#yy.zz after access it.
(CloudFlare authentication) asks for email id and after inputing the email id it sends OTP to mobile
inputing the OTP then i am able to access the url
i found a way for bypassing authentication using service token.
https://developers.cloudflare.com/access/access-service-auth/service-tokens
but i am not sure how do i pass this service token in robotframework
I'm working on a project to setup oauth2 authorization. I already have brief knowledge on authentication process for spring security, but here when i setup oauth, i'm wondering how to do the authentication part? as here i both need to authenticate the clients credentials and also the user credentials( user authenticate will be do by LDAP), as the grant type would be 'password'. and after authentication, the final authenticated authentication object would be the user with his/her authorities, instead of the client.
If you either use Resource Owner Credentials or whatever other grant type that could potentially take client(program) credential and user's credential when issuing a access token, then Authentication instance you are going to get from AuthenticationManager#authenticate() will be OAuth2Authentication. And inside of OAuth2Authentication, you'll able to see another Authentication which includes user's authentication information.
With that OAuth2Authentication, you can either manaully add logic to check different stuff you'd like to by accessing OAuth2Authentication itself by getting it from SecurityContextHolder.getContext()and then typecasting to OAuth2Authenticaiton, or simply use existing PreAuthorized annotation with SpringEL.
In the OAuth authentication flow, if permission is granted by the service provider, the authorization redirects to a app-specified redirect URL with the access token (e.g. yourapp.com/redirect/?token=deadbeef).
Now the app has to store that token in some way – either directly store it in the database or start a session with the service provider. Doesn't this contradict the "laws" of HTTP methods, specifically that GET is supposed to be a read-only action?
I've begun an implementation using the OpenID Connect Implicit Flow - I've retrieved my access token and ID token in my browser based javascript app, and now I need to protect the resource on my ASP.NET Core Web API so it can only be accessed via a valid access token from a user with a specific claim.
What middleware do I use to validate the token(s) and determine the user and their claims so I can then allow or deny them access to the resource they are requesting?
I've looked at OpenIdConnectAuthentication middleware, however the only implementation examples I've seen use a SignInScheme of "Cookies", not the Bearer token that my js app is providing.
Thanks
What middleware do I use to validate the token(s) and determine the user and their claims so I can then allow or deny them access to the resource they are requesting?
If your authorization server issues JWT tokens, you can use the JWT bearer middleware developed by the ASP.NET team: https://github.com/aspnet/Security/tree/dev/src/Microsoft.AspNetCore.Authentication.JwtBearer.
app.UseJwtBearerAuthentication(new JwtBearerOptions {
Authority = Configuration["jwt:authority"],
Audience = Configuration["jwt:audience"]
});
You can find a sample here: https://github.com/aspnet/Security/tree/dev/samples/JwtBearerSample.