I am working on securise the "WebFlux" endpoints of my application using Spring Security 5.1.1.RELEASE. What I would like to achieve is the following scenario :
Authentication Server : I am using Keycloak as an authentication server
Resource server : I am using spring-security-oauth2-resource-server package to provide JWT authentication on specific paths
Client : I need to use an OAuth2 authentication based on "client credentials"
When I am using curl, it is pretty easy :
Request a new token from my authentication server using "token" endpoint and "client_credentials" grant type
Extract the "access_token" from the JSON answer
Use the JWT in the -H "Authorization: Bearer $JWT" option of curl to embed the token in my request
Now, I want to Spring injections in order to use a WebClient bean configured to request automatically the JWT token and then use it to access the securised endpoint of my application.
I have tried to implement the example shown in the documentation Spring Security - WebClient but with no success.
I am looking for Application to Application authentication example. One is the Resource Server and the other one is the Client, connecting to the WebFlux API with a WebClient.
I finally manage to perform an implementation of a OAuth2 authentication process using Spring Security OAuth2 libs (client and resource-server) for a machine-to-machine scenario.
Please find the demo sources and some explanation at this link : https://github.com/Brico87/spring-security-oauth2-m2m.
Spring Security with OAuth2 support is quite quick and efficient to use if you manage to find the good combination between the components instanciation !
Related
Currently I have an SPA with multiple springboot microservices at the back (Resource Servers). Authentication and Authorization happens in the back using a Spring Oauth2 Server that serves a "Login Page" (Consent Screen) . Inside the Oauth server there is a ldapAuthentication provider that delegates authentication to an Active Directory and the rest (user detail and authorities) is fetched from a jdbc source from a custom data model (groups and privileges).
I have the requirement to start using Okta (enterprise). Conceptually speaking, do I have to remove completely the Spring Oauth Server and do everything with Okta regarding Authentication and Authorization? What would be the flow? What happens with the Bearer Token that I currently use? What happens with the introspection of each resource server when applying security access to requests? I am pretty confused what should be the Spring solution for Okta comming from a Spring Oauth Server.
Yes, Okta and Spring OAuth server are both authorization-servers, so you'll probably replace one with the other. The flow will be the same standard OAuth2 authorization-code flow:
"rich" client redirects users to authorization-server for authentication (Okta instead of spring authorization-server)
authorization-server redirects users back to "rich" client with authorization code
"rich" client exchanges authorization-code for access and optionally refresh and ID tokens
"rich" client sends request to resource-servers with access-token as Bearer Authorization header
resource-servers validate access-tokens and retrieves token claims (either with JWT decoder or introspection) and then evaluates if access should be granted based on token claims
You'll have to refer to Okta docs to add required roles (or groups or authorities and whatever you need in your resource-servers security expressions and that is stored in your LDAP and "JDBC storage") to Okta access-tokens.
If you really have configured your resource-servers with token introspection, you might have to switch to JWT decoding (I haven't search much, but it seams that Okta's introspection endpoint just returns a boolean: isTokenValid). You'll save a lot of resources in the process as JWT validation & decoding happens on resource-server only (it does not require a round-trip to authorization-server for each request as introspection)
You can replace your Spring OAuth server with Okta Authorization Server, which will require all your micro-services to change their configuration to do the introspection against Okta endpoints. Bearer tokens would be minted by Okta too.
I've been looking for ways of how to consume a web api with an oauth2 authorization using ASP.Net MVC. Any suggestions?
I have already tried sending a request to the web api and recieve a response. But I'm having a hard time when it involves Oauth2 authorization because i don't know how to send headers like the clientsecret and clientid and also on how to send a raw json data to the web api. I've already tried testing my api on postman and it's working properly.I wanted to know now how can i make an ASP.Net MVC application that can POST and GET to that web api with Oauth2 authorization.
There is answer for client_credential oauth2 gran type
How to write OAuth2 Web API Client in Asp.net MVC
and I think that's commonly used between services. However, if it's not your case then you need to take a look OAuth2 grant type and understand how those are working and different from each other.
If you want to know what to set in http header regardless of what language/framework you use, you need to set "Authorization" http header with "Bearer " value.
In order to get your access token from oauth2 provider, you need to send a request to oauth2 provider with grant type you'd like to use along with your clientId and secrets.
It will be look like below if you use client credential grant type.
https://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
I've been going through this tutorial which shows how to secure a single page application using several scenarios going from simple to our own Authorization Server that delegates authentication to a provider. The first scenario uses the Authorization Code Grant to log the user in.
Suppose we replace Facebook's OAuth Server with our own in this case and configure it to return a JWT token.
Which OAuth flow should the SPA use if it wants to use the JWT token to secure requests through an edge server that load balances between resources servers?
Also how should spring boot / spring security be configured if we want to use the JWT token to replace the replace the default JSESSION and CSRF support in spring? IIUC the JWT token can be used as a replacement to both of these features.
Update
Based on Manish's answer assuming we are using OAuth 2 implicit flow we:
Put the #EnableResourceServer annotation on the Resource Server
Use an OpenID Connect client to implement the implicity flow
So once this is done are POST request secure assuming each request includes the JWT token as a Bearer Header, or do we need to also configure CSRF?
It will depend on how much your application is sensitive to security but Implicit flow is recommended for pubic client (SPA).
Tutorial is based Authorization Code flow and if you will replace Facebook with your STS, it will still use Authorization Code flow because #EnableOAuth2Sso store the JWT token on server and send the cookie to browser and it also uses refresh token to get the new JWT token. It is a customize flow to implement the Authorization Code flow with public client (SPA) based on API gateway pattern.
To implement the implicit flow - Do not use the #EnableOAuth2Sso at server side, just expose the REST API and secure it with #EnableResourceServer. And you need to use the oidc-client to implement the implicit flow link is here https://github.com/IdentityModel/oidc-client-js
CSRF protection is only required if you will store JWT token or session identifier in the browser's cookie.
We have planned to implement authentication in our API using OAUTH. For this purpose I read so many articles on web to explore it. After read these articles what I am understanding is
Send credentials to authorization server and after successful
authentication it will send you the access token.
Use this access token for further calling of your api methods.
To authenticate our api user needs to pass the following parameters.
Authorization Token
Employee ID
What I am thinking is to pass these values via request headers. Problem is that these request headers can easily be viewed in browser console and someone can misused it easily. Please suggest Is this the right way to authenticate api or we used something else for this purpose?
I've read articles and seen example projects. I know owin allows to decouple application from web-server specific code, oauth allows third party clients to get access to application resources, and bearer token - client can get security token by login and password and use it as key for access to application resources.
I know that for simple cookie authentication using owin it's enough UseCookieAuthentication. But owin has this extensions: UseOAuthAuthorizationServer, UseOAuthBearerAuthentication, UseExternalCookieAuthentication, UseOAuthBearerAuthentication and I don't understand the full picture.
Could I use oauth without oauth bearer token (does it make sence)?
What are use cases for external cookie?
What are use cases for oauth (is it required only in case of client and server work in different domains using some api)?
What are use cases for oauth bearer token authentication?
Is it required oauth and bearer token authentication for web api only and for classic asp.net mvc applications it's no need?