I'm writing an application secured with Spring Security.
I want to achieve 2 objectives:
Application in the background is using Keycloak as auth server (this is under my control).
I want the user to be able to log in by default login form in the application, so the user doesn't need to be forwarded to the authentication page of Keycloak.
The desired solution is to use features of
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
The logins enabled are:
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2Login(withDefaults())
.formLogin(withDefaults());
return http.build();
}
I now how to obtain access token from Keycloak but don't know if I can use it to set OAuth2 context in spring security.
I could not find any example of how to do it with the AuthorizationGrantType password.
You are referring to "Password grant" flow and it has been deprecated. You should not use that (like REALLY not).
To authenticate users, use authorization-code flow (with the redirection to the authorization-server). There are several good reason for that:
security concerns
this the (strongly) recommanded way (because of above)
if you do not use your authorization-server screens, then you'll probably have to implement other features than just username / password form (registration, Multi Factor Authentication, profile édition,...)
If your concern is look and feel, consider defining a Keycloak theme. This will allow you to take control of all the Keycloak screens your users could see.
Related
The Oauth2 authorization code flow defines roles as they are shown in the top of the following graphic.
I allready have a client app writen with spring security and multiple resource servers.
Is it posible for a Vaadin app to only act as the UserAgent? I.e. have one java app which serves a Vaadin frontend but passes the login requests to another client app written in java with spring security (or any other oauth2 compliant program for that matter)?
I think read that it is favourable to separate front- and backend. Sofar I have only found tutorials which configure the java vaadin app as the Client App.
I.e. something like this in the applicaiton.yaml
spring:
security:
oauth2:
client:
registration:
keycloak:
client-id:
client-secret:
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
scope:
provider:
keycloak:
issuerUri:
And a security configuration like so
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/index.html", "/", "/login").permitAll()
.anyRequest().authenticated()
.and()
.oauth2Client()
.and()
.oauth2Login();
}
}
Alternatively:
Is it possible for a resource server to make API requests to another resource server? I.e. configure a web client / oauth2Client instance which can make authorized rest-requests?
If you are trying to separate the UI from the backend in the essence of the separate codebase and separate deployment for huge clustering and load-balancing purposes you may consider a Microservice architecture.
In a Microservice architecture, each service (including the OAuth service and maybe the UI itself) registers itself in a service registry, so it is possible for other services to find and call each other through that registry. This is a very abstract explanation and for implementing such architectures and you should dive deeper into the details.
So many applications would never reach that point where they need to separate UI from backend, and the gain from that separation may or may not worth solving other problems it raises.
Anyway, Vaadin Fusion introduced recently as an alternative to the pure Java version (or the Java + HTML Template version), to create UI applications by Typescript and HTML. So the UI resides completely on the browser somehow similar to Vue, Angular, and React.
Although Vaadin Fusion designed in a way that can automatically connect to backend services within the same project, I believe you can do what you want by applying some tweaks for calling other backend services (such as OAuth or your existing java apps). However, you should deal with some other problems such as handling CORS or user sessions, etc. (Which also are the existing issues when you use other frontend frameworks and libraries).
You can find out more about Vaadin Fusion here. For a quick start, you may also want to see this short video.
I am currently writing a Spring Boot 2.x application that by default is authenticated by the app's oauth2 authorization server. However, I would like to add support such as the user could configure the app to use their SAML identity provider/asserting party (like Active Directory) as an alternative to the default OAuth2 authentication server.
What I can see is that developers would write a WebSecurityConfigurerAdapter with .saml2Login() or .oauth2ResourceServer(o -> o.jwt()) but I would switch between the two at runtime.
Note that I will secure the same set of URLs/APIs. It's just that I want the user to be able to choose what to use. Also as a disclaimer, I do not have experience with SAML.
Would this be possible to do in Spring Boot? Hope someone could say definitively if this is possible or not.
Spring Boot Security,
My Application is already running using Spring Security. Now I want to authenticate the users through OAuth. Is there any way to build a custom servlet to achieve this?
You can add a new Filter to intercept and authenticate OAuth requests in which it should call the authenticationManager.authenticate method and save the result of the authentication token in the SecurityContextHolder. This way the user is fully authenticated.
Note, that this way you don't "override" or "bypass" the Spring Security. You just use it to perform a different authentication.
I am trying to enable OIDC authN and authZ workflow for my spring-java-web application. Ideally I wanted to do it in a IDP agnostic way.i.e.This application could be integrated with only and any one of the Azure AD,OKTA,AWS SSO,Google-auth by deployment admin.And I want users to be redirected to whatever provider the application is integrated with.
With OIDC as a standard, my understanding is i should be able to write a OIDC auth processing filter that should work with any of the providers. The necessary config that varies per provider ( auth url,client id,secret,JWKS url to get the provider keys etc) will be passed to this filter/rest template as parameters.
Q.1 Is it possible to implement provider agnostic OIDC filter? Can someone give any pointers?
I am aware that Spring natively provides Oauth2 libraries/apis like AuthorizationCodeResourceDetails, OAuth2ClientAuthenticationProcessingFilter . However I do not see any OIDC native processing filter in built. Is there any?
I tried and understood the workflow as given in https://www.baeldung.com/spring-security-openid-connect .However when i try to tweak this code to make it work with Azure AD it fails. Thats because Azure AD requires
The response_type parameter must include id_token.
The request must include nonce parameter to be set in request.
AuthorizationCodeResourceDetails does not support such param. Given that OIDC is a common standard ,
Q-2. I fail to understand why every provider still has different requirements? Doesn't it defeat the purpose of OIDC . Infact I read that google throws error if you pass nonce
Q-3. Are there any spring native ways to configure these additional provider specific params like nonce , promt, additional response-type ,preferable with examples?
I think your problems with Spring Security OIDC are that you're using the legacy OAuth library (at least that's what the baeldung article is illustrating). OAuth2 and OIDC are part of Spring Security 5.x now and not a separate project. There's an OIDC client "login-client" in this example: https://github.com/jgrandja/oauth2-protocol-patterns that might show different. Yes, OIDC should allow you to swap providers in and out although not all OIDC providers will implement everything (e.g. discovery, etc.)
Has anyone actually used OAuth2 for SSO within Spring Security 3?
Scenario:
I need my users to be redirected to an OAuth2 URL when they try to access any URL on my site for the first time. Once they are authenticated there, it will redirect them to a URL on my site, where I need to authorize them and create a session so that they will stay authorized on my site until they log out or time out.
I have tried several configurations in Spring Security using custom pre-auth filters, custom user details services, etc., but I cannot get the flow to work properly. I've not attached any code because I've gone through so many possibilities that I'm not even sure what to post.
I'd appreciate any direction anyone can give. Thanks!
OAuth2 isn't intended as an SSO solution. It's primarily about delegating the right to access resources on your behalf to other parties (applications, for example). So if that's not something you need then perhaps you should be looking at a simpler solution.
It's possible to use OAuth2 to allow access to a resource which provides information on your identity, in which case it can be expanded for authentication use. This is how OpenID connect uses it (by adding a userinfo endpoint resource).
You might want to take a look at the UAA project within CloudFoundry which is built on Spring Security OAuth and uses OAuth2 in this way to provide authentication services and to issue access tokens to applications within the system.
This appears to be a somewhat dead question but here are some resources that may prove useful to future searches:
#EnableOAuth2Sso
#EnableOAuth2Resource
Spring Cloud oauth2 SSO sample
Spring oauth2 SSO with a whole bunch of other stuff too
Who is your Oauth2 provider? In a case of some public one like Facebook, Twitter, Google and many others you can take a look at Spring Social project. Even if you use some private provider you can add it very easy (http://blog.springsource.com/2011/03/10/extending-spring-socials-service-provider-framework/, Developing a Netflix Service Provider Implementation section).
Spring Social is designed to cover your main case with some minor difference: by default you must submit a form to start authentication process. I think this difference may be easy customized to feet your needs.
You can play with Spring Social Showcase sample to have an idea about authentication workflow.