Does Spring Authorization Server or the Spring Security OAUth2 client support passing request Parameters as JWTs (see https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). Searching the apis, docs and code (checked out the code and searched for buzzwords like request_parameter_supported) didn't turn up anything.
Related
I`d like to use redirect_uri as a dynamic parameter in Code Grant but I know that the redirect_uri must be static for security reasons. If I implement PKCE flow and leave validating of the client_secret parameter, will using dynamic redirect_uri be securer then? It seems to me that I will add a new step of authentication (using PKCE).
Thanks!
TL;DR
Not really
Explanation
PKCE was originally designed to protect the auth code flow from CSRF and auth code injection attacks. PKCE RFC-7636
In the PKCE RFC it strongly suggests following the OAuth 2.0 Security recommendations. RFC-6819 section 5.2.3.3 states the reason for a static redirect_uri is to prevent:
XSS attacks
Impersonation of public client applications
Dynamic redirect uri's open a potential vulnerability to a client providing the code_challenge as well as the auth token to a malicious actor.
Example:
*.example_domain.com
Some websites such as Google give users the ability to create their own sites as subdomains. A malicious actor can take advantage of this. It may not be simple or easy, but it does expose a vulnerability.
subdomain.*
This is even worse. Any site with a subdomain that matches would be valid.
In either of the above scenarios PKCE does nothing to prevent impersonation, which could allow an attacker to gain an access token. It is an excellent tool in preventing exploitation in an environment where the token endpoint is trusted.
Openid-Connect
Your question was tagged with Openid-Connect. OIDC requires that a redirect_uri be pre-registered with an OpenID Provider Openid-connect-core. It is possible for you to create a very long whitelist of redirect uris to use.
We have use case where we need show user credential params such as username and password and based on user name value and password validation on backend side we have to render swagger APIs.
Not able to figure out how i can render swagger APIs based on result of authentication result.
Any pointer will be highly appreciated.
You didn't mention which version of swagger you are using, but it looks like there is support for protecting endpoints via some kind of authentication using Swagger 2.0 and 3.0.
From the 2.0 docs:
Swagger 2.0 lets you define the following authentication types for an API:
Basic authentication
API key (as a header or a query string parameter)
OAuth 2 common flows (authorization code, implicit, resource owner password credentials, client credentials)
From the 3.0 docs:
OpenAPI uses the term security scheme for authentication and authorization schemes. OpenAPI 3.0 lets you describe APIs protected using the following security schemes:
HTTP authentication schemes (they use the Authorization header):
Basic
Bearer
other HTTP schemes as defined by RFC 7235 and HTTP Authentication Scheme Registry
API keys in headers, query string or cookies
Cookie authentication
OAuth 2
OpenID Connect Discovery
Each of those sets of documents has links to examples and further documentation.
After reading the article How To Control User Identity Within Microservices I've been trying to implement such access control scheme (Value and Reference Tokens), but after going through multiple other topics and examples in GitHub related to Spring Security + OAuth + Zuul, I couldn't find concrete examples on how this can be achieved. All the examples that involve JWT return User Details when the token is returned, and that is what I would like to avoid. The User Details should never reach the Client directly but should be passed to the backend services instead. The tutorial Spring Security + AngularJs has a lot of information on how to evolve an application towards a secure one, but uses an Access Token or mentions the possibility of getting the User Details directly via JWT.
This SO question, Using Zuul as an authentication gateway by #phoenix7360, is exactly the approach I've been trying to implement but it only supplies a brief overview of the configuration required to carry out this kind of security approach for microservices. Please refer to the image in this question for a clear picture of how it would go.
I can't fully get my head around how the Zuul Pre-Filter should be configured and what the Authorization Server's configuration should look like. As stated in both the article and the SO question, the flow would go something like this:
External (HTTPS)
The client authenticates against OAuth2 Server
OAuth Server returns an opaque Access Token (a UUID with no other information)
The client sends the request to the API Gateway with the Access Token in the Authorization header
API Gateway requests User Details to the OAuth Server with the Access Token in the Authorization header
OAuth Server checks the Access Token is valid and returns User Information in JSON format
Internal (HTTP/S)
API Gateway creates a JWT with User Details and signs it with a private key
API Gateway adds the JWT to request and forwards it to Resource Server
Resource Server verifies the JWT using API Gateway's public key
Note: API Gateway should return an error if OAuth Server indicates Access Token is no longer valid.
How would the ZuulFilter work? Does a new request need to be issued against the OAuth Server (for instance, via RestTemplate), or are these schemes supported with the current implementation? Is there any particular configuration required for the JavaConfig classes for both OAuth and Zuul? If someone knows of a working example that would be really helpful and would be great for future reference regarding this topic.
I'm using Spring Boot (1.4.0-M3) + Spring OAuth + Spring Cloud (Eureka, Ribbon, Zuul)
I know this question is very similar to the one linked previously, and if this is not the right way of doing it I apologize, but I thought a new thread would be better than asking for help on a SO thread that aimed at solving another problem.
Thanks in advance!
JHipster does a pretty good job in handling this issue. If I want to tell the login process briefly, first you do login, in time you fetch every information you need to pass to your below services (such as username,email,etc) then you pass them to your microservices.
you can see the link below from okta for more information
https://developer.okta.com/blog/2018/03/01/develop-microservices-jhipster-oauth
I'm trying to use Spring Security OAuth2 to access the github api. The problem I'm having is that once you get a response from their authorize api, you don't get back a token, you get back a code that needs an extra verification step.
I don't see how I can plug this into spring's oauth 2 framework. Am I missing something?
Here's the flow github wants:
github oauth
This step specifically:
If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. If the states don’t match, the request has been created by a third party and the process should be aborted.
Exchange this for an access token:
POST https://github.com/login/oauth/access_token
You can plug that in Spring Security. That is called the authorization code and Spring Security supports that.
Here is the chapter in the specs where this extra-step flow is described: https://www.rfc-editor.org/rfc/rfc6749#section-4.1
You don't have to care about this. Spring will automagically handle that behind the scenes. Here is the class in Spring Security that handles that flow: AuthorizationCodeAccessTokenProvider
I successfully completed login module of my application using spring security's inbuilt authentication & authorization mechanism.But later i was told to check if i can integrate WSO2 (SOA solution as external Authorization mechanism) with Spring security so that i can use Spring security's authentication mechanism alone and WSO2 for authorization instead of using Spring security provided Authorization.
I did search & read the documentation and i could get details about using External authentication with Spring security & nothing about External authorization.I would like to know if i can do the same and also how i can do it.Any pointers will be really helpful for me.