We are currently working on a POC of Spring Cloud Dataflow, deployed in an Azure Kubernetes Service.
One of our requirements is to integrate it with an Azure Active Directory.
The authentication part went smoothly, but for the authorization we need SCDF to be able to recognize the appRoles of users (RBAC). The behaviour so far seems to be that only the scopes are exposed, and if all scopes are exposed, then the user has all the service roles (ROLE_VIEW, ROLE_DESTROY, ROLE_DEPLOY, ...).
For instance, we'd like one user to have ROLE_VIEW only, and another user to have both ROLE_VIEW and ROLE_DESTROY.
What we've done so far:
Following the documentation, we created an App Registration (dataflow-server) exposing the following scopes & API permissions:
api://dataflow-server/dataflow.destroy
api://dataflow-server/dataflow.view
api://dataflow-server/dataflow.deploy
api://dataflow-server/dataflow.manage
api://dataflow-server/dataflow.schedule
api://dataflow-server/dataflow.create
api://dataflow-server/dataflow.modify
We created 2 appRoles, "role_reader" and "role_writer", to grant to specific users.
And we updated the configmap of the SCDF server to include these configurations:
spring:
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            dataflow-server:
              map-oauth-scopes: true
              role-mappings:
                ROLE_VIEW: role_reader
                ROLE_DESTROY: role_writer
                ROLE_DEPLOY: role_writer
                ROLE_CREATE: role_writer
                ROLE_MANAGE: role_writer
                ROLE_SCHEDULE: role_writer
                ROLE_MODIFY: role_writer
And:
spring:
  security:
    oauth2:
      client:
        registration:
          dataflow-server:
            provider: azure
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            client-id: <client_id_from_the_azure_app_registration>
            client-secret: <client_secret>
            scope:
              - openid
              - profile
              - email
              - offline_access
              - api://dataflow-server/dataflow.view
              - api://dataflow-server/dataflow.destroy
              - api://dataflow-server/dataflow.schedule
              - api://dataflow-server/dataflow.manage
              - api://dataflow-server/dataflow.create
              - api://dataflow-server/dataflow.deploy
              - api://dataflow-server/dataflow.modify
        provider:
          azure:
            issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0
            user-name-attribute: name
      resourceserver:
        jwt:
          jwk-set-uri: https://login.microsoftonline.com/<tenant-id>/v2.0/keys
My understanding after reading the docs was that this should be sufficient to map the service roles (ROLE_VIEW) to the Azure appRoles (role_reader) and allow RBAC to be used.
Where did I go wrong?
Thanks in advance for taking the time to read!
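An added diagnostic, not SCDF's code and not part of the question above: it decodes the claims of an access token and derives the SCDF service roles two ways, once from the scopes in the scp claim and once from the app roles in the roles claim using the question's role-mappings, so you can see which claim your server is actually evaluating. The token is constructed, and the scope rule (dataflow.view grants ROLE_VIEW, and so on) is an assumption for illustration.

```python
import base64
import json

# Constructed sample claims shaped like an Azure AD v2.0 access token for the
# dataflow-server app registration: every delegated scope was consented, but
# the user was assigned only the role_reader app role.
SAMPLE_CLAIMS = {
    "aud": "api://dataflow-server",
    "scp": "dataflow.view dataflow.destroy dataflow.deploy dataflow.manage "
           "dataflow.schedule dataflow.create dataflow.modify",
    "roles": ["role_reader"],
    "name": "alice",
}

# The role-mappings block from the question as a plain dict.
ROLE_MAPPINGS = {
    "ROLE_VIEW": "role_reader",
    "ROLE_DESTROY": "role_writer",
    "ROLE_DEPLOY": "role_writer",
    "ROLE_CREATE": "role_writer",
    "ROLE_MANAGE": "role_writer",
    "ROLE_SCHEDULE": "role_writer",
    "ROLE_MODIFY": "role_writer",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature, for decoding only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def decode_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying it: a debugging aid, never an auth check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def roles_from_scopes(claims: dict) -> set:
    """Assumed scope rule: each 'dataflow.x' entry in scp grants ROLE_X."""
    scopes = claims.get("scp", "").split()
    return {"ROLE_" + s.split(".", 1)[1].upper() for s in scopes if s.startswith("dataflow.")}

def roles_from_app_roles(claims: dict, mappings: dict = ROLE_MAPPINGS) -> set:
    """Grant ROLE_X only if the app role it maps to appears in the roles claim."""
    assigned = set(claims.get("roles", []))
    return {role for role, app_role in mappings.items() if app_role in assigned}
```

With the sample token, roles_from_scopes returns all seven roles while roles_from_app_roles returns only ROLE_VIEW, which is the difference between the behaviour described and the behaviour wanted.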
Related
I am getting invalid credentials while implementing the Auth Code Flow with Oauth2 Spring Security. Below is the microservices flow:
Eureka Service - Gateway - Custom Spring Authentication Service
- AM Service (pulls AM business data)
- SM Service (pulls SM business data)
I am able to authenticate and the auth code is generated as shown below:
http://127.0.0.1:8060/login/oauth2/code/test-client?code=J5Qvmk&state=HLD0vIaz6GzJl4dK_HJCtt7CGojuPSBVj23bu9fL38s%3D
But then, when trying to get redirected to the original API call, it fails stating "Invalid credentials".
Below is the error: [screenshot not reproduced]
Below are the configurations on the gateway:
spring:
  application:
    name: gateway-service
  cloud:
    gateway:
      default-filters:
        - TokenRelay
      routes:
        - id: CdsaiAMServiceApplication
          uri: http://127.0.0.1:8082
          predicates:
            - Path=/ams/**
          filters:
            - TokenRelay=
            - StripPrefix=0
            - name: Retry
              args:
                retries: 1
                statuses: UNAUTHORIZED
                methods: GET,POST,DELETE
                backoff:
                  firstBackoff: 10ms
                  maxBackoff: 50ms
                  factor: 2
                  basedOnPreviousValue: false
        - id: CdsaiSMServiceApplication
          uri: http://127.0.0.1:8866
          predicates:
            - Path=/sms/**
          filters:
            - TokenRelay=
            - StripPrefix=0
            - name: Retry
              args:
                retries: 1
                statuses: UNAUTHORIZED
                methods: GET,POST,DELETE
                backoff:
                  firstBackoff: 10ms
                  maxBackoff: 50ms
                  factor: 2
                  basedOnPreviousValue: false
      discovery:
        locator:
          enabled: true
  sleuth:
    sampler:
      probability: 1
  zipkin:
    baseUrl: ${ZIPKIN_BASE_URL:http://127.0.0.1:9411}
  security:
    oauth2:
      resource:
        user-info-uri: "http://127.0.0.1:8383/user"
      client:
        registration:
          test-client:
            provider: spring
            client-id: clientId
            client-secret: client-secret
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            client-name: test-client
            user-info-authentication-method: header
        provider:
          spring:
            authorization-uri: "http://127.0.0.1:8383/oauth/authorize"
            token-uri: "http://127.0.0.1:8383/oauth/token"
            token-info-uri: "http://127.0.0.1:8383/oauth/check_token"
            user-name-attribute: preferred_username
Can someone please help?
My Spring Cloud Gateway CORS configuration:
gateway:
  globalcors:
    cors-configurations:
      '[/**]':
        allow-credentials: true
        allowedHeaders: "*"
        allowedOrigins: "*"
        allowedMethods:
          - GET
          - POST
          - DELETE
          - PUT
          - OPTION
        max-age: 3600
I think this configuration should be able to fix this problem, but it does not do what I expect. The backend service API /oauth/token still returns "401 Unauthorized".
BTW: my backend service integrates with Spring Security.
I am trying to authorize a user using code grant flow in Keycloak to a Quarkus application.
Here is the Quarkus configuration
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=web-application
quarkus.oidc.credentials.secret=ca21b304-XXX-XXX-XXX-51d38ef5da02
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email
The client configuration for "web-application" has only Standard Flow enabled (for the Code Grant Flow).
I access http://localhost:8080/
I'm redirected to Keycloak (the URL looks good, with scope=openid+email&response_type=code&client_id=web-application).
I log in with a sample user account.
I'm redirected back with the code.
Then I get an exception in Quarkus:
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:276)
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:205)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:202)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:210)
The error in Keycloak is:
09:58:25,420 WARN [org.keycloak.events] (default task-30) type=CLIENT_LOGIN_ERROR, realmId=quarkus, clientId=web-application, userId=null, ipAddress=172.17.0.1, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret
Question:
Why does Quarkus try to use "grant_type=client_credentials"? It should use the grant type "authorization_code". This looks like a bug in Quarkus, but maybe there is a flag.
"Service Account Enabled" is off. Enabling it should fix the issue.
Could you try:
quarkus.oidc.client-type=web-app
instead of:
quarkus.oidc.application-type=web-app
Source: https://quarkus.io/guides/security-openid-connect-web-authentication
Is there a way to secure Config Server with an OAuth2 token?
I plan to secure the Spring Cloud config-server with an OAuth2 token, so that a client-server can fetch properties by:
cloud:
  config:
    uri: http://user:password@localhost:8888
Is it feasible?
But ... I met some problems.
I start a demo https://github.com/keryhu/spring-oauth2-config-server.git
It contains four services:
1: eureka: started first; it implements service registration and discovery and has no OAuth2 environment.
2: auth-server: JWT OAuth2 server configuration, started second.
@SessionAttributes("authorizationRequest")
@EnableResourceServer
@EnableDiscoveryClient
and an in-memory user:
security:
  user:
    password: password
3: config-server: started third
@EnableDiscoveryClient
@EnableConfigServer
@EnableResourceServer
and in application.yml :
spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/keryhu/cloud-config
security:
  oauth2:
    resource:
      jwt:
        keyValue: |
          -----BEGIN PUBLIC KEY-----
          ....
          -----END PUBLIC KEY-----
4: pc-gateway: is a client-server and also a UI server, started last.
When I test the secured URI http://localhost:8080/hello, the page is redirected to
http://localhost:9999/uua/login
After entering "user:password", it redirects back to
http://localhost:8080/hello
So I think the oauth-server and oauth-client are fine.
But I also set the following configuration in bootstrap.yml:
cloud:
  config:
    uri: http://user:password@localhost:8888
When starting the pc-gateway service, fetching config from the server gives 401 Unauthorized errors:
INFO 954 --- [main] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at: http://localhost:8888
WARN 954 --- [main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: 401 Unauthorized
Need help! Thanks!
I am registering an account from Android on an ejabberd server, but I get a 403 auth error while creating the account.
Here is my ejabberd.yml. Can anyone tell me what I am missing?
admin:
  user:
    - "xyz": "my-ip"
loopback:
  ip:
    - "127.0.0.0/8"
    - "my-ip"
register:
  all: allow
trusted_network:
  all: allow
I have found the solution. In your configuration file, ejabberd.yml, you need:
mod_register:
  access_from: allow
  access: register