I'm including micronaut oauth2 authentication in my project calling Amazon cognito feature.
It is working fine but I want to include metrics about authentication errors/success so I need something like an interceptor class to be called so I can save the success and errors inside the authentication.
Any suggestion?
Regards
Related
I am trying to protect my swagger with Basic Auth. But also, the Doorkeeper with Bearer authentication is used.
If I send the basic and bearer in one query, doorkeeper doesn't authorize me.
Is it possible to make doorkeeper ignore basic auth and only accept Bearer?
If I understood you correctly, you can try to play with client_credentials and access_token_methods configuration options and set desired way of getting authorization data from the request.
You can find more info in project wiki, Changing how clients are authenticated (but it actually a stale one), or check the configuration initializer (in your project or in Doorkeeper repo)
When I am trying to understand OAuth2 client, I am confused about why we have two different filters
I attempted to integrate with Github. Here are my observations
OAuth2AuthorizationCodeGrantFilter sound like a filter that exchanges authorization code for access token, but when I keep debug point it does not do that
OAuth2LoginAuthenticationFilter sounds somewhat like it does login somehow, but this filter exchanges auth code to access token instead of above
I'm not sure why this is the case, as the first class name implies some strong correlation to authorization code
Also, Whats is the difference between OAuth2LoginConfigurer & OAuth2ClientConfigurer
Looks like OAuth2LoginConfigurer configures OAuth2LoginAuthenticationFilter, while OAuth2ClientConfigurer configures OAuth2AuthorizationCodeGrantFilter
Can someone explain what each of them does & in which scenarios they are applicable?
Thanks
This is well documented in the Spring Security reference.
OAuth 2.0 Login
OAuth 2.0 Client
As well, in the javadoc:
OAuth2LoginAuthenticationFilter
OAuth2AuthorizationCodeGrantFilter
At a high level:
http.oauth2Login() is an implementation of OpenID Connect Authentication using the Authorization Code Flow
http.oauth2Client().authorizationCodeGrant() is an implementation of OAuth 2.0 Authorization Code grant
I'm working on a Grails project that needs to authenticate the user calling my SOAP service.
For the authentication, I'm using CXF and it's working fine, but when I have to authorize using #PreAuthorize with my own implementation of org.springframework.security.access.PermissionEvaluator, the user received by my implementation of PermissionEvaluator is grails.anonymous.user instead of the user authorized by CXF.
How can I get the user authorized by CXF in my implementation of org.springframework.security.access.PermissionEvaluator?
I think you need to setup the security context in SecurityContextHolder, #see: https://docs.spring.io/spring-security/site/docs/4.2.0.RELEASE/apidocs/org/springframework/security/core/context/SecurityContextHolder.html
I'm trying to use Spring Security OAuth2 to access the github api. The problem I'm having is that once you get a response from their authorize api, you don't get back a token, you get back a code that needs an extra verification step.
I don't see how I can plug this into spring's oauth 2 framework. Am I missing something?
Here's the flow github wants:
github oauth
This step specifically:
If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. If the states don’t match, the request has been created by a third party and the process should be aborted.
Exchange this for an access token:
POST https://github.com/login/oauth/access_token
You can plug that in Spring Security. That is called the authorization code and Spring Security supports that.
Here is the chapter in the specs where this extra-step flow is described: https://www.rfc-editor.org/rfc/rfc6749#section-4.1
You don't have to care about this. Spring will automagically handle that behind the scenes. Here is the class in Spring Security that handles that flow: AuthorizationCodeAccessTokenProvider
This is a question regarding ASP.net MVC 4. You can assume SSL throughout.
I have a Web API which will be available to clients over SSL using HTTP Basic Auth.
I also have a CMS, on the same domain, which uses the Web API via jQuery.
The user logs into the CMS over Forms auth.
For this reason I would like that it be possible to login to the Web API using either HTTP Basic Auth or Forms auth.
I plan to implement this using a custom AuthorizeAttribute, which will first check the basic auth header against the database if present. If the basic auth header is not present, then it will delegate authorization to the base AuthorizeAttribute to handle Forms auth.
First of all, is this a good idea? Can anyone see any problems in allowing either type of auth? Can anyone see any implementation problems?
First of all, is this a good idea?
Yes, it seems like a good idea and I do not see anything wrong with implementing 2 types of authentication mechanisms:
Forms authentication for users that are already authenticated on the same domain
Basic authentication for users that are not yet authenticated but posses a username and password and want to directly invoke some method of your Web API