I am trying to authorize user from ldap without import users from ldap to keyclaok.
The documentation says:
You can use LDAP with Keycloak without importing users into the Keycloak user database. The LDAP server backs up the common user model that the Keycloak runtime uses. If LDAP does not support data that a Keycloak feature requires, that feature will not work. The advantage of this approach is that you do not have the resource usage of importing and synchronizing copies of LDAP users into the Keycloak user database.
There is my spring security config:
#Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/vaadinServlet/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
.antMatchers("/api/gui**")
.permitAll()
.and().exceptionHandling().accessDeniedHandler(accessDeniedHandler())
.and().logout().logoutUrl("/api/logout").logoutSuccessUrl("/api/").deleteCookies("OAuth_Token_Request_State", "JSESSIONID").invalidateHttpSession(true);
}
But keycloak cant find user from ldap when it trying to login.
Is there any way to authorize user from ldap without importing it to keycloak users?
Related
I have an application set up as follows:
Angular UI -> Spring Cloud Gateway -> Spring Boot-based Service
I am attempting to authenticate my application against a limited Oauth SSO server with ONLY the following endpoints:
/authorize
/token
/userdata
The SSO does not provide an /introspect endpoint, nor does it issue JWTs.
What I would like to do is have Spring Cloud Gateway handle the authentication, but based on the result from /userdata, I would like to generate my own JWT to relay to the service.
My questions:
Is this possible?
If so, can someone give pointers or guide me to the resources that will get me started?
Spring Security OAuth2.0 Client and Spring Cloud Gateway combination works well in this case.
Client(Angular UI) requests to the Gateway service with OAuth2.0 login URL
The Gateway redirects the request to Identity Provider(Such as Google) login page.
After user login successful Identity Provider redirects the request to the Gateway with user info.
On Authentication success handler(Gateway service)
Parse user info and save it to somewhere
Create access token and refresh tokens. Set them to request cookies
Redirect to client(Angular UI)
I don't know the reason to pass the token downstream services at this point. If there is no specific requirement then I would implement all the security related operations on the Gateway service. Such as token generation, validation etc. This way new services can be easily added without concerning about authentication and authorization.
Here is a sample project.
Is it possible to have a login rest service that authenticates with Spring Security the container security and if successful then returns a JWT Token. Call to other services then would use JWT Filter.
The basic idea is this.
I have React Application that has a login Page. It sends a login request (via rest service) with username and password. The security is container based (an example would be Tomcat users). Spring security should authenticate via container and if the username and password are ok, then the login service returns a JWT Token.
All other services use Spring Security JWT Token Filter security.
I can't find examples of this situation when I google.
What you are trying to find is what Spring Security calls Pre-Authentication.
You can enable it for different scenarios, I will show an example Java EE container.
#Bean
SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
http
...
.jee(Customizer.withDefaults())
...
return http.build();
}
What the jee() will do is registering a J2eePreAuthenticatedProcessingFilter in your SecurityFilterChain, and the filter itself will extract the Principal from the HttpServletRequest and call the PreAuthenticatedAuthenticationProvider to authenticate it.
Then, in your controller, you can inject the Principal and build the JWT using the Principal's details.
I have created 2 JHipster applications (JHipster v6.3.1):
Microservice Gateway
authenticationType: oauth2
Microservice Application
authenticationType: jwt
I have configured Okta with the gateway app and this works fine, I can log in with my user. I can also see that the ROLE_ADMIN and ROLE_USER authorities are being correctly assigned in Spring Security.
However I get the following error from the Microservice Application when I attempt to add/view an entity:
Unsupported JWT token.
Unauthorized: Full authentication is required to access this resource
Is there some configuration I need to do to get the JWT token passed in to the Microservice Application?
You cannot mix authentication types between microservice apps. You have to use either OAuth 2.0 or JWT in all of them. FWIW, JHipster's OAuth 2.0 support does use JWTs.
I'm trying to create an application that allows an authenticated user to create OAuth2 bearer tokens for use with APIs published by the organization. The idea is to allow the user to self generate / revoke such tokens, similar to GitHub's Personal API tokens. The user can then use the issued tokens to gain programmatic access to protected resources exposed by the same organization.
This application requires:
A UI to authenticate a user and allow the user to generate and revoke tokens
A server-side RESTful API that allows user authentication and token generation, revocation and storage
Ideally this application would be stateless and not require sessions, using a SPA.
Some questions surrounding the implementation:
Should the exposed API be the #EnableAuthorizationServer /oauth/token endpoint using the Resource Owner Password Credentials Grant type? If so, is it insecure to expose the Client Credentials to the UI? Can this be avoided?
Should the API expose a new, dedicated endpoint which directly calls AuthorizationServerTokenServices? If so, how might this be achieved?
Is there a reference implementation using Spring Boot and Spring Security OAuth2?
Any suggestions or references would be greatly appreciated.
I have implemented UserDetailsService and overriden loadUserByUsername(String username), here i need User entered password.
I want to authenticate against LdapTemplate authenticate(username,password).
I have searched a lot but dint get it.
Please help me.
Either use spring-security-ldap for LDAP based authentication or implement your own AuthenticationProvider instead of DaoAuthenticationProvider.
There are multiple authentication scenarios when using Spring Security LDAP:
either you can retrieve the user entry via connection authenticated by the provided credentials (probably scenario you are looking for)
or you can authenticate via technical account (usually you need to make LDAP search to get user's DN)
For more information check Spring Security LDAP documentation.