I have built a OAuth2 client application using Spring security OAuth2 client library. Next, how to pass the jwt token as Authorization header while invoking a REST call to the Resource server. Is there any class which will inject the Auth code in the Request header seamlessly when building OAuth2 client application using Spring Security
A very basic authentication flow is as follows:
Login endpoint is accessible without any security.
Upon successful login server sends HTTP response with "SET-COOKIE" header
by specifying an auth cookie.
This cookie is stored by the browser for the domain that set it. Usually this is an HTTP cookie this means that we cannot access it via Javascript API.
For every subsequent request to the same domain, browser adds the cookie by itself.
Summary: All we need to do is to send the set-cookie header along with the token, browser will make sure it is sent for subsequent requests. In production make sure this cookie has secure and httpOnly attributes.
Image reference: https://demey.io/jwt-tokens-for-distributed-authentication/
Related
I'm implementing a SSO solution. Got a general question regarding authorization code flow grant type as described here.
After a user login, the client app would get an ID token. But I cannot find anywhere how/when a JWT should be given to the browser such that it can set the bearer token in the request header for any subsequent request? Is it something not specified in the standard or I misunderstand something?
The browser does not set the Authorization request header automatically. You have to do it yourself using Javascript. This means that a request with such a header must be an AJAX call. If you want to send regular requests through the browser (by navigating to a URL), then you have to use cookies, as they will be automatically added by the browser. (You can keep the value of a token in a cookie and have your backend read a cookie instead of the Authorization header)
I`m new to OAuth 2.0 and am trying to develop a application using a third party OAuth provider with Authorization Code grant flow as ny Authorization Server and Spring Security.
This provider gives me two endpoints /authorize and /token and those two, after the user authorizes its access, will return a access token.
So far, I have secured the "/" endpoint, so the application redirect the user to the authorization page and then, in the callback endpoint, store the token so it can be validated by a filter in each request.
But, as the application is mainly a set of REST API's, we want to be able to test it using Postman, with that said, on Postman, I am getting the token by setting the Authorization as OAuth 2.0 and requesting the token directly from the third party endpoints but, as Postman have its own callback URI, my application doesn`t store the token generated.
So, my two questions on this are:
Using /callback endpoint to store the token and validating it before each request by a filter is the common way of doing it?
To use Postman, should I create an endpoint for storing the token generated outside the application context or should I create an Authorization Server of my own as an additional layer on top of this third party AS?
Since your application is a set of REST API's, you need to make it as a Resource Server (in terms of OAuth2).
Resource Server doesn't perform authentication itself, it only validates a token from Authorization header (Resource Server in a nutshell).
You can find an example in Spring Security samples: oauth2resourceserver
I eventually come to the conclusion that I was using Postman wrong the whole time.
So, by the end, we got the Token saved on the database when the user logs in and, then, return it to the caller, whether it is the Front-end application, or Postman itself.
Then, in every call to the API's, the caller should include the token as Authorization on the header and a Filter on Spring will check the token against the Database.
After having developed my first web portal (using railstutorial.org), I'm now making my way in building my first API (with some help).
Authentication for the web portal works with session as well as with a cookie (if the user wants his log in to be remembered).
For the API I understand that using session is insecure; you need to work only with a token. So, just as for the web portal, when a user logs into the API his credentials get checked, and if they are valid a token is generated of which the digest is stored to the database.
But then: I understand there are then three options what to do with the token: to store the token on the user's computer using a cookie, include the token as parameter or use the HTTP header. I read for APIs using the HTTP header is the preferred option.
If using the cookie, it is the same as the 'remember me' option for the web portal: the token is stored in the cookie and a digest of the token is stored in the database. With each API request the cookie is read and it is checked if it's token matches the digest.
Each time the API sends data to the user or the user makes a call to the API, the token is included as a parameter. I understand that this displays the token in the URL, which is not desirable.
My understanding of using the HTTP header fails.
What does it mean to use the HTTP header to send the token, instead of a cookie? What is the process/logic behind it? When to use a cookie, a parameter or the HTTP header?
Am I correct in my understanding that each time the API sends data to the user, it should include the token in the HTTP header? And each call the user makes to the API should include that same token?
I think this link is a good place to start : http://devcenter.kinvey.com/rest/guides/security
Also, reading up on some documentation of HttpAuthentication::Token should give you a basic overview of how/when you should utilize it.
http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
You should look into how a cookie works. Setting a cookie is also sending a standardized http header to the client. When client sends a request, they can send cookie along with the request.
There is also a standard for http token in rails: Link Which is also setting a specific header in the request
Between the Authorization Request (3.1.2.1) and the Authentication Response (3.1.2.5) the authorization server is responsible for validating the request, authenticating the user, and get user-consent before sending the response.
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
How is that supposed to work in a SPA application?
If I issue an ajax request the authorization server can't authenticate the user (I don't see how since there's no cookie, http-header or url fragment telling the Authorization Server who the user is). If I redirect the user to the authentication endpoint my SPA is unloaded. Since I don't have a server redirect_uri (which I've understood is the whole point of the implicit flow?) the endpoint can never reach my SPA again.
Obviously I'm missing something. How is the authentication and user-authorization chrome supposed to be shown to the user in the implicit flow?
OAuth 2.0/OpenID Connect separate the authentication from the application. You would redirect unauthenticated clients/users away from your application before anything is loaded and only handle the authorization response in the SPA. Your redirect URI would point to the SPA. In any case, you would not handle the OAuth 2.0/OpenID Connect dance in Ajax but in a full browser.
I have a rest API made with Grails, I can use spring security via Ajax auth, and store the jsessionid cookie in the client, but when i login with 'j_spring_security_facebook_json?access_token=' it doesn´t create the jsessionid cookie... and i can´t store the session in the client.
Does exist any solution for this problem? thanks.
As you're using an external client (mobile app), in most cases you have to use something different for authenticating your requests. Not a cookie. Usually it's OAuth2 or just a custom signature based on a shared key.
j_spring_security_facebook_json auth is supposed to be used as an exchange point, where server can pass a key/token for mobile client that have valid fb token. Then this token could be used for authentication of following requests.
See "How to extend JSON response" at http://splix.github.io/grails-spring-security-facebook/guide/3%20Usage.html#3.5%20Json%20Authentication