My spring cloud gateway cors configuration:
gateway:
globalcors:
cors-configurations:
'[/**]':
allow-credentials: true
allowedHeaders: "*"
allowedOrigins: "*"
allowedMethods:
- GET
- POST
- DELETE
- PUT
- OPTION
max-age: 3600
I think this configuration should be able to fix this problom, But it's not what I expect. The backend service api /oauth/token still return "401 Unauthorized".
BTW: My backend service integrate with spring sercurity.
Related
We are currently working on a POC of Spring Cloud Dataflow, deployed in an Azure Kubernetes Service.
One of our requirements is to integrate it with an Azure Active Directory.
The authentication part went smoothly, but for the authorization, we need SCDF to be able to recognize appRoles of users (RBAC). But the behaviour so far seems to be that only the scopes are exposed, and if all scopes were exposed, then the user has all the service-roles (ROLE_VIEW, ROLE_DESTROY, ROLE_DEPLOY,...).
For instance, we'd like one user to have ROLE_VIEW only, and another user to have both ROLE-VIEW and ROLE_DESTROY.
What we've done so far:
Following the documentation, we created an App Registration (dataflow-server) exposing the following scopes & API permissions:
api://dataflow-server/dataflow.destroy
api://dataflow-server/dataflow.view
api://dataflow-server/dataflow.deploy
api://dataflow-server/dataflow.manage
api://dataflow-server/dataflow.schedule
api://dataflow-server/dataflow.create
api://dataflow-server/dataflow.modify
We created 2 appRoles, "role_reader" and "role_writer", to grant to specific users.
And we updated the configmap of the SCDF server to include these configurations:
spring:
cloud:
dataflow:
security:
authorization:
provider-role-mappings:
dataflow-server:
map-oauth-scopes:true
role-mappings:
ROLE_VIEW: role_reader
ROLE_DESTROY:role_writer
ROLE_DEPLOY: role_writer
ROLE_CREATE: role_writer
ROLE_MANAGE: role_writer
ROLE_SCHEDULE: role_writer
ROLE_MODIFY: role_writer
And:
spring:
security:
oauth2:
client:
registration:
dataflow-server:
provider: azure
redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
client-id: <client_id_from_the_azure_app_registration>
client-secret: <client_secret>
scope:
- openid
- profile
- email
- offline_access
- api://dataflow-server/dataflow.view
- api://dataflow-server/dataflow.destroy
- api://dataflow-server/dataflow.schedule
- api://dataflow-server/dataflow.manage
- api://dataflow-server/dataflow.create
- api://dataflow-server/dataflow.deploy
- api://dataflow-server/dataflow.modify
provider:
azure:
issuer-uri: https://login.microsoftonline.com/<tenant-id>/v2.0
user-name-attribute: name
resourceserver:
jwt:
jwt-set-uti: https://login.microsoftonline.com/<tenant-id>/v2.0/keys
My understanding after reading the docs was that this should be sufficient to map the service roles (ROLE_VIEW) with the Azure AppRoles (role_reader) and allow to use RBAC.
Where did I go wrong ?
Thanks in advance for taking the time to read !
By default looks like Traefik terminates the SSL and webserver only sees the http request. As a result I'm getting this error below when trying to set Auth cookie on asp.net form
These cookies require the browser to issue the request over SSL (https protocol)
I tried below on web site label but no luck. How do we stop Traefik terminating SSL?
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.force-STS-Header.headers.forceSTSHeader=true"
- "traefik.http.middlewares.force-STS-Header.headers.stsSeconds=31536000"
- "traefik.http.routers.cm-secure.entrypoints=websecure"
- "traefik.http.routers.cm-secure.rule=Host(`${CM_HOST}`)"
- "traefik.http.routers.cm-secure.tls=true"
- "traefik.http.routers.cm-secure.middlewares=force-STS-Header"
- "traefik.tcp.routers.cm-secure.rule=HostSNI(`${CM_HOST}`)"
- "traefik.tcp.routers.cm-secure.entrypoints=https"
- "traefik.tcp.routers.cm-secure.tls.passthrough=true"
- "traefik.tcp.routers.cm-secure.service=cm"
- "traefik.tcp.services.cm-secure.loadbalancer.server.port=443"
In order to add a route for a websocket based micro-service I have
Configured my application as per Spring cloud gateway documentation
- id: sample_service_web_socket_handshake_url
uri: lb:ws://sample-service
predicates:
- Path=/notification-service-ws/**
above notification-service-ws is the handshake url of websocket-service
upon accessing this websocket endpoint directly( without spring-cloud-gateway ) session has been connected with no issue
but upon trying to connect using spring-cloud-gateway the gateway gives following warning log
2020-01-09 10:44:02.923 WARN 5155 --- [-server-epoll-5] .a.w.r.e.DefaultErrorWebExceptionHandler : Failed to handle request [GET http://192.168.10.44:4260/notification-service-ws]: Response status 400 with reason "Invalid 'Upgrade' header: {Sec-WebSocket-Version=[13], Sec-WebSocket-Key=[0EJxcMdBmRhZ5suS/INKnQ==], Sec-WebSocket-Extensions=[permessage-deflate; client_max_window_bits], Host=[192.168.10.44:4260]}"
I have verified no HTTP request is being sent to websocket service
Issue resolved after adding following properties to spring-cloud-gateway application.yml file:
spring:
application:
name: burraq-api-gateway
profiles:
active: dev
cloud:
gateway:
filter:
remove-non-proxy-headers:
headers:
- Proxy-Authenticate
- Proxy-Authorization
- Keep-Alive
- TE
- Trailer
- Transfer-Encoding
This issue occurred because spring cloud gateway by default request headers as mentioned here
I am trying to authorize a user using code grant flow in Keycloak to a Quarkus application.
Here is the Quarkus configuration
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=web-application
quarkus.oidc.credentials.secret=ca21b304-XXX-XXX-XXX-51d38ef5da02
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email
The client configuration for "web-application" has only Standard Flow enabled (for Code Grant Flow)
I access http://localhost:8080/
I'm redirected to Keycloak (url looks good with scope=openid+email&response_type=code&client_id=web-application
I log in with sample user account
I'm redirected back with the code
Then I get an exception in Quarkus
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:276)
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:205)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:202)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:210)
The error in Keycloak is:
09:58:25,420 WARN [org.keycloak.events] (default task-30) type=CLIENT_LOGIN_ERROR, realmId=quarkus, clientId=web-application, userId=null, ipAddress=172.17.0.1, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret
Question:
Why Quarkus tries to use "grant_type=client_credentials"? It should use the grant type = "authorization_code". This looks like a bug in Quarkus, but maybe there is a flag.
"Service Account Enabled" is off. Enabling it should fix the issue.
Could you try:
quarkus.oidc.client-type=web-app
instead of:
quarkus.oidc.application-type=web-app
Source: https://quarkus.io/guides/security-openid-connect-web-authentication
I've tried to follow the steps here to configure ejabberd OAuth but failed. ejabberd.yml looks like below :
-
port: 5280
module: ejabberd_http
request_handlers:
"/websocket": ejabberd_http_ws
"/log": mod_log_http
# OAuth support:
"/oauth": ejabberd_oauth
# ReST API:
"/api": mod_http_api
## "/pub/archive": mod_http_fileserver
web_admin: true
http_bind: true
## register: true
captcha: true
Note : I've restart the ejabberd.
URL that I used (this is the page where I entered User, Server and Password) : http://mytestsite.com:5280/oauth/authorization_token?response_type=token&client_id=Client1&redirect_uri=http://mytestsite.com&scope=user_get_roster+sasl_auth
I've been redirected to https://mytestsite.com/?error=access_denied&state=&gws_rd=ssl
According to the tutorial, once I enabled /oauth and /api in the .yml file, the following URL should redirect me to http://mytestsite.com/?access_token=RHIT8DoudzOctdzBhYL9bYvXz28xQ4Oj&token_type=bearer&expires_in=3600&scope=user_get_roster+sasl_auth&state=
You must defined oauth_access parameter in ejabberd.yml config file, otherwise, no one can create an oauth token.
We will update the documentation to make it more accurate on that part.