I use keycloak as Idp. And I use a keycloak client to get jwt token from keycloak.
when I use the token to call the api in my springboot app which secred by keycloak-spring-security-adapter and spring-security. I find KeycloakAuthenticationFilter can get Authentication from SecurityContext.
why? Where is convert token to Authentication and put it in SecurityContext?
when use keycloak token call rest api, KeycloakAuthenticationFilter will go to auth.
use token to authenticate by authenticator
in authenticator, will verify token, if success, will put it to SecurityContext.
but how to put to SecurityContext has some variant
you can clike one to see how to finish this step.
Related
I implement a oauth2 authorization server by spring security oauth2 and use JwtTokenStore to store access token,then I need to provider a /userinfo controller for current access token to get user info by an oauth2 client,the /userinfo as follow:
#RequestMapping("/userinfo")
public Object getCurrentUserInfo(HttpServletRequest request) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return authentication;
}
but I don't know how to get userinfo?
Maybe need read more OAuth 2 Developers Guide .Know function for Authorization Server,Resource Server and OAuth 2.0 Client,know spring security.
To get userinfo by access token ,should config a resource server in the Authorization Server too. Because resource server provider a filter OAuth2AuthenticationProcessingFilter to get user info by token and set into SecurityContextHolder.
I am using Spring oath to secure my RESP API's and successfully generated the oauth token. Now I am stuck in 2 place mentioned below.
1) Logout: I didn't find any URL in specification which I can call to logout/invalidate the token. One option I got is to write own implementation of logout and delete the token from the token store from that method. But is there any other way to logout/invalidate the token like we retrieve the token.
2) Validation of Token: Is there any url where I can pass my token and can validate that the token is valid or not. One way is to write a own method from which I will validate token. If own method returns 200 then valid token else invalid token(401). But like to know that , is Spring OAUth provide any such url.
The most common usage is to integrate Spring security with a standards based cloud authorization server, in which case you can use these options:
Logout occurs when a UI calls the End Session Endpoint
Tokens can be validated by APIs either in memory or via an Introspection Endpoint
Note however that not all Authorization Servers implement these endpoints in a standard way.
Deleting tokens on logout is the most standard option, along with keeping tokens short lived so that they expire soon anyway.
I am using client_credentials grant type in my spring boot application. In client_credentials grant_type the client makes a request to the token endpoint. If the access token request is valid and authorized, the authorization server issues an access token.
localhost:8181/OUTPOST/oauth/token?grant_type=client_credentials&client_id=myClientId&client_secret=secret
The problem is my client is a javascript application. Client application wont be able to securely store the client credentials, so there is no point is having client_secret.
Implicit, password and Authorization code needs user details for generating token. But i dont have any user, i just need to validate my client application.
Which grant_type should i use to support my requirement?
The implicit OAuth2 flow is wat you are looking for. Details from the OAuth2 spec: https://www.rfc-editor.org/rfc/rfc6749#section-1.3.2
I don't think what you are asking is really valid. It is not possible to authenticate a JavaScript client securely via OAuth2 without user credentials. This would mean that everyone that can access the JavaScript app would be authenticated.
If you want to restrict access to this app without user credentials, it might be better to add network level policies instead, like IP range whitelisting.
I have an application that understands OAuth 2.0 token (on passing a valid OAuth 2.0 token, it authenticates a user) returned by Live ID .
This OAuth toke looks like -
"78wcH%2by1t6avE8zhVCzXQndK2zWJbCWvoZbSKfAduQuyQETUG2FtN5FOw%2bKaj5uCwUfuOS/2J35NvhDkZaaqoOzOVuoTYUDZgAACNzcJuSyBR21CAE9LpBrltj0PljQ76Hd9aJXW8x8DtRsKZvOn76PN69oGDzrGIjXXPIyCGDii9TYmP92kmh50B05qTqhdLiAXcluriQWuEMKONPUVazSmFN2BXZVW3NDdk3vkos8m68SXf%2"
Now I have another application which is based on Azure ACS mechanism. I can get SAML or SWT token from there.
Sample SWT tokens can be found here
Is there any method I can convert the SAML/SWT tokens to the former OAuth 2.0 token?
Note: I tried fetching SWT tokens via OAuth v2-13 protocol, but this token is not validated by the service accepting OAuth token.
Found it.
ACS doesnot expose any API which converts a SAML token to an OAuth 2.0 token.
The possible alternative is that on receiving a SAML token, break open the token, verify the authenticity of the user and successively, fetch OAuth token for the user using live id APIs.
It will definitely double the latency for your signin process.
Does oauth2RestTemplate or access token providers support validate token request?
Here is the flow:
Mobile/Web-App authenticated from third party Authentication server
and obtains Access-Token.
User tries to access a secured resources, and passed the Access-Token in the request, as expected by the protocol.
Is it possible to check this token against third-party server?
I found a bit similar here in the form of a refresh token.
Is validation request the part of the OAuth2 standard?
Thanks
No, OAuth2 doesn't enforce a specific token format or API for validating tokens. This is something that has to be decided independently between the resource server and the authorization server.
For example, the UAA project, which uses Spring Security OAuth2, uses signed JWT tokens, so the resource server can validate the contents without having to ask the authorization server directly. It also provides a /check_token endpoint, which will decode the token and verify that it has not expired.