I have a registered a client to access a web service using OAuth2. I know the client id, client secret and grant type and token endpoint. Does OAuth2 expose an endpoint to get the client registration id? If not, is there any other way to obtain the client registration id?
I am trying to use the client registration id to create a Spring Security ClientRegistration object for use in a Spring WebClient. Is there a way to create a OAuth2 enabled WebClient without the registration id?
You can use any identifier of your choice as a client registration id. For example, you can name it after API your trying to access or Identity Provider name. It is used to get ClientRegistration from ClientRegistrationRepository.
ClientRegistrations are loaded automatically from an application.properties file. Spring auto-configuration looks for properties with the schema spring.security.oauth2.client.registration.[registrationId] and creates a ClientRegistration instance within a ClientRegistrationRepository.
You can refer to the following blog post for more examples of how to create and use ClientRegistration class: Intro to Spring Security 5 Core Classes.
Related
I'm developing a set of microservices exposed as REST through WSO2 API manager.
Now, I'd like to call these services in Angular front end. What is the best way to handle user authentication and authorization?
I found it can be done through OAuth2 Password Grant as described here?
When user logs in, user credentials will be sent to specific WSO2 APIM endpoint (/token), it validates, generates the token and this token will be sent in header for subsequent calls.
Is this the best approach to this case?
Thanks in advance,
As mentioned in your question, https://apim.docs.wso2.com/en/next/learn/api-security/oauth2/grant-types/password-grant/
This method will only work when you have the resource owner's username and password.
Take an example, suppose you have published the APIs and created a user (resource owner) in the WSO2 store. this user is subscribed to the API using the application. the application will have a client id and secret, which will be used to generate the OAuth2.0 token. this token will be used to invoke the APIs.
Now in your angular project, one way is to hardcode the base64(clientid:clientsecret) and call the token API to generate the OAuth2.0 bearer token. use the generated token to call the APIs onboarded on WSO2. To protect your APIs from the attack, use rate limiting based on IP
Now take another situation, if you want the user to authenticate first, then generate the JWT token for that user using the password grant type (using actual user's username and password), and using that JWT generate the OAuth2.0 Bearer token which will be used to call the APIs.
Steps to be performed for the second situation:
during registration (from Angular), internally onboard the user in the WSO2 Identity Server. (There is a WSO2 API for the same)
After registration, generate the JWT token from the identity server by authenticating username and password. (Again for this, WSO2 API is there)
now using this JWT token, Generate the OAuth2.0 token from WSO2 APIM
use this token to call the APIs
The second approach is the ideal approach for user to service authentication and authorization using WSO2 as the gateway while the first approach mainly focuses on service to service authentication and authorization
Hope this answers your question
Reference Link: https://medium.com/wso2-learning/how-to-protect-your-apis-with-self-contained-access-token-jwt-using-wso2-api-manager-and-wso2-75673d8a4686
I have:
Spring boot client application with some public endpoints and private endpoints which require #PreAuthorize("#oauth2.hasScope('resource.read')") for example
I have a external authorization server: Cloudfoundry UAA
I have a external OIDC provider linked to UAA I can use that to authenticate a person, I receive a Person_ID from the ID_Token from that external OIDC provider
Now I need to change UAA core code to implement my logic of using that Person_ID and searching for equivalent user from LDAP which shares the same Person_ID and then I will need to add it's usergroups to the token for the client. (I have done it currently in the /userinfo endpoint)
So I have done this logic in the /userinfo endpoint, when client receives a access token (From client, redirected to UAA, from UAA to OIDC for AUTH, then back again for the token and then this token is sent to client, now client can take the token and ask for the /userinfo which will then have it's user roles)
Is this bad logic? Should I add the LDAP implementation(step4) inside the access token already somehow?
Really, as is often the case with design questions, it depends.
The key to remember is that OIDC and its associated id_token are for authentication. It's common for the /userinfo response to state claims about who the user is. Part of the user's identity might be their role.
OAuth and its associated access_token, on the other hand, are for authorization. It's common for the access token to state claims about what the client is authorized to do. What a client might be able to do may be different than the user's role.
Think about what decisions this client will need to make. It may be able to make choices like which of its pages it can show, based on the roles that it inferred from the /userinfo response.
Think about what this client will communicate with. Maybe it will communicate with a resource server. If the client passes the access_token obtained during login, then that token should indicate what the client is authorized to do.
I've configured SAML2 Web SSO to redirect the user login from an external form to our WSO2 Identity Server. We are using OAuth on the WSO2 Identity Server.
Recently, we've changed the OAuth ProviderUserId. We were using the email address and now we are using a GUID.
When the users are redirected from the external form to WSO2 and we try to get the user data from OAuth (using the access token), the subject we get is the email address and not the GUID. The login fails.
Any ideas?
Thanks in advance.
I'm supposing that you are using Identity Server 5.0.0.
In the configuration of the service provider you can set the claims you want.
Try to set the Role Claim URI: to the claim coresponding to GUID.
Then it should be this field who is set when requesting a token.
I am trying a POC with WSO2 API manager and Identity server. The application users are registered to the user store on the identity server. An API is exposed on the API manager that will be used by the application. The goal is to authenticate the users accessing the application using the oauth resource owner password credentials. The user credentials are in the user store on the identity server.I created a new tenant for this.
I configured SSO for the API manager by using this documentation. so that the users are authenticated against the identity server user store.
Tried to generate a token to access the API exposed on the API manager. I was able to retrieve the token client credentials grant type but not for the resource owner password grant type.
Appreciate any help here.
I do not think, you need SSO here. SSO is needed with APIM and WSO2IS, if users need to login to the API store/publisher/APIM management console. I hope you are talking about end users.. Then end users are may not need to login to the APIM. They just need to login your custom applications and application would call the APIs in the APIM.
But, say user need to login to custom applications using SSO, then you can configure SSO between WSO2IS and custom applications. Please refer here. Once user login to the application, application can exchange a end user's SAML2 Assertion with access token by using APIM. Then application can access the APIs in APIM using access token behalf of the user. You can refer this for more details
Also, if you are just trying to use OAuth just for authentication, You may need to use openid-connect. (just to login to custom application)
I'm trying to create an application that allows an authenticated user to create OAuth2 bearer tokens for use with APIs published by the organization. The idea is to allow the user to self generate / revoke such tokens, similar to GitHub's Personal API tokens. The user can then use the issued tokens to gain programmatic access to protected resources exposed by the same organization.
This application requires:
A UI to authenticate a user and allow the user to generate and revoke tokens
A server-side RESTful API that allows user authentication and token generation, revocation and storage
Ideally this application would be stateless and not require sessions, using a SPA.
Some questions surrounding the implementation:
Should the exposed API be the #EnableAuthorizationServer /oauth/token endpoint using the Resource Owner Password Credentials Grant type? If so, is it insecure to expose the Client Credentials to the UI? Can this be avoided?
Should the API expose a new, dedicated endpoint which directly calls AuthorizationServerTokenServices? If so, how might this be achieved?
Is there a reference implementation using Spring Boot and Spring Security OAuth2?
Any suggestions or references would be greatly appreciated.