I am using OAuth2 with Spring Security. The redirectUri in Okta should be mentioned as http://localhost:port/login/oauth2/code/okta. Can I configure a custom Redirect URI and in that case, what other changes I need to do for it to work?
Note:
I added the below configuration for redirectURI which is mentioned in the Registration static class and had configured the same redirection uri on the Okta side. The application is not able to get the token as it is getting into a recursion. When I changed the call-back to http://localhost:8080/login/oauth2/code/okta in the Okta client configuration, it started working?
What is the significance of redirectURI parameter in the application.yml file.
spring:
security:
oauth2:
client:
registration:
okta:
client-id: 0oa47p3n9dwLxBkRi5d7
client-secret: <confidential>
redirectUri: http://localhost:8080/authorization-code/callback
scope: openid
clientName: okta
provider:
okta:
authorizationUri: https://dev-7858070.okta.com/oauth2/default/v1/authorize
tokenUri: https://dev-7858070.okta.com/oauth2/default/v1/token
userInfoUri: https://dev-7858070.okta.com/oauth2/default/v1/userinfo
jwkSetUri: https://dev-7858070.okta.com/oauth2/default/v1/keys
issuerUri: https://dev-7858070.okta.com/oauth2/default
Related
We are developing SAML authentication with many identity providers with Spring Security SAML2.
The metadata file of our service provider is unique and it will be distributed to all identity providers, so we need to have unique endpoint for the assertion consumer service.
The yaml configuration is like:
spring:
security:
saml2:
relyingparty:
registration:
idpone:
identityprovider:
metadata-uri: "classpath:metadata/idp/metadata-idp1.xml"
idptwo:
identityprovider:
metadata-uri: "classpath:metadata/idp/metadata-idp2.xml"
We tryed to add for every idp
acs:
location: "{baseUrl}/login/saml2/sso"
but the url {baseUrl}/login/saml2/sso results not found.
How can we configure it?
Thanks
the correct url is {baseUrl}/login/saml2/idpone or {baseUrl}/login/saml2/idptwo
I have a jhipster (spring boot and angular) project implementing oauth2 protocol with Keycloak. I managed to get the application to redirect to keycloak for authentication. I am quite confused as to where the access token is in the response after sign in and where is it stored after redirecting back to my site?
I tried using chrome inspect to view the network but I can't seem to find the access token.
Below is a link I used to setup oauth2 for my project:
https://www.jhipster.tech/security/
URL when login is clicked: http://localhost:8080/oauth2/authorization/oidc
Thanks for all the reply. Managed to get the tokens using the following:
SecurityContext securityContext = SecurityContextHolder.getContext();
OAuth2AuthenticationToken oauth2Token = (OAuth2AuthenticationToken)
securityContext.getAuthentication();
OAuth2AuthorizedClient client = clientService
.loadAuthorizedClient(oauth2Token.getAuthorizedClientRegistrationId(),
oauth2Token.getName());
refreshToken = client.getRefreshToken().getTokenValue();
With OAuth2, the authentication is stateful which means that you have a cookie (JSESSIONID) for the Spring session.
You can get more information by inspecting the context using SecurityContextHolder.getContext().getAuthentication() in the backend.
I am creating a OAuth2.0 client for a custom OAuth2 provider in Spring Boot + Security (version 5) application.
Below is the application.properties which has all the configuration and there is no additional configuration class in my project.
spring.security.oauth2.client.registration.xxxxxxxxx.client-id=XXXXXXXXXX
spring.security.oauth2.client.registration.xxxxxxxxx.client-secret=XXXXXXXXXX
spring.security.oauth2.client.registration.xxxxxxxxx.scope=openid
spring.security.oauth2.client.registration.xxxxxxxxx.redirect-uri-template=http://localhost:8080/login/oauth2/code/xxxxxxxxx
spring.security.oauth2.client.registration.xxxxxxxxx.client-name=xxxxxxxxx
spring.security.oauth2.client.registration.xxxxxxxxx.provider=xxxxxxxxx
spring.security.oauth2.client.registration.xxxxxxxxx.client-authentication-method=basic
spring.security.oauth2.client.registration.xxxxxxxxx.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.xxxxxxxxx.authorization-uri=https://api.xxxxxxxxx.com/authorize
spring.security.oauth2.client.provider.xxxxxxxxx.token-uri=https://api.xxxxxxxxx.com/token
spring.security.oauth2.client.provider.xxxxxxxxx.user-info-uri=https://api.xxxxxxxxx.com/userinfo?schema=openid
spring.security.oauth2.client.provider.xxxxxxxxx.user-name-attribute=name
spring.security.oauth2.client.provider.xxxxxxxxx.user-info-authentication-method=header
When i hit http://localhost:8080/ it redirects properly to provider's login page and after successful login it redirects back to my application.
Now the problem is when it redirects then it shows below error message.
I have googled for this error but didn't get any proper answer. Also, the OAuth2 provider didn't share such URL.
After research I came to know that i need to set below property. Should it be provided by Auth Provider?
spring.security.oauth2.client.provider.pepstores.jwk-set-uri
What exactly I am missing here in configuration?
Finally, the problem is solved. I just need to configure the jwk URI which should be provided by the Auth provider.
Below the final configuration for customer Auth Provider.
spring.security.oauth2.client.registration.xxxxxxxxx.client-id=XXXXXXXXXX
spring.security.oauth2.client.registration.xxxxxxxxx.client-secret=XXXXXXXXXX
spring.security.oauth2.client.registration.xxxxxxxxx.scope=openid
spring.security.oauth2.client.registration.xxxxxxxxx.redirect-uri-template=http://localhost:8080/login/oauth2/code/xxxxxxxxx
spring.security.oauth2.client.registration.xxxxxxxxx.client-name=xxxxxxxxx
spring.security.oauth2.client.registration.xxxxxxxxx.provider=xxxxxxxxx
spring.security.oauth2.client.registration.xxxxxxxxx.client-authentication-method=basic
spring.security.oauth2.client.registration.xxxxxxxxx.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.xxxxxxxxx.authorization-uri=https://api.xxxxxxxxx.com/authorize
spring.security.oauth2.client.provider.xxxxxxxxx.token-uri=https://api.xxxxxxxxx.com/token
spring.security.oauth2.client.provider.xxxxxxxxx.user-info-uri=https://api.xxxxxxxxx.com/userinfo?schema=openid
spring.security.oauth2.client.provider.xxxxxxxxx.user-name-attribute=name
spring.security.oauth2.client.provider.xxxxxxxxx.user-info-authentication-method=header
spring.security.oauth2.client.provider.xxxxxxxxx.jwk-set-uri=https://api.xxxxxxxxx.com/jwks
Thanks
When you receive JWT in client application, you need to verify the signature of JWT. To verify the signature you need public key of Auth provider. As per OAuth specifications, Auth provider can expose the public key through a URI and client can use this URI to get the public key to validate the JWT. This is what is missing in your configuration.
I'm implementing OAuth2 authorization using Spring Boot. I have already Authorization Server and Resource Server, now I want to access resources from Resource Server using client_credentials grant type.
I'm little confused about it, because in Resource Server I have to add client_id and client_secret. But why Resource Server really need it?
As I understand this concept client should get from Authorization Server using client credentials his access token. And then send this access token to Resource Server without any client credentials.
So why Resource Server also need some client credentials? Resource Server and client are two separeted entities, I don't understand why Resource Server has to know about client_id and client_secret.
Why access token is not enough to authenticate? check_token endpoint can return list of resources that can be accessed with this token and if client has this token, this means that he is already authenticated with client credentials to get this token.
What if I want to access from multiple different clients to this Resource Server?
Resource Server config:
#Configuration
#RestController
#EnableWebSecurity
#EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
#Override
public void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/**").authenticated()
.and()
.httpBasic().disable();
}
#Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources
.resourceId("translate-service");
}
}
Resource server properties:
security.oauth2.resource.user-info-uri=http://localhost:8090/user
security.oauth2.resource.token-info-uri=http://localhost:8090/oauth/check_token
security.oauth2.client.client-id=XXXX
security.oauth2.client.client-secret=XXXX
If I wont set client properties Spring will log warning:
Null Client ID or Client Secret detected. Endpoint that requires authentication will reject request with 401 error.
And authentication will not work.
Maybe I doing something wrong and there is some solution to not provide client_id in Resource Server?
If you use RemoteTokenServices your Resource Server is also an additional client of the Authorization Server, see OAuth 2 Developers Guide:
An alternative is the RemoteTokenServices which is a Spring OAuth features (not part of the spec) allowing Resource Servers to decode tokens through an HTTP resource on the Authorization Server (/oauth/check_token). RemoteTokenServices are convenient if there is not a huge volume of traffic in the Resource Servers (every request has to be verified with the Authorization Server), or if you can afford to cache the results. To use the /oauth/check_token endpoint you need to expose it by changing its access rule (default is "denyAll()") in the AuthorizationServerSecurityConfigurer, e.g.
#Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')").checkTokenAccess(
"hasAuthority('ROLE_TRUSTED_CLIENT')");
}
In this example we are configuring both the /oauth/check_token endpoint and the /oauth/token_key endpoint (so trusted resources can obtain the public key for JWT verification). These two endpoints are protected by HTTP Basic authentication using client credentials.
and OAuth2 Boot:
2.4 How to Configure the Token Info Endpoint
The token info endpoint, also sometimes called the introspection endpoint, likely requires some kind of client authentication, either Basic or Bearer. Generally speaking, the bearer token in the SecurityContext won’t suffice since that is tied to the user. Instead, you’ll need to specify credentials that represent this client, like so:
spring:
security:
oauth2:
client:
clientId: client-id
clientSecret: client-secret
resource:
tokenInfoUri: https://issuer/oauth2/check_token
By default, this will use Basic authentication, using the configured credentials, to authenticate against the token info endpoint.
I'm making a swagger-UI using swagger 2.0 generated in the integrated Apigee portal.
I'm trying to get the oauth2 client credentials(in swagger 2.0 called application) flow to work in the "try it out" part of the UI.
Note that the input from the user is the clientid and secret, and not the token.
When I try to authorize a get operation and send requests, I can see in the curl representation of the UI that the Authorization header is expressed "Authorization: BearerToken {token}". The token is replaced in the curl string as expected.
Apigee does not support the "BearerToken" prefix, only "Bearer".
Is there a way to force swaggerUI to use the prefix "Bearer" instead of "BearerToken"?
My securitydefinition:
securityDefinitions:
OAuth2:
type: oauth2
flow: application
tokenUrl: 'https://{org-environment}/token'
scopes:
read: Grants read access
My security definition in the path:
paths:
/resources:
get:
security:
- OAuth2: [read]
The name of the token is set from the response the oauth access token generation proxy.
I changed the token.type from "BearerToken" to "Bearer" and this solved my problem.