I deployed a Standalone Keycloak (KC) server and I developed one API that acts as a resource server(it is not supposed to handle login/registration of users etc) with Spring Boot. I want this API to be secured with KC JWT tokens. I expect every user coming has already obtained a JWT token. To the security configurations of my API I added the following configuration:
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8180/auth/realms/<REALM_NAME>.
Everything works as expected, my API is able to allow only authenticated and authorized users to call the endpoints. However, I have the following question:
As my configurations are right now, anyone who receives a token from my KC server and the issuer-uri can build another API and do her/his own stuff. How is it possible to restrict the KC server in order to be used only from APIs that I allow? E.g: my API should provide a client_name and a client-secret before it is allowed to verify a token with the issuer.
I am using spring-boot-starter-oauth2-resource-server to configure OAuth2 instead of the one that Keycloak provides. I am running Spring Boot 2.4, Spring Security 5 and Keycloak 12.0.4.
Related
I have an application set up as follows:
Angular UI -> Spring Cloud Gateway -> Spring Boot-based Service
I am attempting to authenticate my application against a limited Oauth SSO server with ONLY the following endpoints:
/authorize
/token
/userdata
The SSO does not provide an /introspect endpoint, nor does it issue JWTs.
What I would like to do is have Spring Cloud Gateway handle the authentication, but based on the result from /userdata, I would like to generate my own JWT to relay to the service.
My questions:
Is this possible?
If so, can someone give pointers or guide me to the resources that will get me started?
Spring Security OAuth2.0 Client and Spring Cloud Gateway combination works well in this case.
Client(Angular UI) requests to the Gateway service with OAuth2.0 login URL
The Gateway redirects the request to Identity Provider(Such as Google) login page.
After user login successful Identity Provider redirects the request to the Gateway with user info.
On Authentication success handler(Gateway service)
Parse user info and save it to somewhere
Create access token and refresh tokens. Set them to request cookies
Redirect to client(Angular UI)
I don't know the reason to pass the token downstream services at this point. If there is no specific requirement then I would implement all the security related operations on the Gateway service. Such as token generation, validation etc. This way new services can be easily added without concerning about authentication and authorization.
Here is a sample project.
Is it possible to use the Gitlab OAuth2 API to write a service that consumes Gitlab resources from the Gitlab API without user interaction (i.e., using machine-to-machine communication)?
As far as I understand the OAuth2 protocol, writing such a service would be possible using the client-credentials flow (i.e., Client Credentials Grant). However, according to the Gitlab OAuth2 Provider API, only the following flows are supported:
Authorization code with PKCE
Authorization code
Resource owner password credentials
Did I miss something or does that mean that an application that I register in Gitlab as an OAuth2 Application can only fetch resources when an interaction with the end-user is involved?
Should I fallback to using group tokens in this case?
I'm struggling theese days on the possible way to configure an Authentication + authorization system to consume a REST API from a mobile application.
Scenario:
We've developed 3 independent portals for a big customer that serves several users.
To enable a SSO for the 3 portals we've implemented a SAML authentication system using SimpleSAMLphp.
Every portal has a service provider and they make assertion requests against a central IdP.
The IdP checks username and password against a database where passwords are hashed and stored during registration.
After the login, the authorization on the portals is handled by the session on the server, and so far everything was fine.
Now the customer asked us to develop a mobile application that will require the users to login and access several of their protected resources collected during the usage of the 3 portals.
We've decided to develop a frontend application using ionic that will consume a REST API made in node.js that will serve all the data (both protected and unprotected resources).
Now here comes the question: to authorize access to protected resources on the Api we'd like to use JWT to easily achieve a stateless system.
The doubt is how to perform the authentication? We've the opportunity to check the credentials directly against the database skipping the SAML process, otherwise we've to implement a solution where the SSO IdP acts as authentication provider and then when an attempt is successful the API app will get the response from the idp and then issue a signed jwt to the consumer client. Is this second way a common implementation? Is it possible?
What path do you suggest to follow? The first could be very easy to achieve, but since we're using html+js for the app's frontend, if we decide to use the second solution probably in the near future we could recycle some code from the app to modernize some functions on the web portals, maintaining the jwt pattern and consuming the new Api also on the web.
I believe that in this case will be easier to ask a token to the new api using someway the logged in user's data already in the session of the portal. Sounds possible?
I hope that everything was clear, any help will be appreciated!
Thanks
The key goal here is to code your apps in the best way, via
the latest security standards (OAuth 2.0 and Open Id Connect).
SAML is an outdated protocol that is not web / mobile / API friendly, and does not fit with modern coding models.
Sounds like you want to do OAuth but you do not have an OAuth Authorization Server, which is a key part of the solution. If you could migrate to one you would have the best future options for your apps.
OPTION 1
Use the most standard and simple option - but users have to login with a new login screen + credentials:
Mobile or Web UI uses Authorization Flow (PKCE) and redirects to an Authorization Server to sign the user in
Mobile or Web UI receives an access token after login that can be sent to the API
Access token format is most commonly a JWT that the API can validate and identify the user from
The API is not involved in the login or token issuing processes
OPTION 2
Extend option 1 to federate to your SAML Identity Provider - enables users to login in the existing way:
The Authorization Server is configured to trust your SAML based identity provider and to redirect to it during logins
The SAML idp presents a login screen and then posts a SAML token to the Authorization Server
The Authorization Server issues OAuth based tokens based on the SAML token details
OPTION 3
Use a bridging solution (not really recommended but sometimes worth considering if you have no proper authorization server - at least it gets your apps using OAuth tokens):
Mobile or Web UI uses Resource Owner Password Grant and sends credentials to a new OAuth endpoint that you develop
OAuth endpoint provides a /oauth/token endpoint to receive the request
OAuth endpoint checks the credentials against the database - or translates to a SAML request that is forwarded to the IDP
OAuth endpoint does its own issuing of JWT access tokens via a third party library (if credentials are valid)
Web or Mobile UI sends JWT access token to API
API validates received JWT access token
I have a project in which there are several microservices which are secured using spring oauth2.I have published these services on WSO2 API Manager and disabled the oauth2 feature of WSO2 as my services are already secured using spring oauth2.Now when I access my services published on WSO2, using token of spring oauth2 i get in response either status code 0 "no response" or status code 403 unauthorized.What could be the issue here.
The WSO2AM (API Manager) authorizes the clients using the OAuth protocol and the backend services should trust the WSO2AM providing service authorization.
The API MAnager is not able (by default) validate the tokens of your backend services.
As far I know WSO2 AM clears the "Authorization" header to the backend services. (correct me when I am wrong).
your options:
Setup a proper environment, where APIM is used to authorize users. The APIM can send a JWT token to the backend services with user identity and attributes and the backend service will validate and trust the APIM JWT token containing user identity and attributes. I really suggest you stick to the way how APIM works and not try to force it working other way
If you really must using your own OAuth tokens, you could send the authorization token in different header (which will not get cleared)
You could create a custom mediation flow to to re-enter the authorization header into the request (I am not sure if you will need to update the exposed api mediation flow too or not to skip the default authorizer).
I am looking for fittings ends to our SSO puzzle.
Currently we have an OpenLDAP behind WSO2 Identity Provider. A client (Service Provider) redirects authorization to the IP (OAuth2) and recieves an access_token.
All fine.
Next step is to validate this token on another Service Provider, in this case a reverse proxy (Apache or Nginx) residing on another EC2 instance, which protects a number of unprotected 3rd party applications (3rd party in the sense that we can't touch source code, but do the hosting our selves). Which tools do serve this request?
Am am aware that the OAuth2 spec leaves a hiatus here and that there is draft which adds a /introspect call to validate this token. I also know that pingidentity implements this draft as part of there Apache module (https://github.com/pingidentity/mod_auth_openidc).
I am just wondering how to implement this on the WSO2-IS side, as I don't find documentation.
*bonus: we also hit several errors while deploying WSO2 (SQL errors) and using it (https://wso2.org/jira/browse/IDENTITY-3009) which made us a bit distrusting about the product.
Oauth2 token validate may be performed with a SOAP call to
{WSO2_IS}/services/OAuth2TokenValidationService.OAuth2TokenValidationServiceHttpsSoap11Endpoint/
The response will include details regarding token validity and JWT claims.