I am trying to protect my swagger with Basic Auth. But also, the Doorkeeper with Bearer authentication is used.
If I send the basic and bearer in one query, doorkeeper doesn't authorize me.
Is it possible to make doorkeeper ignore basic auth and only accept Bearer?
If I understood you correctly, you can try to play with client_credentials and access_token_methods configuration options and set desired way of getting authorization data from the request.
You can find more info in project wiki, Changing how clients are authenticated (but it actually a stale one), or check the configuration initializer (in your project or in Doorkeeper repo)
Related
When I am trying to understand OAuth2 client, I am confused about why we have two different filters
I attempted to integrate with Github. Here are my observations
OAuth2AuthorizationCodeGrantFilter sound like a filter that exchanges authorization code for access token, but when I keep debug point it does not do that
OAuth2LoginAuthenticationFilter sounds somewhat like it does login somehow, but this filter exchanges auth code to access token instead of above
I'm not sure why this is the case, as the first class name implies some strong correlation to authorization code
Also, Whats is the difference between OAuth2LoginConfigurer & OAuth2ClientConfigurer
Looks like OAuth2LoginConfigurer configures OAuth2LoginAuthenticationFilter, while OAuth2ClientConfigurer configures OAuth2AuthorizationCodeGrantFilter
Can someone explain what each of them does & in which scenarios they are applicable?
Thanks
This is well documented in the Spring Security reference.
OAuth 2.0 Login
OAuth 2.0 Client
As well, in the javadoc:
OAuth2LoginAuthenticationFilter
OAuth2AuthorizationCodeGrantFilter
At a high level:
http.oauth2Login() is an implementation of OpenID Connect Authentication using the Authorization Code Flow
http.oauth2Client().authorizationCodeGrant() is an implementation of OAuth 2.0 Authorization Code grant
I've already looked at dedicated Rails casts here and
there, as well some Rails API tutorials with JWT here and there and here. Unfortunately, most of them are too outdated (2011-2015).
Nevertheless, I'm a still a little bit lost what to choose between oauth2, omniauth-oauth2, ruby-jwt
and in which situation and how to glue all these bricks together.
To be short, I need to authenticate Users via an external corporate API, get JWT token and be able to decode it to extract User information
before let him enter the Rails application.
What should I do:
create a custom strategy ?
will this custom strategy work with the corporate authentication API
if it does not use Doorkeeper ?
Some recent links would be really appreciated.
I see that you want to use Open Id Connect mechanism, which Identity Provider (IdP) will return id_token (JWT format) to client. That mechanism is already implemented here: https://github.com/doorkeeper-gem/doorkeeper-openid_connect. Check it out!
I want to make a JSON API with Rails 5 that will feed an angular app and possibly later mobile apps. I do not want to include any html in the rails application. I typically use devise to handle user creation and authentication in regular rails apps. I would like to implement an OAuth2 compliant flow so I found a gem called doorkeeper.
I like devise as it handles the sending of a confirmation email and password reseting, etc. I would like doorkeeper to keep my app OAuth2 compliant.
My issue is that the OAuth2 documentation says to try to not use the password grant type but I cannot find a better alternative method for a site being served by the same server the API is coming from. Should I require a CSRF token only for the OAuth route to acquire the access token to ensure the request is coming from the site? Should I use the CSRF token from within the angular app the entire time in conjunction with the access token?
Also should I have devise handle the sending of the access token? How would that work in the other flows besides password grant? I would also have to edit devise to only accommodate JSON requests and to respond in kind.
Also I would like to implement a JWT however I still think it best to have the token linked to a session ID, I know the kind of defeats the purpose of the JWT but I think its beneficial to use the JWT in order to accommodate native apps.
I am sure this is not an uncommon thing to want to set up nowadays but I have yet to find a solid walkthrough connecting devise, doorkeeper, and an API only setup. Has anyone experienced and implemented a something like this?
I am building an API and I'm stuck at the authentication part. I will try to explain what I have and what I'm trying to accomplish:
First, the API is closed to the public, it will only be used on the admin's back-end and for 3rd party devices in the company.
I have a model called Member that is being used with Devise for authentication
I'm also using STI to distinguish between 3 levels of users (using CanCan for roles)
What I thought:
I tried the Token authentication by Rails, it worked but I was afraid of expose the token in each Ajax request, I don't know if I was right.
I also tried to use a '/token' route to post my credentials and get a token, but I was facing the same problem in a more complicated approach. The link with the tutorial
I don't wanna use OAuth because it's unnecessary for that kind of application.
Is it secure to use this token authentication with ajax requests or is there a more secure way to prevent people accessing my API?
Token authentication needs to be done over a secure connection.
If for example you are using Heroku, it is possible to use
their credentials to gain a HTTPS url. With this the contents
will be encrypted and so exposing the token through JSON
over the API will be acceptable.
I am building a REST API using Grails. I want it to be protected using OAuth2.0 client_credentials flow(grant_type). My use-case is as follows:
a external agent will send a request to something like
http://server-url/oauth/token?client_id=clientId&client_secret=clientSecret&grant_type=client_credentials
and obtain a access_token. Then, my URL(protected resource) should be accesible with something like
http://server-url/resource?access_token={access-token obtained before}
I am looking for something that makes doing this on Grails easy and quick. What will be the best way/tool/plugin to use for this ? Scribe library is an option, if there are any tutorials for my specific use-case, it will be great.
P.S.: I have tried the spring-security and related plugins, no joy there. Any alternatives would be nice.
I have the same issue. I found a lot of grails plugins that helped you authenticate your app against other oauth providers, but nothing that would help me make my app the oauth provider. After a lot of digging, I came across this grails plugin that will do exactly what you want.
https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider
I'm still configuring it for my application, and I think the docs might need a few edits (specifically the authorization_code flow) but I got the simple client_credentials flow to work with minimal configuration. Hope that helps!
Based on my experiences, Scribe was built for OAuth 1.0 and has only very limited support for OAuth 2.0. In fact, for testing our own OAuth 2 implementation, all we could use from it was an HTTP request wrapper, we had to do anything else manually. Fortunately, doing it manually is suprisingly easy.
Since I still haven't found a fine open OAuth 2.0 library for Java (frankly I'm not familiar with Groovy), I encourage you to write the client code for yourself. You don't even need a client callback endpoint to use the client credentials grant flow. So you simply create an HTTP request (as you've written above already, take care to escape the GET parameters though) and get the response content. Your flow does not use redirects, so simply parse the JSON object in the response content, e.g. with the org.json library. Finally, send an HTTP request using the extracted access token.
Note that your examples are not completely standard compliant. The standard requires using HTTPS, sending the token in an HTTP header instead of a GET parameter and suggests using a HTTP basic authorization header instead of GET parameters to specify client credentials.
I may have misunderstood your question, and you may want to implement the server side, too. The scribe library supports only client side, so you can find a commercial implementation or implement your own server. It is a complex task, but if you support only the client credentials flow, it almost becomes easy. ;-)
This isn't a plugin, it's just a sample Grails application that acts as an OAuth provider. It was really easy to get up and running with Grails 3.
https://github.com/bobbywarner/grails3-oauth2-api