Oauth2 and Microservices - oauth-2.0

Throughout this afternoon, I tried to implement a microservice architecture without success. The big problem is security. I read that OAuth2 doesn't work with Spring Cloud unless your implementation uses the API gateway as an OAuth2 client. I have tried this solution: the API gateway logs in with OAuth2, but the business services don't recognize the OAuth2 login of the API gateway.
I followed the example at https://github.com/piomin/sample-spring-oauth2-microservices
Can someone tell me what is wrong in the example?

Related

APIM Gateway and protecting API with OAuth

I have an API which is hosted in Azure. It is using the Microsoft Identity platform for authorization. Now we need to integrate APIM Gateway for the API. APIM also provides OAuth authorization. So my question is: should I configure OAuth for my API in APIM, since the API would be deployed in APIM, or can I continue to use the Microsoft Identity platform, which is doing its job? So I am looking for the benefits of using OAuth from APIM rather than through Microsoft Identity. In other words, what would be the difference and pros of using OAuth vs Microsoft Identity, which also relies on OAuth?
Each API should validate a JWT access token on every request, then use the token's scopes and claims to authorize access to resources. This is sometimes called a zero trust architecture.
Another important requirement is to avoid revealing sensitive data in tokens, such as emails, to internet clients. The phantom token pattern has more info on this, and involves the use of an API gateway.
I would favour a solution where there is an API gateway in front of your APIs. This is a hosting best practice and also enables you to perform tasks such as cookie and token translation in the gateway.
APIM is one solution so I would favour that type of option if it improves your API security. There are other Azure options though, so it can be worth clarifying the types of things you want to do in gateways before choosing one. The API Gateway Guides may give you some ideas.

How to implement Oauth login in android+ spring boot+ security

I am trying to implement SNS login with Spring Security. The API server is Spring Boot and the front end is Android and iOS.
From my understanding, it seems that spring-security-oauth-client supports the process of issuing an access token with server-side rendering (authentication code grant or implicit grant, etc.).
This is where my troubles begin.
First of all, I want to use OpenId Connect because I know that authentication should not be processed with oauth's access token.
Because Android needs to use the SDK, the front end (Android) issues the ID token and gives it to the backend server.
So I wanted to implement it using the OAuth2 functionality supported by Spring Security, but I couldn't find a good way. So the following question arose:
Can it be implemented with the OAuth support functionality of Spring Security?
So I am trying to process authentication by creating an AuthenticationProvider for each OAuth provider through a custom filter that directly extends OncePerRequestFilter.
Another question arises here.
Is there any difference between implementing the filter directly in Spring Security and performing authentication in the controller of the Spring container (performance or other aspects)?
Thank you.

OAuth serverless provider

I'm looking for OAuth serverless provider with:
OAuth authentication for major providers
Access to the providers' API
I already spent some time playing with the OAuth.io service and was able to build a prototype based on NodeJS. I successfully implemented authentication with Facebook, Twitter, Github, Stackexchange, Google and Linkedin. Integration with Paypal failed.
This is what I found for OAuth.io:
Pros:
List of supported providers
User-friendly management console
Authentication flow, simple integration
Cons:
Access to the Github and Linkedin APIs generates errors due to changes in their APIs. It looks like these changes were not reflected in the OAuth SDKs.
Low activity on Github. The last commit for the NodeJS SDK was made in Nov 2016.
Are there any other OAuth serverless providers on the market?
Thanks in advance.
Another oauth.io user here. I like the simplicity of their SDK, but their dashboard doesn't work at the moment (only loading spinners).
A great alternative is https://auth0.com, lots of features and integrations. You also have access to the provider's API, like you asked. You can find an example of using Auth0 to access the GitHub API here: https://auth0.com/docs/connections/social/github
Since you mentioned serverless, auth0.com also have a very nice serverless platform https://webtask.io where you can run your own NodeJS functions in the cloud. I found it a much more intuitive/enjoyable experience than AWS Lambda, and it integrates directly with auth0.com.
Downsides of Auth0 are the steeper learning curve compared to oauth.io (they started off very simple, but now it seems they want to be the be-all and end-all of auth) and less customisation of the login screen/flow. Basically they want you to redirect your users to a login screen that they host and designed.
Hope that helps!

AWS Lambda Custom OAuth2

I am trying to implement OAuth2 in a react-node serverless application. Similar to https://serverless-stack.com and OAuth2 above it.
I have followed the AWS nodejs blueprint and am confused by the OAuth provider part.
https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints/nodejs
(Here I need to achieve the 20th line, '// 1. Call out to OAuth provider')
I have also tried the following articles/repos and could not achieve my requirements.
https://github.com/kennu/serverless-cognito-oauth2
http://www.awsomeblog.com/api-gateway-custom-authorization/
http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
How to set up an OAuth2 Authentication Provider with AWS API Gateway?
https://github.com/laardee/serverless-authentication-boilerplate
https://serverless.com/framework/docs/providers/aws/events/apigateway/#http-endpoints-with-custom-authorizers
https://blogs.edwardwilde.com/2017/01/12/creating-an-oauth2-custom-lamda-authorizer-for-use-with-amazons-aws-api-gateway-using-hydra/
https://github.com/matthoiland/serverless-oauth2
https://github.com/mcguinness/node-lambda-oauth2-jwt-authorizer
https://github.com/Serverless-Vienna/Comments-Showcase
My idea of OAuth2 authentication/ authorization is similar to https://babelouest.github.io/glewlwyd/
I used Cognito for authentication and am trying to use OAuth2 in a Lambda custom authorizer for authorization.
Please let me know of any article or way to achieve custom authorization of AWS API Gateway endpoints using OAuth2.
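The blueprint step the question points at ("Call out to OAuth provider") is the place where a TOKEN authorizer turns a bearer token into a yes/no answer plus the caller's identity. The following is an added example written for this page, not the blueprint's code or any linked repository, showing the shape of that Lambda: parse the `Authorization` header, ask the provider whether the token is active (RFC 7662 token introspection), map the token's scopes to the HTTP method in `event.methodArn`, and return the IAM policy document API Gateway expects. The introspection call is replaced by a constructed in-memory lookup so the file runs offline; the token values, scopes and method-to-scope rule are assumptions.

```javascript
// Constructed introspection responses keyed by opaque token value. In production this
// lookup is an HTTPS POST to the provider's introspection endpoint (RFC 7662),
// authenticated with the authorizer's own client credentials; the response shape is the same.
const introspectionResponses = {
  'tok-reader': { active: true, sub: 'alice', scope: 'orders:read', client_id: 'mobile-app' },
  'tok-admin': { active: true, sub: 'bob', scope: 'orders:read orders:write', client_id: 'ops-console' },
  'tok-revoked': { active: false },
};
function introspect(token) {
  return introspectionResponses[token] || { active: false };
}

// Scope each HTTP method on the protected resource requires (constructed rule).
const requiredScopeByMethod = { GET: 'orders:read', POST: 'orders:write', PUT: 'orders:write', DELETE: 'orders:write' };

// event.methodArn has the form
//   arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<resource path>
// The resource path may itself contain slashes, so split only on the first one.
function parseMethodArn(methodArn) {
  const slash = methodArn.indexOf('/');
  if (slash < 0) throw new Error('Unauthorized');
  const [stage, method, ...pathParts] = methodArn.slice(slash + 1).split('/');
  return { apiArn: methodArn.slice(0, slash), stage, method, path: pathParts.join('/') };
}

function buildPolicy(principalId, effect, resource, context) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
    // Only string, number and boolean values survive; the integration sees them
    // as $context.authorizer.<key>.
    context,
  };
}

// Decision logic, kept synchronous so it can be exercised without a network.
// Throwing the literal message 'Unauthorized' makes API Gateway answer 401; a Deny
// policy answers 403 and is cached like any other authorizer result.
function authorize(event) {
  if (event.type !== 'TOKEN') throw new Error('Unauthorized');
  const match = /^Bearer (\S+)$/.exec(event.authorizationToken || '');
  if (!match) throw new Error('Unauthorized');
  const info = introspect(match[1]);              // the blueprint's "1. Call out to OAuth provider"
  if (!info.active || !info.sub) throw new Error('Unauthorized');
  const { method } = parseMethodArn(event.methodArn);
  const granted = (info.scope || '').split(' ');
  const required = requiredScopeByMethod[method];
  const effect = required && granted.includes(required) ? 'Allow' : 'Deny';
  // The statement covers only the method ARN that was asked about. With result caching
  // enabled the same policy is reused for other routes presented with this token, so a
  // cached deployment should instead list every resource the token's scopes permit.
  return buildPolicy(info.sub, effect, event.methodArn, {
    sub: info.sub, scope: info.scope || '', clientId: info.client_id || '',
  });
}

// Lambda entry point: API Gateway invokes this with the TOKEN authorizer event.
const handler = async (event) => authorize(event);
```

The split between 401 and 403 is deliberate: a token the provider does not recognise as active is rejected before any policy is built, while an active token lacking the scope for this method gets an explicit Deny that the integration never sees.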

When to use Spring OAuth2 vs Cloud Foundry UAA?

Both code bases can provide OAuth2 capabilities. Why should I use one vs the other?
The Spring OAuth2 library has capabilities of turning an application into a full-fledged OAuth2 Authorization Server, which is able to issue its own tokens BUT it still needs and depends upon a central OAuth2 provider for authentication. CF UAA is one such provider.
Facebook or Github are the other such OAuth2 service providers used more commonly for this purpose.
More details about Spring OAuth can be found at - https://spring.io/guides/tutorials/spring-boot-oauth2/
I hope it helps.
