I have two web applications:
app1 with Spring Framework 2.5. It has a standard Spring Security form login. I didn't find a solution to enable SSO via Keycloak for this app, because the Keycloak Spring Security adapter doesn't support Spring Framework 2.5.
app2 with Spring Framework 5, using Keycloak for Single Sign-On with the authorization_code grant type.
I am integrating these two applications together by adding menu items in app1 to navigate to app2 pages using JavaScript. I am looking for a silent authentication option to get tokens from Keycloak after logging into app1, then send requests to app2 with this token. I would really appreciate it if anybody could give me some ideas. Sample code is even better.
Related
I deployed a standalone Keycloak (KC) server and developed one API that acts as a resource server (it is not supposed to handle login/registration of users, etc.) with Spring Boot. I want this API to be secured with KC JWT tokens. I expect every user coming in has already obtained a JWT token. To the security configuration of my API I added the following:
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8180/auth/realms/<REALM_NAME>
Everything works as expected; my API is able to allow only authenticated and authorized users to call the endpoints. However, I have the following question:
As my configuration is right now, anyone who receives a token from my KC server and knows the issuer-uri can build another API and do his/her own stuff. How is it possible to restrict the KC server so that it is used only by APIs that I allow? E.g., my API should provide a client_name and a client-secret before it is allowed to verify a token with the issuer.
I am using spring-boot-starter-oauth2-resource-server to configure OAuth2 instead of the one that Keycloak provides. I am running Spring Boot 2.4, Spring Security 5 and Keycloak 12.0.4.
I have two services, app1 and app2.
App1 uses devise_jwt for auth.
App2 doesn't have a web UI, but provides only some API data.
Is there a way to set up SSO from app1 to app2?
Some examples to clarify what I'm talking about:
I authenticate in app1, go to a page where app2 data is shown (app1.com/app2data), an AJAX request to app2.com/data is fired to retrieve JSON, app2 checks the JWT and gives me its JSON data.
I go to app2.com/data, it redirects me to app1/login, I authenticate and am redirected to app2.com/data.
Or maybe there are simpler ways to secure data in the app2 service?
I am building a new application using microservices with a frontend UI using React JS. I have created an auth microservice using Spring Boot and OAuth 2.0. For single-page applications I have read that I should use the implicit grant instead of the password grant. The auth microservice will support this, but my question is where I would implement the UI for the user to enter their username and password. Would it be within the auth microservice, or would I have to create a separate UI application?
The authentication form will be on your auth microservice. Think, for example, of how you use Google login: you see the Google login page even if you have your own microservice. That's because the authentication provider is Google, and you redirect the user to log in to Google.
I implemented all grant types a while back. Maybe this will help you.
Can I use OpenID Connect to implement SSO between two Single Page Applications (SPAs)? If yes, what would the flow be?
Scenario: App1 (SPA) starts and uses one of the OIDC flows to obtain an id_token and an access token. It then makes many REST API calls. At some later time, the user clicks on a button that brings up a second SPA, App2. Both apps belong to the same company. Can App2 utilize the id_token and access token obtained by App1 for SSO? Looking at the spec, the answer appears to be NO, because these tokens are meant for a specific client. Is there any other flow that enables SSO between two SPAs using OIDC? Or is it outside the scope of OpenID Connect, in which case we have to look at traditional proprietary solutions like CA, IBM, etc.? Thanks.
I would use the implicit flow for both apps. It could work like this:
1. App1 goes to the auth endpoint of the OpenID Connect server. To get the tokens, the user has to be authenticated, and the OIDC server may create a session for him (identified by a cookie).
2. App1 opens a new tab with App2.
3. App2 doesn't have tokens yet, so it goes to the OIDC auth endpoint. The OIDC server recognizes the session created in step 1 and may decide to release the tokens without authentication and redirect back to App2.
This way, each app gets its own tokens (yes, they are released for a specific client), and the user is not bothered by authentication for the second app. But the OIDC server's behavior in step 3 is not standardized and depends on the implementation. For example, it may depend on what scopes the apps are requesting; if they are not the same for both apps, the OIDC server could require authentication for the second app as well.
If you also need single sign-out, there is a specification for that:
http://openid.net/specs/openid-connect-session-1_0.html
You create two iframes in your apps: one for detecting OIDC session changes and one for communication between the first iframe and the app. The specification even contains examples of the iframe documents.
We have all the user data in our local MySQL database. We are moving our services to the cloud, and I need to use Cloud Foundry UAA to authenticate by calling a login microservice endpoint on our network instead of doing uaac add user for all the users in the db.
I am new to this; it would help me if you could explain the steps to do it.
Thanks in advance
I assume (based on the SAML tags on your question) that you are thinking of doing this with SAML. If this is your first time doing SAML then there is a bit of a learning curve. If so, you may find it easier to just create a custom login app.
SAML
You would set up an Identity Provider, and the IdP would authenticate users against either MySQL or your login microservice. simplesamlphp can be used for this purpose. A user authenticates to the IdP, the IdP generates a SAML assertion (e.g., a signed XML doc with information about the user) that gets sent to the Service Provider (UAA). The Service Provider then looks at the assertion to determine who the user is. UAA supports SAML logins. It has been a while since I've set it up that way, but I recall you run a separate 'login' war from the rest of UAA, and the login war uses APIs to talk to UAA. You also need to configure the SAML trust relationship between SSP and the UAA login war. This isn't hard to do if you are familiar with SAML. If you aren't, it can be difficult to get all the pieces right.
Custom Login App
I think an easier approach is to just build your own login app that calls your authentication service and the UAA APIs. UAA provides a sample app and documentation.