AWS Lambda Custom OAuth2 - oauth-2.0

I am trying to implement OAuth2 in a react-node serverless application. Similar to https://serverless-stack.com and OAuth2 above it.
I have followed the AWS nodejs blueprint and am confused by the OAuth provider part.
https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints/nodejs
(Here I need to implement line 20 of that file, '// 1. Call out to OAuth provider'.)
I have also tried the following articles/repos and could not achieve my requirements.
https://github.com/kennu/serverless-cognito-oauth2
http://www.awsomeblog.com/api-gateway-custom-authorization/
http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
How to set up an OAuth2 Authentication Provider with AWS API Gateway?
https://github.com/laardee/serverless-authentication-boilerplate
https://serverless.com/framework/docs/providers/aws/events/apigateway/#http-endpoints-with-custom-authorizers
https://blogs.edwardwilde.com/2017/01/12/creating-an-oauth2-custom-lamda-authorizer-for-use-with-amazons-aws-api-gateway-using-hydra/
https://github.com/matthoiland/serverless-oauth2
https://github.com/mcguinness/node-lambda-oauth2-jwt-authorizer
https://github.com/Serverless-Vienna/Comments-Showcase
My idea of OAuth2 authentication/authorization is similar to https://babelouest.github.io/glewlwyd/
I used Cognito for authentication and am trying to use OAuth2 in a Lambda custom authorizer for authorization.
Please let me know of any article or way to achieve custom authorization of AWS API Gateway endpoints using OAuth2.

Related

Can I use JwtBearerReactiveOAuth2AuthorizedClientProvider to implement Client Secret JWT Authentication?

I do have an app that is using ReactiveOAuth2AuthorizedClientProvider in order to get a token using authorization-grant-type: client_credentials & client-authentication-method: post
I need to uplift it to support JWT using client-authentication-method: private_private_key_jwt
I have seen spring providing the JwtBearerReactiveOAuth2AuthorizedClientProvider & I'm wondering if I can use it.
I have not found any samples so far in Google searches.

How to implement Oauth login in android+ spring boot+ security

I am trying to implement SNS login with Spring Security. The API server is Spring Boot and the frontend is Android and iOS.
From my understanding, it seems that spring-security-oauth-client supports the process of issuing an access token with server-side rendering (authentication code grant or implicit grant, etc.).
This is where my troubles begin.
First of all, I want to use OpenID Connect because I know that authentication should not be processed with OAuth's access token.
Because Android needs to use the SDK, the frontend (Android) issues the idToken and gives it to the backend server.
So I wanted to implement it using the oauth2 function supported by spring-security, but I couldn't find a good way. So the following question arose:
Can it be implemented with the OAuth support function of spring-security?
So, I am trying to process authentication by creating an Authentication Provider for each OAuth provider through a custom filter that directly extends OncePerRequestFilter.
Another question arises here.
Is there any difference between implementing the filter directly in spring-security and performing authentication in the controller of the Spring container, in terms of performance or other aspects?
Thank you.

Oauth2 and Microservices

All afternoon I tried to implement a microservice architecture without success. The big problem is security. I read that OAuth2 doesn't work with Spring Cloud unless your implementation uses the API gateway as an OAuth2 client. I have tried this solution: the API gateway logs in with OAuth2, but the business services don't recognize the OAuth2 login of the API gateway.
I followed the example at https://github.com/piomin/sample-spring-oauth2-microservices
Can someone tell me what is wrong in the example?

How could we use GitHub account as an AWS Cognito Identity provider?

By reading the Cognito Identity Provider documentation, I understand that it provides out-of-the-box integration with Facebook / Google / Twitter as Identity Providers.
My application is a developer-focused application, so I would like to enable users to sign up/sign in with their GitHub account besides the above Identity Providers' accounts. Is that possible?
If possible, how much extra work (compared to the out-of-the-box Facebook/Google social sign-up feature) do I need to do?
Since first writing this answer, I implemented and published a project that provides a wrapper for Cognito to talk to GitHub. It comes with a SAM/CloudFormation deploy script, so you can create a CloudFormation stack that provides the wrapper very easily.
So, OpenID Connect is built on top of OAuth2.0. It's an extension - in OpenID Connect, the OAuth endpoints are there (with one or two extensions or changes), plus some new endpoints.
My understanding from reading the Cognito documentation and the relevant bits of the OpenID Connect and OAuth2.0 specs is that Cognito only uses four of the OpenID endpoints: authorization, token, userinfo and jwks. You can specify each endpoint separately when configuring an OpenID Connect provider in Cognito. This means it is possible to provide OpenID Connect for GitHub by implementing these endpoints.
Here's a rough plan for implementation:
Authorization: In the spec, this looks to be the same as the OAuth2.0 endpoint (plus some additional parameters that I don't think are relevant to using github as an identity provider). I think you could:
Use the GitHub auth URL: https://github.com/login/oauth/authorize
Set your GitHub OAuth app to redirect to https://<your_cognito_domain>/oauth2/idpresponse
For the other endpoints, you'll have to roll them yourself:
Token: This is used to get the access and ID tokens, using a code returned by the authorization callback. It looks the same as the OAuth2.0 endpoint, but also returns an idToken. It looks possible to make an implementation that passes the code through to GitHub's token endpoint (https://github.com/login/oauth/access_token) to get the accessToken, and then generates an idToken, signed with your own private key.
UserInfo: This doesn't exist at all in OAuth2.0, but I think that much of the contents could be filled in with requests to the /user GitHub endpoints (since at this point the request contains the authenticated access_token). Incidentally, this is the reason that there's no open source shim to wrap OAuth2.0 with OpenID Connect: OpenID Connect's primary contribution is a standardised way of communicating user data, and since OAuth doesn't have a standardised way to do this, we have to write a custom one specific to GitHub (or any other OAuth-only provider we wanted to use for federation).
JWKS: This is the JSON Web Key Set document containing the public key(s) that can be used to verify the tokens generated by the token endpoint. It could be a flat file.
I have implemented the above, and the approach works. I open-sourced the project here.
Unfortunately it's not possible. Cognito Federated Identities can support any OIDC Identity Provider, but the OAuth2.0 spec does not give that flexibility, so there's no easy way to achieve this unless we add special support for GitHub.

How obtain connect with OAuth 2 using Postman?

My API uses the devise_token_auth (omniauth) gem for authentication in the Rails 5 backend. The frontend is using ng-token-auth (Angular 1.x).
I have all the API requests in Postman. I did the security implementation and I need to authenticate Postman with every request. Devise_token_auth uses authentication with OAuth 2 and I am having difficulty implementing this authentication.
For this type of authentication, using Postman, what is the process needed to obtain the connection?
For getting the token, there are a few things you need to set up.
The client ID and client secret are the things to be added into your identity server as clients.
The auth URL and access token URL will be provided by the identity server, and you will be able to get the URLs by hitting the identity server website when it's ready for testing.
The grant type also depends on how you set up the client. For the first time, try doing the access token instead of the authorization code flow.
For the authorization code flow it's a two-step process: get the code first and use the code to get the token.
I recommend watching this tutorial, which will help you in understanding Identity Server and OAuth better.
https://app.pluralsight.com/library/courses/oauth2-openid-connect-angular-aspdotnet/table-of-contents