I’m developing a spring boot application where users can register into the system by providing the necessary information. The platform should provide users to authenticate with their registered user credentials or social media login credentials (google/Facebook).
For simple user authentication, I want to create a simple post request to the server with the user name and password and after validating, the server returns a token. I do not want to use the spring security form login here.
But for social media logic, I believe I have to go with oAuth.
I’m new to spring Boot and spring security. Do I need to integrate both JWT authentication and OAuth authentication for this scenario? A suggestion would be highly appreciated
What you. describe about user management (user registration, login, logout) are standard features of OAuth2 / OpenID authorization-servers. You should pick one "from the shelf" either on premise (like Keycloak) or in the cloud (like Auth0, Amazon Cognito, and many others). Many solutions include "social" identities federation.
REST APIs are resource-servers. See those tutorials for security configuration and tests with mocked identities.
UIs are clients. You should use an OAuth2 client lib to handle OAuth2 flows. Find one for your framework Spring has one if your UI is generated on server with Thymeleaf or alike, but there are libs for Angular, React and other frameworks running in browsers.
Spring OAuth2 client libs can also be used in BFF (backend for front-end) scenario when browser client is not OAuth2 (it is secured with session, not access-token) and talks to an app on the server which is the OAuth2 client (spring-cloud-gateway is a sample but you could also write your own app with spring-boot-starter-oauth2-client). This app translates the request with session into into one with access-token before forwarding it to resource-server. The aim is to hide tokens from Javascript in the browser.
Related
I have some web applications built with spring boot and react. Both react and spring boot servers run in their corresponding container.
I want to build oauth based single sign on (SSO) functionality for all these applications. For example, if user goes to any of applications and try to login, it should redirect to the same page providing OAuth based SSO functionality (may be using google OAuth or facebook OAuth). Logging in once should login across all apps (and possibly logging out once should log out across all apps).
What all I found regarding OAuth2 in official docs is this example. It creates an application which configures the Spring security to redirect to google login and once the login is successful, it redirects back to index.html specified in the same application.
However, I already have multiple applications which I want all to redirect to single webpage which contains button "Login with Google" (along with other options like login with facebook and username / password). Upon successful google authentication, I want it to redirect to corresponding application which initiated the login.
Q1. Is it possible with some simple redirects? If yes how?
I did not found any tutorial explaining how to achieve this. I came across only this tutorial which makes use of makes uses Keycloak Authorization server with spring boot to demonstrate login across two apps. But Keycloak is not the part of spring boot.
Q2. If answer to Q1 is no, then how can I achieve OAuth2 based SSO across multiple apps, with all of them redirecting to single login webpage and redirecting to corresponding app upon successful authentication? Can you please elaborate the process or point me to some tutorial?
Update: I came across another post which seem to explain the same but with now deprecated #EnableAuthorizationServer annotation.
The Federated Identity sample is one of the samples available for Spring Authorization Server. It demonstrates how to configure Google and GitHub (you can also configure Facebook and others in a similar way) as a 3rd party authentication or identity provider.
If you follow the instructions in the readme and run the messages-client (client) and messages-resource (resource server) in the samples directory, you can test out the entire flow.
So to answer your questions (hopefully simply):
Yes, using Spring Security OAuth2 client support and Spring Authorization Server as demonstrated in the samples mentioned above. If you're looking for examples of a javascript frontend, see this branch (specifically the angular-client sample) and this webinar for more info on single-page apps and Spring Authorization Server.
N/A
I'm developing a backend server for my applications. Actually, I'm using Keycloak as Identity Provider exploiting the OpenID Connect protocol. The frontend redirects users to Keycloak Login Page, so a token is returned to it. The frontend makes an authentication request to the backend using the returned token. Backend asks the IDP to validate the token and retrieve user info and roles.
Then I want to generate a JWT from the backend in order to easily authenticate the frontend requests.
Is this architecture fine? Or am I missing something important? Can I implement this architecture using Spring Security? Where can I learn more about it?
Thanks for any advice and support.
I am new to spring security
I have a front end application built using vuejs which calls spring rest api to interact with the backend system.
I have a login page where user enters the password. I want to be able to authorise the user if his login is correct and for the subsequent request authorise him with rememberMe token.
I know there is a lot of information available on the topic but
What is the right way to implement?
Should i use basic authentication ? If I am using basic authentication , how should i set up remember me along with basic authentication?
Should the authentication be handled in post call instead of using a auth filter?
Here are two scenario
If your front-end is built on any frontend framework and it's not dependent on any Server Pages(e.g JSP, Freemarker, velocity) or you want your frontend application to connect to your backend application through web services(Rest web service or SOAP web service) then you need to implement your own token base authentication with help of spring security instead of Basic Authentication of Spring security.
Else you should go with Spring Security Basic authentication, for implement Remember-me with spring security, Spring Security provides two implementations for Remember-Me :
1: Simple Hash-Based Token Approach: It uses hashing to preserve the security of cookie-based tokens
2: Persistent Token Approach: It
uses a database or other persistent storage mechanism to store the
generated tokens
Here is spring remember-me doc for it
We have a Java 8 backend application using SprintBoot with an embedded Jetty server.
The UI for the application is a Single Page Application built using React.
Currently I have enabled authentication by integrating with Okta using the spring security SAML extension. When the assertion is posted by Okta to my app, I create a session and the JSESSIONID is sent in the cookie.
This was fine until now when we had a very simple UI serving few UI components.
However, now we have several REST endpoints in our backend and we would want them to be authenticated as well. REST endpoints themselves are developed using Jersey.
If I understand correctly, SAML is clearly not the choice for pure REST based endpoints as SAML is mainly a browser based protocol. These REST endpoints will be called by our UI as well we want them to be independently called via Postman or something for testing.
When a client would call these REST APIs, I am guessing the client should send an Authorization header which should be checked by one of the authentication filters in the backend. After validating the client and the user, the filter should inject the user information in the SecurityContext because Jersey injects SecurityContext in all of the REST endpoints. Then it becomes easier to fetch the user from this SecurityContext.
Upon reading, it seems Okta OpenID Connect can be one choice which issues a JWT. However I am not clear on how to use this. That is, when Okta issues a JWT should our UI or any client for that matter keep sending the JWT in the Authorization header to our APIs and then our APIs in turn should send the JWT to Okta to validate it?
Question is what is the best choice to serve both, a login for the UI and a session and authenticating REST endpoints? Not to mention the REST APIs will be stateless in nature.
When a client would call these REST APIs, I am guessing the client
should send an Authorization header which should be checked by one of
the authentication filters in the backend
In OpendID Connect (OIDC), that value in the Authorization header is id_token which can be in JWT format. This id_token is issued by the OIDC server as the last step for whichever OIDC grant type you choose and applicable to your case.
Upon reading, it seems Okta OpenID Connect can be one choice which
issues a JWT. However I am not clear on how to use this. That is, when
Okta issues a JWT should our UI or any client for that matter keep
sending the JWT in the Authorization header to our APIs and then our
APIs in turn should send the JWT to Okta to validate it?
Think that you have 3 components in this architecture. Relying Party (client), Identity Server / Authorization Server / OIDC Provider and Resource Server (your backend and it's data). When Authorization Server issues and id_token to Relying Party, your Resource Server also knows this token. So when you request for data in resource server, you will present your id_token to Resource Server and it knows if it is valid id_token or not
Question is what is the best choice to serve both, a login for the UI
and a session and authenticating REST endpoints?
OIDC Provider (or Identity Server if you need more complex operation), since OIDC is Authorization (OAuth 2.0 at core) and Authentication.
I have an application runs on Java Spring 3. My application uses RESTful services and Spring Security for security. It has a user table and checks user credentials from it. I implemented web service capability to my application(one of customer's wanted web services instead of RESTful services). If possible I want same authentication mechanism and want to look up that database and allow just one user (for now-to admin) to communicate with my web service server.
Should I follow the same way as like my RESTful authentication or is there any authentication and security mechanism for Java Web Services at Spring (i.e. how to deal with logout, how to enable logout mechanism for a client-server web services communication)
PS: I use Apache-CXF.
Two potential ways:
Put a BasicAuthenticationFilter or DigestAuthenticationFilter in front of your CXF Servlet.
Use a WS-Security UsernamePasswordToken with CXF and write a CallbackHandler that a) creates a UsernamePasswordAuthenticationToken, b) calls authenticationManager.authenticate() and c) stores the authentication in the SecurityContextHolder.
Note that the above doesn't cover the concept of logout since login sessions are generally implemented with cookies and the above are stateless approaches. If you really need logout then you should consider using OAuth because you can implement logout by invalidating access tokens.
You could put a security token in the HTTP header you are sending to the REST which the REST decodes and verifies it's coming from an administrative location.