Technology stack:
payara micro 5.2021.1
jakarta 8
microprofile 4.1
I'm trying to create a simple microservice with authentication in place. I created a simple angular application that only uses the google API's service with the implicit flow to generate a jwt token.
Microprofile has a library that can be used for authentication and authorization.
I tried to use it (microprofile-jwt-auth-api) and I would like to achieve authentication without any kind of authorization.
For that I'm using the annotation #LoginConfig(authMethod = "MP-JWT") in the class that extends the Application class, combined with mp.jwt configurations in microprofile.properties.
Not sure if I'm doing anything wrong, but my expectation was that any call to any resource without the authorization header should retrieve an unauthorized error.
The authentication seems to not work without the #AllowedRoles. If I add the #AllowedRoles in my controllers, the authentication starts to work. After googling, I got the idea that the #LoginConfig(authMethod = "MP-JWT") only works combined with the #AllowedRoles, which seems to be strange to me...
Also, it seems that it is possible to disable the allowed roles mechanism (https://docs.payara.fish/community/docs/5.2020.3/documentation/microprofile/jwt.html#_switching_off_rolesallowed_support_in_jax_rs) but it didn't work.
Do you have any idea? The workaround would be to create a filter and explicitly call the google API to validate and introspect the token, but I want to avoid this scenario (if possible).
Related
I'm using keycloak as an auth server, my client app is a sring-boot one with the keycloak client adapter dependency.
One challenge I have not yet tackled, is the insertion of specific scopes on the request header before an authorization request executes (towards the auth server - keycloak auth endpoint).
Right now I've tested my endpoints (using access-tokens with limited capabilities by the use of scopes ) via curl and/or postman and they behave as expected, so I know they work. But I don't know when/how can I append them as a "scope" request header when using spring boot (mainly because that's all plumbing code that runs under the hood in spring boot).
I assume I would need to use some kind of interceptor/filter that gives me access to that request object just before "executing", but I haven't been able to find a concrete example.
Any suggestion/guidance or pointing towards relevant documentation would be greatly appreciated.
thanks in advance.
UPDATE:
Since my last post; I've tested several combinations to achieve this, and sadly none have worked, it is quite amazing that something as basic to oAuth2 like injecting scopes on the authorization request, isn't supported easily out of the box by the spring boot keycloak adapter. I've tried following approaches:
1 - Using a custom implementation of Sping "ClientHttpRequestInterceptor" . This doesn't help because this interceptor provides access to the front-channel requests (or requests reaching the app through the front-controller), it doesn't provide access to the back-channel request (of which the auth-request is part of).
2 - "ClientHttpRequestInterceptor" is usually also used in conjunction with a "RestTemplate" custom implementation. The problem here is that this would work only to those requests executed through an instance of the RestTemplate, and this is not what happens with the back-channel requests used by the spring-adapter
3 - Using Configuration objects based on springsecurity. spring-security offers usefull filters for configuration components that could help here (#Configuration, #EnableWebSecurity, #ComponentScan(basePackageClasses = KeycloakSecurityComponents.class OR #KeycloakConfiguration); This global type of configuration basically mix your spring boot keycloak adapter app with springsecurity code, and while this works fine for most cases, if you happen to use/need "policies" (By using the "keycloak.policy-enforcer-config" type of configs), then your policies will stop working, and whole set of new issues will arise.
FROM: https://oauth.net/2/scope/
OAuth Scopes
tools.ietf.org/html/rfc6479#section-3.3
Scope is a mechanism in OAuth 2.0 to limit an application's access to
a user's account. An application can request one or more scopes, this
information is then presented to the user in the consent screen, and
the access token issued to the application will be limited to the
scopes granted.
The OAuth spec allows the authorization server or user to modify the
scopes granted to the application compared to what is requested,
although there are not many examples of services doing this in
practice.
OAuth does not define any particular values for scopes, since it is
highly dependent on the service's internal architecture and needs.
It is clearly stated that scopes can be requested by the application to receive tokens with limited access, yet all on-line documentation to achieve this with the keyclock adpaters (and particularly spring boot) is almost(completely?) non existant.
some redhat's keycloak expert could offer suggesstion?
I am developing an application and I am using Spring Security. My question is - is there a way to call the exact logic that is run when I send a post request to /login (default), but from within the programme?
Normally, I post my LoginUserDto object to /login endpoint to login. However, I am implementing facebook login now, so I am constructing my LoginUserDto on the server side from whatever data I get from facebook based on user's access token. Now I just need to call the same logic that I would normally call with the rest call to /login, but from within the code in order to return tokens.
Does anyone know how this can be done?
Thanks
You should look at Spring Security 5's inbuilt support for OAuth2, as this will be the easiest way to incorporate Facebook as an external Authorization Server. There is some good documentation which walks through what is necessary via OAuth2 Login. Additionally, I found working with the oauth2login sample code from the Spring Security Repository extremely helpful to understand how the application should be configured, and it has a section for integrating with Facebook.
I'm currently in the process of implementing an OAuth2 authentication into a Spring Boot application (using the latest Spring Boot Version 2.0.1). I followed the tutorial from http://www.java-allandsundry.com/2018/03/spring-boot-2-native-approach-to-sso.html which already put me into the lucky position where the authentication itself is up and running.
However after the authentication using OAuth2 (I'm using Google as authentication provider for now) I would like to enhance the Principal(or any other object accessible to the application) with additional data.
The basic usecase is like this:
Perform OAuth2 authorization.
Check the user infomation returned from the OAuth provider.
If a user with the matching ID from the OAuth provider can be found in a local database then enhance the Principalwith that user information and proceed.
If a user with the matching ID from the Oauth provider can not be found in the local database then show an error message and block the login.
Step 1 Is working fine but I cannot find any way to add a listener, an interceptor or any other kind of configurative element into the default Spring processing that would allow me to do steps 2-4.
I already looked into the multiple configuration options inside the WebSecurityConfigurerAdapter and several other source, so far without success. The closest thing I found online was using a PrincipalExtractor but that doesn't seem to be supported any more since Spring Boot 2.
Any idea of how I can perform the interception and inject my additional logics?
I have followed a bunch of guides to no avail.
I think I have a pretty simple case so here goes:
I want to create a REST API using Spring (Boot). I have a user database which I access using Spring Data and I have already prepared a UserDetailsService for it.
Now I want to add OAuth2 security using the implicit flow, however I have not been able to get this to work. I do not wish to separate the Authorization server and the Resource server since the key is to keep deployment simple.
How would you go about this?
I have created few rest services using jersey implementation.
In security concerns, service can invoke by any one. So I decided to use the token based authentication system.
I wrote one filter in spring security which handles every request before its hits the server.
One login service were created so user can invoke this service by passing the username and password for valid credentials it will generates the access token and expiry date and saves it in Hashmap and DB and returned as a response to the user.
For remaining services user have to pass the generated token in header to access the JAX-RS services.
All these process are coded by us i.e., generation,storage and expiration of the token.
Since we have some security API like oauth1,oauth2 in market is it good to provide the security for rest service by above mentioned way???
Is oauth api will suits my requirement . If it is please guide me how to achieve this ?
Please help me out with valuable suggestions ???
Thanks in advance.
We've been in a similiar position before starting with our rest api. The only difference we had no exisitng code. So basically we saw 2 choices
Run our own Tokenhandling, that what you already have
Use something existing, i.e. oauth2
Our main requirement was authentification via token and we prefered an existing solution. So we just run with oauth2 in form of spring-security-oauth2, even we are not using the whole self authorization stuff.
What i like and probably had missed in an own implementation is that a token generally identifies a user and a client combination and that clients can have rights too. Its nice to have this extra layer of security in our rest api, so i can block early on before even hitting one line of our code.
In form of spring-security-oauth2 its proven code, which works and like much of spring its customizable. Example: In our first version we did use the provided JdbcTokenstore for storing the token, but as requirements changed, we just coded our own and switched it in the config.
The disadvantage of using at least spring-security-oauth2 is that the whole authorization flow is normally webbased and needs communication between the client, the user and our app. As this would not work with our clients we had to trigger the token generation, etc ourselfs, which is doable with spring, but needed some code exploration :-)
If i had to build it again with java and where already using spring, i'd go with spring-security-oauth2 and the oauth way again. But when i had an existing working solution and dont need any of the oauth stuff i would keep the homegrown solution.