I have a Spring Boot app that uses Azure Active Directory with front-end authentication; here is the Microsoft page that I used.
This app is the back-end and I would use it for many front-end apps.
How can I set in application.properties all the different valid client-ids, one for every front-end app?
Related
I have a frontend application in angular and backend in java language.
Goal:
to secure the Angular to Spring Boot application (A) with Spring Boot Security and Azure AD.
to secure the above Spring Boot application (A) server API, which will call another Spring Boot application (B), i.e. server-to-server resource security.
And Spring Boot application (B) calling Spring Boot application (A) with Spring Security.
Above project is a multimodule project.
• Please follow the below documentation link which describes the features and core scenarios of the Spring Boot application for Azure Active Directory (Azure AD). It explains in detail how to connect your spring boot application to an Azure AD tenant and protect your resource server with Azure AD. It uses the OAuth 2.0 protocol to protect web applications and resource servers.
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/spring-boot-starter-for-azure-active-directory-developer-guide
Do take into consideration that the above steps mentioned in the documentation use the OAuth 2.0 authorization code grant flow for enabling a user to sign in with a Microsoft account.
• And you will have to develop and build your own Spring Boot Java application to integrate Azure AD authentication along with resource protection in it. The above documentation will help you configure the accessibility of resource servers from a web application as well as protect that resource server/API or access other resource servers from a resource server. Thus, this satisfies all your requirements promptly if you follow it. Also, please do take into consideration that you will have to have all the prerequisites in place, like a supported Java Development Kit version 8, Apache Maven version 3 or later and a Spring Boot application already registered with Azure AD. Do refer to the link below for a starter Spring Boot Java application linked with Azure AD:
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
What I've done till now:
I have installed Keycloak (8.0.1) and configured it, created a realm, clients, and users.
Configured a couple of simple Spring Boot apps with Keycloak and it is working with SSO.
I am trying to achieve following.
Keycloak should connect to Azure Active Directory and read the users from there (User Federation) and authenticate, authorise users to use the application.
Created Active Directory B2C on Azure cloud.
I have gone through too many links and read through the Keycloak official documentation but could not figure out the way.
Thanks in advance.
We have a requirement of implementing SSO for a customer (OKTA is his IdP) and we also have other clients asking for SSO (ADFS and OneLogin).
And all other clients authentication will be database authentication.
So based on each client the authentication mechanism should change. Is this possible?
My application is Multi Tenant SaaS. Where its deployed on AWS and a load balancer will switch servers randomly.
We use Angular 5 and Spring boot 2.1 for Services.
How can I achieve this? Please guide.
I've set up Keycloak and a public/front-end Spring Boot app successfully. Everything is working as expected. The front-end Spring Boot App is configured in Keycloak as a client (app-ui) in the realm, users are able to log in through Keycloak, tokens pass successfully, everything's great. Spring Security is securing endpoints and roles are being respected for endpoints.
Now, I'm trying to add a downstream Spring Boot App (Web Service) in the mix and I want it to be aware of the logged in user to be able to secure calls to it. The front-end Spring Boot App is using Feign Client to call the REST endpoints on the back-end Spring Boot App, but the back-end is not doing any authentication/authorization.
I have a couple questions I'm having trouble figuring out:
How do I setup the front-end Spring Boot App to pass the authenticated user details to the back-end Spring Boot App (RequestInterceptor / RestTemplate / Feign config / Http Headers)?
How do I configure the back-end Spring Boot App to use the authenticated user details it receives from the upstream Spring Boot App and what dependencies do I need to add to the back-end Spring Boot App to facilitate that (org.keycloak:keycloak-spring-boot-starter and org.springframework.boot:spring-boot-starter-security)?
Is there anything I need to configure in Keycloak for the back-end Spring Boot App? Should it be registered in Keycloak as a confidential/non-public client (e.g. app-api)?
Is there anything specific to configure in the back-end Spring Boot App? Does it talk to Keycloak to verify the authenticated user details it receives from the upstream callers?
I'd love to see a demo or tutorial that takes the ones I've seen about how to integrate Keycloak and Spring Boot one step farther to also secure any other downstream services. If I can figure this out, I'll post one.
I'm assuming this can be done with standard OAuth2 configuration on the back-end Spring Boot App, but I wasn't sure how it's recommended to achieve this architecture.
Here's the architecture I'm trying to set up:
How do I setup the front-end Spring Boot App to pass the authenticated user details to the back-end Spring Boot App (RequestInterceptor / RestTemplate / Feign config / Http Headers)?
You need to pass the bearer token in your HTTP request header.
How do I configure the back-end Spring Boot App to use the authenticated user details it receives from the upstream Spring Boot App and what dependencies do I need to add to the back-end Spring Boot App to facilitate that (org.keycloak:keycloak-spring-boot-starter and org.springframework.boot:spring-boot-starter-security)?
You need to add a new client in the realm, for example "back-end-client", and set its "Access Type" to 'bearer only'. You will need the 'keycloak-spring-boot-starter' and 'spring-boot-starter-security' dependencies; also add 'keycloak-adapter-bom' in your pom.
In your application.properties you should have the below mentioned properties:
keycloak.realm=your realm name
keycloak.auth-server-url=your keycloak url
keycloak.ssl-required=external
keycloak.bearer-only=true
keycloak.resource=your client name
keycloak.credentials.secret=your secret key
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
keycloak.cors=true
Is there anything I need to configure in Keycloak for the back-end Spring Boot App? Should it be registered in Keycloak as a confidential/non-public client (e.g. app-api)?
You need to create a new client and it should be registered as "bearer only".
You can refer to this link: https://www.keycloak.org/docs/latest/securing_apps/#_spring_boot_adapter
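The first part of the answer above (passing the bearer token in the request header) is what a Feign RequestInterceptor does on the front-end app. The following is an added example, not code from the original answer or from the Keycloak project; it assumes keycloak-spring-boot-starter and spring-cloud-starter-openfeign are on the front-end app's classpath, and the class and bean names are the author's own choice.

```java
// Added example: forward the logged-in user's Keycloak access token to the
// downstream Spring Boot service as an "Authorization: Bearer ..." header.
// Assumes keycloak-spring-boot-starter and spring-cloud-starter-openfeign.
import feign.RequestInterceptor;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
public class FeignBearerTokenConfig {

    private static final String AUTHORIZATION = "Authorization";

    // Registered once; Spring Cloud OpenFeign applies it to every Feign client
    // in the application, so each downstream call carries the caller's token.
    @Bean
    public RequestInterceptor keycloakBearerTokenInterceptor() {
        return template -> {
            String token = currentAccessToken();
            // Only attach when a user is authenticated and the client did not
            // already set its own Authorization header.
            if (token != null && !template.headers().containsKey(AUTHORIZATION)) {
                template.header(AUTHORIZATION, "Bearer " + token);
            }
        };
    }

    // Returns the raw access token of the current user, or null when the
    // request is unauthenticated (e.g. a scheduled job with no user context).
    static String currentAccessToken() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof KeycloakAuthenticationToken)) {
            return null;
        }
        Object principal = auth.getPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            return null;
        }
        KeycloakSecurityContext ctx = ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
        return ctx == null ? null : ctx.getTokenString();
    }
}
```

On the receiving side, the bearer-only adapter configured with the properties above validates the forwarded token's signature and expiry against the realm's keys, so the back-end does not need to call Keycloak per request to trust the upstream caller's identity.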
I have an Angular2 front-end and a Java Spring Boot back-end with my REST endpoints.
Now I want to deploy this app to Google cloud platform, but I want to keep my projects separate.
All I've read is about deploying one single application, but I want to keep my front-end and back-end separate.
How can I deploy my separate projects to Google cloud platform and have them communicate here as well?
Thanks for your help!
The easiest way to do this in GCP would be to host the frontend in Cloud Storage and set up your backend in Google Compute Engine (GCE) or App Engine.
Frontend
Cloud Storage provides static hosting capabilities. You can upload your frontend files to a Cloud Storage bucket and configure your domain to serve content from that bucket. Here is a tutorial for setting a bucket up for static hosting.
Once your backend REST endpoints are set up, the frontend app can easily communicate with them using Angular's AJAX capabilities.
Backend
If you prefer direct access to the machine your server runs on, you can upload the backend code to a GCE instance and run the server there. Otherwise, I would recommend deploying the server using App Engine, which will manage the instances for you.
One point you might be interested in is configuring permissions for your backend endpoints. If you want to restrict access to those endpoints and only allow your frontend to communicate with them, try out the Google VPC firewall features.
Good luck!