I have a Java application using Spring Security 5.2.1 and secured by Keycloak.
The client in Keycloak is a public openid-connect client.
It works fine.
I have now a requirement to use PKCE (Proof Key for Code Exchange).
As Client Support for PKCE has been added to Spring Security 5.2.0.M2 and as I use Spring Security 5.2.1, I can use Spring Security to implement it.
That's the good news.
The 'bad' news is that I found nearly nothing on the Web or in the Spring Security documentation on how I must implement it, practically.
Adding "enable-pkce": true in keycloak.json doesn't work, and I don't find any clear example of what to do.
Is there some documentation, website or whatever else, describing what to do to implementsthis ?
Thank you very much !
From the Spring Security reference documentation https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#initiating-the-authorization-request
PKCE will automatically be used when the following conditions are true:
client-secret is omitted (or empty)
client-authentication-method is set to "none" (ClientAuthenticationMethod.NONE)
Related
I've been attempting to secure my GraphQL API with Spring Security and JWT tokens, I've followed along with this post but have had no sort of luck. I got a working version of authentication using contexts with GraphQLContext but for every mutation/query I need to add the same verbose auth check, where spring security annotations are far nicer.
I'm unable to even really test what I've done since GraphQL doesn't seem to like when i add #PreAuthorize("hasRole(\"USER\")") on a query resolver, so I'm unsure if GraphQL is compatible with spring security at this point.
I've attached the source code to a gist since there is a fair few classes, I'm just unsure if the approach I'm taking is the right one, but using annotations on authorised routes is far nicer.
Soruce Code:
https://gist.github.com/PHILLIPS71/9388afb2495152f875b48ae06b241348
Stacktrace:
Caused by: com.coxautodev.graphql.tools.ResolverError: No method found with any of the following signatures (in priority order):
com.sun.proxy.$Proxy73.users( [, graphql.schema.DataFetchingEnvironment])
com.sun.proxy.$Proxy73.getUsers( [, graphql.schema.DataFetchingEnvironment])
After recent spring boot upgrade (1.5+) I am no longer able to access /metrics endpoint in my application. To solve this, I added management.security.enabled=false and management.security.roles=ACTUATOR. This allowed me to access the endpoint and it still required credentials before viewing. This works but I don’t understand why. Am I only disabling the ACTUATOR role to access this endpoint? Is there any security risk here?
I know after you move to spring boot 2.0.0.M5 only status and info endpoints are enabled by default. In Spring Boot 2 also you no longer need to have management.security.enabled https://github.com/spring-projects/spring-boot/issues/11383
I generally use this:
management.endpoints.web.exposure.include=info, health, metrics, env, beans, configprops
I'm trying to get SSO up and running. So when I sign in on a different application (on the same auth0 domain) and go to the login page of my application I want my application to automatically log me in.
I managed to get the first parts running and I received an authorization code from auth0. But when I try to retrieve the tokens they are all null.
my redirectuUri and clientSecret are correct and I assume the authorization code returned earlier is correct aswell.
It seems as if the request doesn't return any tokens. They are all null.
Where do I start to find out what's going wrong? Thanks!
public Tokens getTokens(final String authorizationCode, final String redirectUri) {
Validate.notNull(authorizationCode);
Validate.notNull(redirectUri);
System.out.println("Sending request with code to retrieve tokens.");
final Credentials creds = authenticationAPIClient
.token(authorizationCode, redirectUri)
.setClientSecret(clientSecret).execute();
return new Tokens(creds.getIdToken(), creds.getAccessToken(), creds.getType(), creds.getRefreshToken());
}
If using the Auth0 Spring MVC Library (not Spring Security MVC) - then best place to stick a breakpoint would at the top of the Callback Controller's handle method
You can then step through / step in - and inspect what is going on. This method calls getTokens and that delegates to Auth0ClientImpl which is the code block you reference in the question.
Check your ClientId, ClientSecret and Domain are all correct - and if your code is reaching this method - that the code / redirectURI being passed in are also correct. Would check the Auth0 logs from the Dashboard too, and determine if any successful authentication events are recorded.
Finally, please can you confirm which version of auth0-java (maven POM dependency / gradle dependency) you are using - and which version of the auth0-spring-mvc library you are referencing also.
For SSO Specific Examples - plain Spring falls between two stools as I wrote one for plain java and one for Spring Security MVC - but you should get a good idea of what is going on by studying these two samples:
Auth0 Servlet SSO Sample
Auth0 Spring Security SSO Sample
In particular, study the JSP pages since that is where the SSO checks and auto-login logic lives. Ensure too that you enable SSO on the Settings of each of your Clients defined in your Auth0 tenant.
Disclaimer: am the author of the above libraries - please leave me comments below if you still have problems and require any clarifications.
I'm having trouble getting Spring Security to work in my Spring MVC app. It is configured correctly (I think) and I am fully expecting it to use the configured security filter on all requests. It isn't. My question isn't to make sure I'm configured correctly so I'm not going to post any code, I am only asking if there is a method or something I can call in one of my controllers that will return true or false signifying if Spring Security is actually enabled or not so I can know how to proceed debugging. Thanks!
In your case, you could use spring actuator.
This is module used for application monitoring. You can read more about it, in this blog post: http://www.baeldung.com/spring-boot-actuators
I am developing an web application using java with Spring MVC and Sprin-Security. I can see, Spring Security does the authentication and security related tasks by itself which is OK. I was wondering how Spring Security detects the password field from database on which the authentication is made!!!
I have stored the user passwords in a column named 'xyz'. Now, how can I ask Spring-Security to look for user password in the column 'xyz'???? I tried to find a clear answer for this, but couldn't. So, if you guys please help me to make a clear concept about this.... I appreciate that!!
First, you need to setup JDBC Connectivity. For that you can use Spring JDBC so that the connections are spring managed.
Then, you need to override UserDetailsService of Spring Security to your own queries. An example is given here
Then wire your services either via programmatic configuration or via XML configuration, whichever way you have done it in your project.