I've a Keycloak server and I want to auth via http Ajax request, sending username + email to login. and signup new user. is that possible to create standalone web app to authorize user?
Even if it's not a good practice you can do that by enabling Direct Grant Access for your client, look for "Resource Owner Password Credentials Grant" in the documentation https://keycloak.gitbooks.io/documentation/content/server_admin/topics/sso-protocols/oidc.html
Related
When i am trying to get access token through client credentials flow in okta ,i have got sucessfully,but by using that access token i am not able to fetch any user details.Like the code below
token.getTokenAttributes().get("uid").toString();
The above token object is jwtAuthenticationToken Which is used in web application.
i am using spring-boot okta
The Client Credentials flow is intended for server-side (confidential) client applications with no end user, which normally describes machine-to-machine communication.
It wouldn't have user context and it won’t have a user tied to the access token.
I am developing an app secured with Spring Oauth2, password flow.
But I'm still confused about difference between UserDetailService and ClientDetailsService flows in Spring.
As I understand from OAuth2 specification, client and user are different entities. Client has clientId, clientSecret and some grants, and User has username, password and also some grants.
Multiple users use the same client (mobile app or web browser in my case).
So I need to authenticate some user and provide it with an access token.
I have implemented both UserDetailsService and ClientDetailsService (with all needed infrastructure: AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter) and during authentication I see, that username from request is passed as clientId into clientDetailsService and
as username into userDetailsService.
But I thought it should be more complex process like for authentication request client should provide both client credentials and user credentials so then I can verify client (is it registered in my system) and its grants then verify user and its grants and then return an access token.
My questions:
Do I understand the process correctly?
Are client grants and user grants of the same meaning?
What classes should I customize to separate verification of client and user credentials?
Solution is stupid simple.
The client and the user are really different entities
To obtain access token you need to complete basic authentication with Base64 encoded client credentials in header and username/password of the user in params.
Header pseudocode:
Basic Base64("client_id:client_secret")
Params:
username=username, password=password, grant_type=password
This will return you access_token, refresh_token and some extra info.
I have read and implemented my own Auth server following this tutorial from Spring. There are multiple SSO providers - Facebook, Github and a custom auth server. In this tutorial, the auth server contains the handling of other SSO providers.
I have a separate resource server that links to my auth server using the following properties:
security.oauth2.resource.userInfoUri=http://localhost:9000/user
I am able to get the token from my auth server using a cUrl command:
curl acme:acmesecret#localhost:9000/oauth/token -d grant_type=password -d username=user -d password=...
{"access_token":"aa49e025-c4fe-4892-86af-15af2e6b72a2","token_type":"bearer","refresh_token":"97a9f978-7aad-4af7-9329-78ff2ce9962d","expires_in":43199,"scope":"read write"}
But what I fail to understand is how can I use the other SSO providers to get such token as well from the auth server? The resource server should not care how did I get the token and whether I am authenticated using Facebook or my custom auth server. It should simply ask the auth server what is the Principal (logged user) and then decide which resources to show him, right?
I don't have any UI and this will be backed for a mobile application so I need to udnerstand how to handle the authentication using REST reqeusts.
If I understand your question correctly,
how can I use the other SSO providers to get such token as well from
the auth server?
This custom Auth server is abstracting out your interaction with FB or Github and issuing you it's own token. The token that your custom Auth server spitting out is not an FB or Github token, it's a token generated by your custom Auth server (After authenticating with FB/Github token).
Then why do we need FB/github?
How else your custom Auth server can identify a person, It sure can use user Id and Password; consider 'login with FB' as another nice option it gives to the user.
How to add other SSO providers like digitalocean in addition to FB and github?
Just do the same as we did for FB and Github (register a client id with digital ocean and then in auth server application, Add client Id and secret in the properties/yaml file etc)
The resource server should not care how did I get the token and
whether I am authenticated using Facebook or my custom auth server. It
should simply ask the auth server what is the Principal (logged user)
and then decide which resources to show him, right?
Yes, your understanding is correct.
Edit (To answer question asked in the comment)
But lets say I log in with Facebook through my Auth server. Where do I
find the token that I can use with the Resource server? Let's say I
have a RestClient and want to make a request to obtain some resource
belonging to a user which went through the Facebook auth process via
my auth server. Where do I find the token to use?
If that's a requirement, I think you can use this example instead; you may not need a custom auth server as such. Whole point of having custom auth server is abstracting out the interaction with FB or github.
Or
If you still want to go with custom auth server direction, then expose an endpoint from Auth server (which will get you the resources you need from FB) and then make use of that from your resource server.
I have a use case where the user should be authenticated via /oauth/authorize by entering his username and password into a custom login form which is posted directly without redirecting the user to a providers login page. Authorization code flow seems fitting but how can I alter the flow to skip the redirect to login page? Which are the Spring Oauth2 extension points to customize?
You can have two requests instead of one. You do a POST to your login endpoint as an XMLHttpRequest and on success you direct the user to the /oauth/authorize endpoint.
If you own the client server you might also consider the Resource Owner Password Credentials flow.
I have developed many stateless RESTful webservices for a mobile application in Java and they are working very well.
For example:
http://.../api/coupon
http://.../api/coupon/{id}
...
Now, I have to extend these services because I have to send different data back to the mobile for every user. So I need to know on the server side which user try to get or set information. And I have to prevent the serve of unauthorized users.
There are two different way how user can login into the mobile application:
log in with facebook account
log in with an application account
I need to develop two login and a logout services because the users who use the mobile application have to login into the application.
I read lots of article about auth and RESTful and OAuth.
I think I have to develop two login services with two imput parameters: username and password.
For example:
localLogin(String username, String password) -> token
facebookLogin(String username, String password) -> token
These logon services have to generate a same token and send it back to the mobile application in the http header. And after the login process the mobile client has a token. And the client has to send this token to the server when it makes a RESTful server call.
What do you think? Is my idea good?
If it is, could you help me how can I start to develop this in Java?
If it is not, could you tell me the good way?
You do not need 2 log in procedures. Just use the Facebook SDK!!
i) In your app would be a login with facebook button.
ii) User clicks on it and is then redirected to the facebook login page, where the user enters his credentials and facebook returns a token to you. You do not have to worry about the user's facebook credentials or storing them anywhere! Facebook will handle that for you. Consider the FB login part as black box to your app - you simply make a FB SDK's login call and it will do some processes and give back a access token to your app.
iii) Now, you can exchange the access token for the user's profile information. Enter this profile info to your database - that will ensure authenticated call.
Once you have verified that the user is logged on you can do whatever you want.