I'm trying to get SSO up and running. So when I sign in on a different application (on the same auth0 domain) and go to the login page of my application I want my application to automatically log me in.
I managed to get the first parts running and I received an authorization code from auth0. But when I try to retrieve the tokens they are all null.
my redirectuUri and clientSecret are correct and I assume the authorization code returned earlier is correct aswell.
It seems as if the request doesn't return any tokens. They are all null.
Where do I start to find out what's going wrong? Thanks!
public Tokens getTokens(final String authorizationCode, final String redirectUri) {
Validate.notNull(authorizationCode);
Validate.notNull(redirectUri);
System.out.println("Sending request with code to retrieve tokens.");
final Credentials creds = authenticationAPIClient
.token(authorizationCode, redirectUri)
.setClientSecret(clientSecret).execute();
return new Tokens(creds.getIdToken(), creds.getAccessToken(), creds.getType(), creds.getRefreshToken());
}
If using the Auth0 Spring MVC Library (not Spring Security MVC) - then best place to stick a breakpoint would at the top of the Callback Controller's handle method
You can then step through / step in - and inspect what is going on. This method calls getTokens and that delegates to Auth0ClientImpl which is the code block you reference in the question.
Check your ClientId, ClientSecret and Domain are all correct - and if your code is reaching this method - that the code / redirectURI being passed in are also correct. Would check the Auth0 logs from the Dashboard too, and determine if any successful authentication events are recorded.
Finally, please can you confirm which version of auth0-java (maven POM dependency / gradle dependency) you are using - and which version of the auth0-spring-mvc library you are referencing also.
For SSO Specific Examples - plain Spring falls between two stools as I wrote one for plain java and one for Spring Security MVC - but you should get a good idea of what is going on by studying these two samples:
Auth0 Servlet SSO Sample
Auth0 Spring Security SSO Sample
In particular, study the JSP pages since that is where the SSO checks and auto-login logic lives. Ensure too that you enable SSO on the Settings of each of your Clients defined in your Auth0 tenant.
Disclaimer: am the author of the above libraries - please leave me comments below if you still have problems and require any clarifications.
Related
I am generating an app(frontend and backend) using the console command: jhipster. The app was generated with authorization. Then I was asked to completely remove the authorization.
I found that it is possible to generate a new application with the command: --skip-user-management, how to remove authorization for existing application?
Please take a look at https://stackoverflow.com/a/59212698/7773582 to understand how to remove authorization in an existing application. This is the case for Angular-frontend, I unfortunately don't know where authorization is handled in reactjs as frontend.
I resolve it, using anonymous user.
In SecurityConfiguration.class set permitAll() for all requests and remove beforeFilter().
In private-route.tsx set true for checkAuthorities() method.
I have a Java application using Spring Security 5.2.1 and secured by Keycloak.
The client in Keycloak is a public openid-connect client.
It works fine.
I have now a requirement to use PKCE (Proof Key for Code Exchange).
As Client Support for PKCE has been added to Spring Security 5.2.0.M2 and as I use Spring Security 5.2.1, I can use Spring Security to implement it.
That's the good news.
The 'bad' news is that I found nearly nothing on the Web or in the Spring Security documentation on how I must implement it, practically.
Adding "enable-pkce": true in keycloak.json doesn't work, and I don't find any clear example of what to do.
Is there some documentation, website or whatever else, describing what to do to implementsthis ?
Thank you very much !
From the Spring Security reference documentation https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#initiating-the-authorization-request
PKCE will automatically be used when the following conditions are true:
client-secret is omitted (or empty)
client-authentication-method is set to "none" (ClientAuthenticationMethod.NONE)
I have studied plenty tutorials and pages about Spring Boot Security. But none of them answered my questions. And here they are:
I´m building web app in Spring Boot. And I need to authenticate users via classic session (username, password). But as I know a lot of things are predefined in Spring Boot. And I want to change few things.
1) The only page which DO NOT NEED authentication is /. Here is also login form. Rest of pages MUST BE authenticated. So I do not want to use default URL /login. And what I have to write into form´s action?
2) I also need need unauthenticated routes for static resources. They are located: src/main/resource/static/css
3) Is there a way to edit logout? Like to add a code during logout action?
Can you show me how configure method of WebSecurityConfigurerAdapter should look like? I have already tried a lot of configurations, but they didnt work.
Thank you for your responses.
I recommend you to have a look at this tutorial for a specific login and logout page.
With antmatchers you can also define that your static content is not secured.See here
For adding logic between spring defined processes like logout you should have a look at the spring filter pipelines especially the Logoutfiler. This was already discussed here
It would also be an easy way to set the logout url to a rest endpoint, execute the action you want an then redirect to the auth service. In my opion the filter way is the better solution and cleaner.
I hope this helps to get on track. cheers
I was working on a Spring-security LDAP application. I'm following the link - https://spring.io/guides/gs/authenticating-ldap/ . Problem I'm facing is that I have made a very simple controller and a method to handle a request, returning a string. But browser is opening a login page (which I can't find anywhere). I deleted cache, restarted Eclipse and system both but to my dismay it displays the same page irrespective of any url configured in controller or any port. I'm unable to elucidate this behavior of browser.
If you had followed the guide exactly as it is, then you may notice that the file WebSecurityConfig.java has the following line http.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and().formLogin(); Which means that all your requests need to be authenticated. That means any end points that you define need to be authenticated too. They are secured by default.
You seem to have made a GET request to your endpoint, which is secured by Spring Security. If you want to create an unsecure endpoint then you have to make changes to the WebSecurityConfig file.
The login page that you mention is provided by Spring security library itself. It won't be available in your cloned project. At the end of the page they have also mentioned that the username is ben and password is benspassword. Spring security provides lot of default options which are useful. But, unless you read the documentation to understand what they are, you are in for quite a few surprises.
I'm trying to find a simple, flexible way to add JaaS authentication to REST. I found a post that I think leads me in the right direction (See StevenC's answer). It sounds like the servlet container is responsible for security, not the Jersey code itself. I like this idea, but need a little guidance on implementation.
Grizzly is my servlet container and I want to configure it to use JaaS for authentication. For now, a simple username/password combination would be fine, and hard-coding the username/password pairs directly in code is fine. As long as it uses JaaS, we can refine those details later.
As far as what is sent over HTTP, I'm thinking that storing a cookie would be the easiest way to make this all work. Whatever it takes to keep authentication junk away from my Jersey code.
Here's the code to start Grizzly so far:
final String baseUri = "http://localhost:9998/";
final Map initParams = new HashMap();
initParams.put("com.sun.jersey.config.property.packages",
"my.jersey.Service");
System.out.println("Starting grizzly...");
SelectorThread threadSelector = GrizzlyWebContainerFactory.create(baseUri, initParams);
System.out.println(String.format(
"Jersey app started with WADL available at %sapplication.wadl\n"
+ "Try out %shelloworld\nHit enter to stop it...", baseUri, baseUri));
System.in.read();
threadSelector.stopEndpoint();
System.exit(0);
If this whole process works, what's the best way to check permissions for the user? I would probably want my REST code to actually validate permissions at certain points. Am I even on the right track? Is there an easier way? A link to a tutorial would be a great answer. Even an answer like "I did that and it worked" would give me a warm fuzzy that I'm heading in the right direction.
Thanks for any help.
EDIT: Some clarifications for StevenC's comment:
Do you still want to use servlet filters to protect your resources? I'll use whatever can separate out the authentication detail from the Jersey code. It doesn't have to be servlet filters.
What is mean by "configure it to use JaaS"? The original plan was to protect the current API using JaaS. The next phase would be to make the entire API available online. It seemed to make sense to have a Jersey wrapper around the API calls, but keep authentication handled by Grizzly. Grizzly would have to interact with JaaS at that point I believe.
Are you thinking there should be some config that simply causes grizzly to protect your resources? I was considering a two-step process of authenticating the user and based on roles, authorizing the user to access resources. The idea was to have Grizzly handle authentication (using JaaS) and Jersey handle authorization.
"I don't see the need for the usage of cookies with a RESTful resource." It would be wonderful to remove the use of cookies, but how can the be accomplished? The system needs to know if the user is authenticated. I'd rather not ask them to pass a username/password/etc for each call. Even passing a session token as a parameter with every call seems "ugly".
Also, please note that I'm fairly new to REST. I've been doing SOAP for a couple of years, so I may have a "SOAP bias" that may be blinding me from some obvious, simple solution that everyone uses. If there's an easier way, please feel free to share. I'm just trying to learn as much as possible.
I'm not entirely clear what is meant by "configure it to use JaaS for authentication". If there's a simple configuration to have grizzly enforce HTTP authentication protecting URLs, I don't know about it.
I'm assuming from the other question and answer you reference that you want to use a servlet filter. Normally that's configured in the web.xml file of a servlet project. Grizzly is of course often used to start up a server from code as opposed to application config. When I used grizzly in this way I noticed that GrizzlyWebContainerFactory didn't offer any versions of create() that allowed you to specify servlet filters. However I did notice ServletAdapter [1] in the same project that does give you that ability.
As for the filter itself, I unfortunately don't know of a pre-built servlet filter that simply plugs JaaS configured login modules into your application, so you'll likely have to write a bit of code there. It's not much though, just choose the HTTP based authentication method (e.g. HTTP BASIC, DIGEST, etc.), extract credentials from the request accordingly, and login using the JaaS framework. I don't see that a cookie would specifically be needed for RESTful resources. The RESTful architectural style frowns upon keeping sessions. There are plenty of tutorials about JaaS otherwise, so I won't elaborate on that here.
Once a JaaS subject is active (consumer successfully logged in) you can simply get the current subject and check the active principals and credentials using the Subject.getSubject method.
Anyway, this answer is specifically to give a bit more of the details around doing auth with servlet filters, as you requested in the other (linked) question. This isn't necessarily the only way to do auth in a jersey webapp, but it's a fairly straightforward way to do it. I like it because it keeps me from injecting repetitive auth code in each resource that needs it.
[1] https://grizzly.dev.java.net/nonav/apidocs/com/sun/grizzly/http/servlet/ServletAdapter.html
Not sure if you are asking how to secure each resource, but I found a presentation on javapassion that sounds like what you are looking for. He says to use #Context SecurityContext as a parameter.
#Path("basket")
// Sub-resource locator could return a different resource if a user
// is a preferred customer:
public ShoppingBasketResource get(#Context SecurityContext sc) {
if (sc.isUserInRole("PreferredCustomer") {
return new PreferredCustomerShoppingBaskestResource();
} else {
return new ShoppingBasketResource();
}
}