I am using Spring Security Oauth2 for generating access token. When I use password as grant type, I send a post request as
http://localhost:8085/oauth/token?grant_type=password&client_id=ws&client_secret=secret&scope=read+write&username=david#abc.com&password=abc#123
I don't want to send the username and password in the URL.
I checked source code of TokenEndPoint.java but couldn't find much. I know that we can use HTTPS and encrypt the username and password.
I just want to know if there is any way to send username and password in headers.
I hope this helps you and meets your requirement.
Source: https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md
As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desparately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).
OAuth2RestTemplate example in Git Hub
url: https://github.com/mariubog/oauth-client-sample
Related
Based on the diagram you can see above (Oauth authrization flow). Reference https://youtu.be/oKzeHshquCs?t=1949
Using user credentials (username, password), we are attempting to
get an authorization code (login).
Authorization code received.
Using the received authorization code we are now requesting an
access token.
When access token is given. This access token will be
now used to access the resource server (as Bearer Token).
I would like to ask how to implement this using API, using the latest implementation of OAuth2. Using custom REST API's on the Authorization Server.
Scenario: using two api's ('/auth/code' then ''auth/token'')
Using user credentials (username, password) the user will request on
api '/auth/code', where authorization_code as the response.
Using the recieved authorization code (from #1), we will request an access
token on '/auth/token'. Access token will be used as bearer token on
the authorization server.
Or if we can do this two step (#1 and #2 above) on one API process (auth/token) would also be great.
Do you have any working project in regards with this?
I have explored the code of Baeldung, but based on this implementation, it is still using the default implementation of spring security. It would be my great pleasure if there are Senpai's out there can help me with this. Thanks :)
There's no such API to get an authorization code directly passing the user credentials. Usually, there would be an API (/as/authorization), which redirects the user to the login page. Once the user enters his credentials, he will be redirected to the target application with the authorization code in code as the query parameter of the URL. (You need to configure your app's URL as a redirect URL or callback URL in the Identity provider)
This code is usually short-lived and can't be used more than a time. (i.e) You can use this code only once to get an access token. When you exchange the code with an access token, you should be seeing refresh_token (if you granted access to refresh_token grant_type in the IdP) as well with which you can request tokens in the future.
You need to configure all these things in an Identity Provider. This could be PingIdentity, Auth0, etc.
Make a call to /as/authorization API
Once user enters his credentials and redirected to the target application, extract the code from the query parameter and make a call to token API (oauth/token) to get access_token and refresh_token
Once the access_token is expired, use the refresh_token to get a new access_token (grant_type should be refresh_token).
Once the refresh_token is expired, you need to again get the authorization_code again with the /as/authorization API.
I am developing an app secured with Spring Oauth2, password flow.
But I'm still confused about difference between UserDetailService and ClientDetailsService flows in Spring.
As I understand from OAuth2 specification, client and user are different entities. Client has clientId, clientSecret and some grants, and User has username, password and also some grants.
Multiple users use the same client (mobile app or web browser in my case).
So I need to authenticate some user and provide it with an access token.
I have implemented both UserDetailsService and ClientDetailsService (with all needed infrastructure: AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter) and during authentication I see, that username from request is passed as clientId into clientDetailsService and
as username into userDetailsService.
But I thought it should be more complex process like for authentication request client should provide both client credentials and user credentials so then I can verify client (is it registered in my system) and its grants then verify user and its grants and then return an access token.
My questions:
Do I understand the process correctly?
Are client grants and user grants of the same meaning?
What classes should I customize to separate verification of client and user credentials?
Solution is stupid simple.
The client and the user are really different entities
To obtain access token you need to complete basic authentication with Base64 encoded client credentials in header and username/password of the user in params.
Header pseudocode:
Basic Base64("client_id:client_secret")
Params:
username=username, password=password, grant_type=password
This will return you access_token, refresh_token and some extra info.
I'm writing a mobile app that communicates to a remote Java service via REST. I have protected my (SpringBoot) web service with https protection (due to the nature of the data, it needs to be secure) but my question is about which user/password I use to secure the https calls.
Should the username and password I use in the https header be a service account that the client (mobile app) and Java service knows or should it be the public user's username and password? The easiest option is just to use a service account but this means the mobile app will have those details built into it and distributed publically (albeit in compiled form).
Going the other way and using the user's username and password means I'll have to have the logon REST endpoint open and unsecure (which is fine I guess), but it just makes it slightly more fiddly.
Good question, and I would reckon you to use token based authentication and authorization scheme. Firstly you should have a login page where client logs in by providing username and password which is authenticated by calling some remote login service which maintains it's own user store or may use an existing one in your organization if any. Upon a successful authentication, the auth service should provide the client with a valid token, which then be refreshed time to time. The mobile or web client should pass in the token to the downstream microservices when a request is sent and this token should be sent inside the Authorization HTTP header.
Exposing the username and password while passing it around the network normally not considered as a good solution and that's where token becomes handy too. Token is the normal procedure that people use to secure rest endpoints. Yous rest endpoint should intercept each and every request comes at it, passes the token to the auth provider and verifies that. If the token is valid it will allow the request otherwise it should deny it.
Security is a pretty much larger topic and you have X.509 certificates other than tokens to encrypt the data sent across the wire over https and so forth. I suggest you to take a look at the spring security documentation since that will be a good starting point. Spring Security gives lots of hooks for developers which can be used out of the box with some sensible defaults. You can use JWT style tokens, Oauth tokens and spring security supports all these different forms too.
My user is already loggedin with a valid token, but in some important operations (like confirm or cancel of a paid subscription), I want it to send the password along the other data, so the server validate it.
By now, my application has the users in a database, and it was easy to develop this way.
How can I check that user sent password correctly? Will I need to try to login with the username and password in my backend?
Your backend should already be setup as a Keycloak Client so that it can pass tokens for validation / introspection.
If you enable "Direct Access Grants" it will allow the backend to directly pass and verify username and password credentials with Keycloak.
I have read and implemented my own Auth server following this tutorial from Spring. There are multiple SSO providers - Facebook, Github and a custom auth server. In this tutorial, the auth server contains the handling of other SSO providers.
I have a separate resource server that links to my auth server using the following properties:
security.oauth2.resource.userInfoUri=http://localhost:9000/user
I am able to get the token from my auth server using a cUrl command:
curl acme:acmesecret#localhost:9000/oauth/token -d grant_type=password -d username=user -d password=...
{"access_token":"aa49e025-c4fe-4892-86af-15af2e6b72a2","token_type":"bearer","refresh_token":"97a9f978-7aad-4af7-9329-78ff2ce9962d","expires_in":43199,"scope":"read write"}
But what I fail to understand is how can I use the other SSO providers to get such token as well from the auth server? The resource server should not care how did I get the token and whether I am authenticated using Facebook or my custom auth server. It should simply ask the auth server what is the Principal (logged user) and then decide which resources to show him, right?
I don't have any UI and this will be backed for a mobile application so I need to udnerstand how to handle the authentication using REST reqeusts.
If I understand your question correctly,
how can I use the other SSO providers to get such token as well from
the auth server?
This custom Auth server is abstracting out your interaction with FB or Github and issuing you it's own token. The token that your custom Auth server spitting out is not an FB or Github token, it's a token generated by your custom Auth server (After authenticating with FB/Github token).
Then why do we need FB/github?
How else your custom Auth server can identify a person, It sure can use user Id and Password; consider 'login with FB' as another nice option it gives to the user.
How to add other SSO providers like digitalocean in addition to FB and github?
Just do the same as we did for FB and Github (register a client id with digital ocean and then in auth server application, Add client Id and secret in the properties/yaml file etc)
The resource server should not care how did I get the token and
whether I am authenticated using Facebook or my custom auth server. It
should simply ask the auth server what is the Principal (logged user)
and then decide which resources to show him, right?
Yes, your understanding is correct.
Edit (To answer question asked in the comment)
But lets say I log in with Facebook through my Auth server. Where do I
find the token that I can use with the Resource server? Let's say I
have a RestClient and want to make a request to obtain some resource
belonging to a user which went through the Facebook auth process via
my auth server. Where do I find the token to use?
If that's a requirement, I think you can use this example instead; you may not need a custom auth server as such. Whole point of having custom auth server is abstracting out the interaction with FB or github.
Or
If you still want to go with custom auth server direction, then expose an endpoint from Auth server (which will get you the resources you need from FB) and then make use of that from your resource server.