I have a REST backend that is accessed using REST request calls. This backend has a thin client front end and a plugin that consumes the REST API.
Currently the security is implemented using HTTP basic authentication.
Now I want to implement OAuth as the security mechanism. I have read all about OAuth but could not find a working example of securing a RESTful backend using OAuth.
Could anyone please guide me on how I can implement OAuth security in my app?
I'm looking for a different way to implement OAuth2 between a client and a server which are developed with Spring Boot. I already tried Spring OAuth and external providers, and both ways were implemented with success, but they don't meet my expectations. Any suggestions are appreciated.
All OAuth2 servers provide OIDC endpoints which can be accessed using the clients and secrets provided by the server. You can use REST calls inside the code using HttpClient or RESTEasy to access these endpoints. Also, the URLs for the endpoints that need to be accessed are based on the provider of the OAuth2 service (Auth0 or Keycloak). You can find the specification of the OAuth2 endpoints here.
I need to secure my Spring REST APIs with access tokens obtained from Keycloak, with validation done by the Spring Security adapter.
I have my mobile client which will be calling APIs from my server which needs to be validated with access token obtained from Keycloak
You can find an example with what you need right here:
https://github.com/iuliazidaru/keycloak-spring-boot-rest-angular-demo
We have a Java 8 backend application using Spring Boot with an embedded Jetty server.
The UI for the application is a Single Page Application built using React.
Currently I have enabled authentication by integrating with Okta using the Spring Security SAML extension. When the assertion is posted by Okta to my app, I create a session and the JSESSIONID is sent in the cookie.
This was fine until now, when we had a very simple UI serving a few UI components.
However, now we have several REST endpoints in our backend and we want them to be authenticated as well. The REST endpoints themselves are developed using Jersey.
If I understand correctly, SAML is clearly not the choice for pure REST-based endpoints, as SAML is mainly a browser-based protocol. These REST endpoints will be called by our UI, and we also want them to be independently callable via Postman or similar for testing.
When a client calls these REST APIs, I am guessing the client should send an Authorization header which should be checked by one of the authentication filters in the backend. After validating the client and the user, the filter should inject the user information into the SecurityContext, because Jersey injects the SecurityContext into all of the REST endpoints. Then it becomes easier to fetch the user from this SecurityContext.
Upon reading, it seems Okta OpenID Connect can be one choice, which issues a JWT. However, I am not clear on how to use this. That is, when Okta issues a JWT, should our UI (or any client for that matter) keep sending the JWT in the Authorization header to our APIs, and then should our APIs in turn send the JWT to Okta to validate it?
The question is: what is the best choice to serve both a login for the UI with a session and authentication of the REST endpoints? Not to mention that the REST APIs will be stateless in nature.
When a client would call these REST APIs, I am guessing the client should send an Authorization header which should be checked by one of the authentication filters in the backend
In OpenID Connect (OIDC), that value in the Authorization header is the id_token, which can be in JWT format. This id_token is issued by the OIDC server as the last step of whichever OIDC grant type you choose and is applicable to your case.
Upon reading, it seems Okta OpenID Connect can be one choice which issues a JWT. However I am not clear on how to use this. That is, when Okta issues a JWT should our UI or any client for that matter keep sending the JWT in the Authorization header to our APIs and then our APIs in turn should send the JWT to Okta to validate it?
Think of it as 3 components in this architecture: the Relying Party (client), the Identity Server / Authorization Server / OIDC Provider, and the Resource Server (your backend and its data). When the Authorization Server issues an id_token to the Relying Party, your Resource Server also knows this token. So when you request data from the Resource Server, you present your id_token to the Resource Server and it knows whether it is a valid id_token or not.
Question is what is the best choice to serve both, a login for the UI and a session and authenticating REST endpoints?
An OIDC Provider (or an Identity Server if you need more complex operations), since OIDC is both Authorization (OAuth 2.0 at its core) and Authentication.
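The resource-server side of the answer above, as an added example that is not from the original post or from Okta/Jersey: a Jersey ContainerRequestFilter that verifies the JWT carried in the Authorization header locally against the provider's published signing keys (JWKS) instead of sending it back to the provider on every call, and then exposes the token's subject through Jersey's SecurityContext. It uses the Nimbus JOSE+JWT library; the issuer, audience and JWKS path are hypothetical placeholders to be taken from the provider's configuration.

```java
import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.*;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.*;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class JwtAuthFilter implements ContainerRequestFilter {
    // Hypothetical issuer and audience; use the values configured in your OIDC provider.
    private static final String ISSUER = "https://example.okta.com/oauth2/default";
    private static final String AUDIENCE = "api://backend";
    private final DefaultJWTProcessor<com.nimbusds.jose.proc.SecurityContext> processor = new DefaultJWTProcessor<>();

    public JwtAuthFilter() throws Exception {
        // Signing keys are fetched from the provider's JWKS URL and cached: no round trip to the provider per request.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(
                JWSAlgorithm.RS256, new RemoteJWKSet<>(new URL(ISSUER + "/v1/keys"))));
        // Reject tokens whose issuer or audience differ, or that lack sub/exp; expiry itself is checked by the verifier.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                AUDIENCE, new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                new HashSet<>(Arrays.asList("sub", "exp"))));
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        try {
            if (header == null || !header.startsWith("Bearer ")) throw new IllegalArgumentException("no bearer token");
            JWTClaimsSet claims = processor.process(header.substring("Bearer ".length()), null);
            Principal user = claims::getSubject;  // Principal has a single abstract method, getName()
            ctx.setSecurityContext(new SecurityContext() {
                public Principal getUserPrincipal() { return user; }
                public boolean isUserInRole(String role) { return false; }  // map token claims to roles here if needed
                public boolean isSecure() { return "https".equals(ctx.getUriInfo().getRequestUri().getScheme()); }
                public String getAuthenticationScheme() { return "Bearer"; }
            });
        } catch (Exception e) {
            // Missing token, bad signature, wrong issuer/audience or expired token: one uniform 401, no detail leaked.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
        }
    }
}
```

Because verification is purely local (signature against cached keys plus claim checks), the endpoints stay stateless and the provider is only contacted when the key set is refreshed.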
I am developing an application which uses Spring REST services. I am using basic auth for authentication. I know that it is insecure. My end clients are capable of handling OAuth. I want to use OAuth; can anyone point me to how to do OAuth in Java? I saw some examples that mention Twitter, Google and Facebook, but I don't want to use social networking sites.
OAuth is a concept, not a library which you can inject (of course, libraries exist to implement it).
So if you want to have OAuth in your application (i.e. your application has its own OAuth), you have to set up the following things:
Authentication Server
Provide Provision to Manage OAuth Clients
Manage AccessTokens
Check out the OAuth 2.0 Specification to get a clear understanding of how it works and how to build your own.
https://www.rfc-editor.org/rfc/rfc6749
I'm trying to set up SSO between a webapp and a REST API. To do this I'm using Apache Shiro + Jasig CAS, but now I'm having a problem related to the authentication of the REST API.
I'm using CASRealm + CASFilter in the webapp and trying to use the session created there to access the REST API. I've tried 2 approaches:
propagating the CAS service ticket from the webapp to the REST API through the request header (does not work; it says the service ticket is invalid because it belongs to another app, maybe the TGT would work)
storing the username and password in the webapp and using them in HTTP basic authentication (this might be a big security flaw, I'm trying to avoid it)
What other approach can I use to authenticate the user in the REST API?
I guess this is mainly an architecture issue.
Please ask questions if you didn't understand my question (or my English).
It looks like you want to use the first CAS service as a proxy for your REST API: you could use the CAS proxy mechanism: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough. However, proxy support is not available in the Shiro CAS module; you should use the buji-pac4j extension. Here is a good discussion on this topic: http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-td7579694.html.
You can enable the OAuth 2.0 configuration on CAS and then you can secure your REST services with OAuth 2.0. For example, you can have a REST service with OAuth for user authentication. Here are some useful links.
OAuth configuration
Securing REST
OAuth and REST