jgrandja / oauth2-protocol-patterns
License: Apache License 2.0
My microservice needs to expose actuator endpoints for monitoring purposes, so I added the dependency "org.springframework.boot:spring-boot-starter-actuator", but I hit the error "HTTP ERROR 401".
I modified ResourceServerConfig to exclude the authentication check on this endpoint as below:
// @Formatter:off
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/actuator/health").permitAll()
            .mvcMatchers("/api/**").access("hasAuthority('SCOPE_resource.read')")
            .anyRequest().authenticated()
            .and()
        .oauth2ResourceServer()
            .jwt()
                .jwkSetUri(this.resourceServerProperties.getJwt().getJwkSetUri());
}
// @Formatter:on
But it doesn't work. Any advice?
If microservice c had 10 RestController endpoints, how could you update this code to lock down each one of them? Because it looks like the token allows access to the entire service, when in reality that is never the case. A client of a service may only have access to 5 of the 10 endpoints. How can you get more granular security in the client credentials flow?
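The per-endpoint question above, as an added example that is neither the repository's code nor the poster's: each controller endpoint of a Spring Security 5.2 resource server is tied to its own OAuth2 scope, so a client-credentials token carrying only orders.read is refused with 403 on the write endpoint instead of being granted the whole service. The scope names orders.read, orders.write and invoices.read, the /api/orders and /api/invoices paths, and the class names are assumptions for this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // One rule per endpoint and HTTP method, each naming the scope it needs;
                // scope and path names are assumed for this example (default SCOPE_ prefix).
                .mvcMatchers(HttpMethod.GET, "/api/orders/**").hasAuthority("SCOPE_orders.read")
                .mvcMatchers(HttpMethod.POST, "/api/orders").hasAuthority("SCOPE_orders.write")
                .mvcMatchers(HttpMethod.GET, "/api/invoices/**").hasAuthority("SCOPE_invoices.read")
                // Anything not listed above is closed, so a newly added controller
                // cannot become reachable by accident.
                .anyRequest().denyAll()
                .and()
            .oauth2ResourceServer()
                .jwt(); // decoder comes from spring.security.oauth2.resourceserver.jwt.* properties
    }
}

@RestController
class OrderController {
    @GetMapping("/api/orders/{id}")
    public String getOrder(@PathVariable String id) {
        return "order " + id;
    }

    // Second, method-level check: still enforced if the URL rule is ever loosened.
    @PreAuthorize("hasAuthority('SCOPE_orders.write')")
    @PostMapping("/api/orders")
    public String createOrder(@RequestBody String body) {
        return "created";
    }
}
```

A token obtained via client credentials for a client registered with only orders.read can read /api/orders/{id} but receives 403 on POST /api/orders from both the URL rule and the @PreAuthorize check.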
When I start the uaa server using ./gradlew -b uaa-server/build.gradle uaa
I got FAILURE as a response on http://localhost:8090/uaa/
How do I enable logs?
Thank you Joe, for this great sample application demo.
Question: I am trying to decide which provider to use (Spring or Keycloak) for my SSO application. Can you guide me in the right direction? We are planning to start SSO development in a couple of weeks.
Hi Joe,
Can you please provide an example of how to implement Client Assertion (a kind of client credentials for service-to-service calls) with Spring Security 5.2 and above?
Thank you in advance,
Will
Hi,
Thanks for sharing the demo!
When I access localhost:8080, after a while it shows FAILURE.
And when I look at uaa-server.log, I see an error:
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.JAXBException
I tried to add these dependencies but it doesn't work:
dependencies {
    uaa("org.cloudfoundry.identity:cloudfoundry-identity-uaa:${uaaVersion}@war") {
        artifact {
            name = "cloudfoundry-identity-uaa"
            extension = 'war'
            type = 'war'
        }
        compile "javax.xml.bind:jaxb-api:2.2.11"
        compile "com.sun.xml.bind:jaxb-core:2.2.11"
        compile "com.sun.xml.bind:jaxb-impl:2.2.11"
        compile "javax.activation:activation:1.1.1"
    }
}
Can you help me with this?
Hi Joe,
Can you please advise how to implement Client Assertion with Spring Security 5.2+?
Thank you in advance,
Will
Hi Joe,
I changed "auth-server" to "localhost" in all projects. I tried to access localhost:8080 and it showed a login page at http://localhost:9000. I typed in user1/password, and it returned a 500 internal error; I checked the log, and it was caused by "oauth2Authentication is null".
@Bean
ProviderSettings providerSettings() {
    return new ProviderSettings().issuer("http://localhost:9000");
}
@ModelAttribute("authorizedClientRegistrations")
List authorizedClientRegistrations(OAuth2AuthenticationToken oauth2Authentication) {
    if (this.clientRegistrationRepository == null) {
        return Collections.emptyList();
    }
If I add the entry 127.0.0.1 auth-server to the hosts file and keep using "auth-server", it works.
What is the difference between http://auth-server:9000 and http://localhost:9000 in this case?
Warm regards,
William
Hi @jgrandja ,
I am trying the Keycloak configuration.
All GET requests are working fine, i.e. @GetMapping("/") and @GetMapping("/whoami") from Amicroservice and Bmicroservice.
But when I add a @PostMapping("/message") in AController.java and try to consume it from home.html or index.html, I get a 403 Forbidden.
Do I need to add something like the below to consume the @PostMapping() or POST method?
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .oauth2Login().and()
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
        .authorizeRequests()
            .anyRequest().authenticated();
}
If possible, can you please add a simple @PostMapping() example API method in either Amicroservice or hotel Bmicroservice, and consume it from index.html or home.html.
Code snippet:
@SpringBootApplication
@Controller
public class HotelsApplication {
    public static void main(String[] args) {
        SpringApplication.run(HotelsApplication.class, args);
    }

    @GetMapping("/")
    public String getIndex() {
        return "index";
    }

    @GetMapping("/whoami")
    @ResponseBody
    public Authentication whoami(Authentication auth) {
        return auth;
    }

    /* newly added POST method
     * which is not working as expected; it is ending up with the error
     * Failed to load resource: the server responded with a status of 403 (Forbidden)
     */
    @PostMapping("/message")
    @ResponseBody
    public String createMessage(@RequestBody String message) {
        return String.format("Message was created. Content: %s", message);
    }
}
The SecurityConfig class is in my Amicroservice (ResourceService):
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Accept bearer JWTs and map Keycloak realm roles to ROLE_* authorities
        http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
        http.authorizeRequests().anyRequest().authenticated();
        http.headers().frameOptions().sameOrigin();
    }

    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRealmRoleConverter());
        return jwtAuthenticationConverter;
    }

    @Bean
    public JwtDecoder jwtDecoderByIssuerUri(OAuth2ResourceServerProperties properties) {
        String issuerUri = properties.getJwt().getIssuerUri();
        // Discovers the JWK set from the issuer and validates the "iss" claim against it
        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(issuerUri);
        jwtDecoder.setClaimSetConverter(new UsernameSubClaimAdapter());
        return jwtDecoder;
    }
}

// Replaces the "sub" claim with Keycloak's preferred_username so Authentication#getName() is readable
class UsernameSubClaimAdapter implements Converter<Map<String, Object>, Map<String, Object>> {
    private final MappedJwtClaimSetConverter delegate = MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());

    @Override
    public Map<String, Object> convert(Map<String, Object> claims) {
        Map<String, Object> convertedClaims = this.delegate.convert(claims);
        String username = (String) convertedClaims.get("preferred_username");
        if (username != null) { // keep the original "sub" when the token carries no preferred_username
            convertedClaims.put("sub", username);
        }
        return convertedClaims;
    }
}

// Maps realm_access.roles from a Keycloak token to ROLE_<name> authorities
class KeycloakRealmRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
    @Override
    @SuppressWarnings("unchecked")
    public Collection<GrantedAuthority> convert(final Jwt jwt) {
        final Map<String, Object> realmAccess = (Map<String, Object>) jwt.getClaims().get("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof List)) {
            return Collections.emptyList(); // a token without realm roles gets no authorities instead of an NPE
        }
        return ((List<String>) realmAccess.get("roles")).stream()
                .map(roleName -> "ROLE_" + roleName)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }
}
Thanks in advance.