there is my application in which I am using Angular on the UI side and on the API side I have a spring boot app and for managing users- using the AWS Cognito user pool. currently, I am able to connect with my user pools in my application, which means I have manually implemented the verification, decoding, and filtering id tokens and access tokens based on role manually. but I want to use the spring oauth2 feature to do the same and want to remove manual verification and boilerplate code.
can anyone help me please to provide the steps how can I achieve it, if you know certain steps,
it will be really helpful for me.
Related
in a project for my internship I have a spring boot application that manages some products, orders, and users.
I chose to use keycloak for authentication and authorization I achieved a good part of the job but now I'm facing a problem that makes the whole usage of keycloak in such a project a question.
So briefly the user authenticates in keycloak and I got the token in spring I extract the Infos and if the user is not in my database (the one related to spring which is different from keycloak database ) I create a new one but now when I'm thinking if a user is deleted from keycloak it will remain in my application database and even the update of users is gonna be difficult.
So my question is should I continue searching for a solution (calling keycloak endpoint from spring is one of them but still thinking about it ) or just go for a JWT implementation .
I chose keycloak cause it's a tested solution and got many features that are easy to use if I needed them in the future but now I got these problems with it.
THANKS for the help !!
Have you considered to configure Keycloak with a custom provider (external user database)?
Something like that: https://www.baeldung.com/java-keycloak-custom-user-providers.
This way, your spring services keep complete control over users database.
I am having difficult integrating with SSO with my web application.
I have an sample dropwizard application.
I tried integrating with google and facebook open connect.
I thought of 2 approaches for integration
1. fetch the token from frontend js once the user is authenticated using open id, pass that token to the dropwizard server as cookie.
2. fetch the token from the dropwizard server itself and store the set token in cookie while responding to the frontend.
I am not sure on which of the above 2 is best or is there any recommend way of integrating with the open connect in dropwizard?
I like delegating SSO to well known applications/ libraries specific for the job. Keycloak is the application I’m familiar with. But I suppose some of the points below are application independent. This partial answer is a possible direction of a solution, but I don’t think it’s the recommended way, if there is any such way. Some people will dislike the approach.
The front end is responsible for authentication. But it cannot be trusted to be unmodified since it is in user space. Therefore calls to the back end should be validated for validity and authorization (which should be a back end task anyway).
Keycloak has libraries for well known front and back end implementations that allow easy integration. I’ve used it successfully with Angular and Dropwizard.
Integration with various identity providers can be combined. Therefore it is probably a pretty safe bet for a situation where authentication demands are expected to change. It takes some getting used to the extra layer though, so your mileage may vary.
Some links:
https://www.keycloak.org
https://www.npmjs.com/package/keycloak-angular
https://www.keycloak.org/docs/latest/securing_apps/index.html
I have an application which is built using Spring MVC and the backend is REST API also built using spring MVC framework.
The request from the browser first hits the springMvc app which then calls my REST API for data. I do not have any needs to expose my API's publicly. So I am not thinking to use any API gateway.
For security, am thinking to host my REST app in a private subnet and host the springMVC app in public subnet in a VPC.
My question is what if some developers would like to test the API's directly , what provisions are available in AWS to manage this in development environment.
I am using AWS cognito for authentication and am just going to validate the token in the REST app for additional security. At netwrok level, I am planning to use Netwrok ACLs to restrict the REST app to be only called by my springMVC app. Basically one public subnet and one private subnet.
Please help if my understanding is correct in this regards and would it cause any design issues later on.
If at some stage later, I plan to expose my API's to lets say a mobile app, I might have to do some rework. Is it worth it to think about future now and design accorindgly considering it might not take much time if I am on AWS.
You can use API Gateway to create private APIs that are only accessible by your VPC. You should consider using this option if possible. There are a lot of things that are difficult to manage when it comes to APIs such throttling, caching, and logging. Using API Gateway a lot of the scaffolding and instrumentation work for the API will already be done. You can also connect Cognito user pools to the API Gateway.
This blog post has a good overview and an example.
I am trying to secure Spring boot REST apis that only need the user to enter a valid OTP (which I am already validating), I have no problem implementing this using sessions/cookies/JWTs but I need to use the simplest implementation that is supported by Spring boot to give the user a token or to know him in some way so that he will access the secured REST APIs.
I could create the Jwt & send it to the user, but Authenticating this across every API seems too much by making a filter & using it on every secured API
This is (compared with using something like this reference) where we can see that Spring security already provides simple & global protection for the APIs but depends on authentication using username & password.
I don't want to recreate the wheel as in security I believe it is best to use standard libraries to avoid any issues.
What is the best practice for the scenario above as I was overwhelmed from the different approaches that I saw & I don't know what is the best?
1- Validating the Jwts in a central place for secured APIs?
2- Creating session for the user (without using Redis or DB) but only keeping it in Application server?
Any help is appreciated.
I need to make simple CRUD application with user registration and authentication using Spring boot, but I have some trouble figuring out how to do this right. I have created user table at RDMS and set up Redis for storing user sessions as explained here.
At Spring boot docs it's said that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository intefaces and after starting my application I can GET it's data using browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with gradlew dependencies command and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for mobile app because it possibly uses short-living tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using approach that was used in Angular web app and finally stateless authentication with OAuth 2.0. Directly in opposite to author of Angular web app tutorial who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?