I am trying to secure my application using OAuth. I have a client application (UI) built in React and the back-end is in Spring Boot. I have an OAuth server configured which will take care of authenticating the user.
I am really confused about whether the React application should talk to the Auth server and get the token, or whether Spring Boot should get the token.
After reading multiple articles I thought about the following flow:
1. The user will go to the ReactApp home page and ReactApp will redirect them to the OAuth server login page (/authorize)
2. The OAuth server will authenticate the user's credentials and redirect the user to the ReactApp home page with a code
3. ReactApp will send the code to the Spring Boot server using an API endpoint
4. The Spring Boot server will use the code (along with the client ID and client secret) to get the token from the Auth server and send that token to ReactApp for further communication
Questions:
Is this the standard flow?
How secure is the application using this flow?
Is it a good idea to do one part of the authentication in the UI and another part in the backend (code in the UI (ReactApp) and token in the back-end (Spring Boot))?
Is there any better way than this?
Any help would be appreciated.
Related
I have a Spring Boot (backend) & Angular (frontend) app that I'd like to secure with Keycloak (for the authentication).
I have a very basic deployment, in which the executable jar created by Spring also serves the client code (from Angular).
I have seen several tutorials where the front and back are separated, and the front uses the code flow + PKCE to delegate its authentication to Keycloak, while the back is stateless and checks for the presence of a JWT token certified by the Keycloak instance.
However, since I have a backend server, I'd like to avoid using a public client and instead rely on the back-channel token exchange on the server side. So the front should not have any knowledge of the Keycloak instance.
Is that possible / is it a best practice? Is there a front library that helps me to achieve that? I've come across the library keycloak-angular, but it seems to be directed towards the first case, where the SPA connects directly to Keycloak instead of using a backend server.
In such a case you don't need a frontend library. In your frontend you should just handle the user session (have a session cookie) and send the cookie every time to your backend. Then the backend server should use any OAuth client to communicate with your Keycloak server, and once it gets the tokens it can save them in a DB together with a handle to your session.
Here's how this flow might look:
1. Client request -> backend server -> reply with a 302 to the Keycloak authorization endpoint. The registered redirect_uri should be a URI exposed by the backend server.
2. The user performs authentication / consent, etc.
3. Keycloak redirects to the redirect_uri with a code.
4. The backend receives the code (as it listens on the redirect URI address) and exchanges it with Keycloak.
5. The backend receives the access token and saves it in a DB together with the session ID.
6. When the client makes another request to the backend with their session, the backend picks the access token from the DB and can call an API.
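The flow in this answer, and the variant the first question proposes (code in the SPA, exchange in Spring Boot), both come down to the back-end being the OAuth client. Below is an added example, not code from either post, of a Spring Boot back-end that owns the whole authorization-code exchange with Spring Security's oauth2Login(). The browser only ever holds the session cookie; the access token and the client secret never reach the React or Angular bundle. It assumes spring-boot-starter-oauth2-client on the classpath and Spring Security 5.7+ configuration style; the issuer URL, client id and secret are placeholders.

```java
// Added example: back-end-for-frontend OAuth client in Spring Security (not the posts' own code).
// Assumes spring-boot-starter-oauth2-client. Issuer, client id and secret below are placeholders.
package example.bff;

import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class BackendForFrontendConfig {

    // Confidential client: the secret lives only on the server, never in the SPA bundle.
    @Bean
    ClientRegistrationRepository clientRegistrations() {
        ClientRegistration keycloak = ClientRegistrations
                .fromIssuerLocation("https://keycloak.example.test/realms/demo") // placeholder issuer (discovery runs at startup)
                .registrationId("keycloak")
                .clientId("backend-app")                 // placeholder
                .clientSecret("change-me")               // placeholder; load from a secret store in practice
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .scope("openid", "profile", "email")
                // Step 1 of the answer: the redirect_uri is served by this back-end, not by the SPA.
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .build();
        return new InMemoryClientRegistrationRepository(keycloak);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Steps 1-5: an unauthenticated request gets a 302 to Keycloak, the code comes back to
            // /login/oauth2/code/keycloak, and Spring exchanges it (with the secret) for the tokens.
            .oauth2Login(Customizer.withDefaults());
        // CSRF protection stays enabled by default, which matters because the SPA authenticates with a cookie.
        return http.build();
    }
}

@RestController
class MeController {

    // Step 6: tokens are stored per (registration id, principal name). The default store is in-memory;
    // JdbcOAuth2AuthorizedClientService persists the same data to a database table.
    private final OAuth2AuthorizedClientService authorizedClients;

    MeController(OAuth2AuthorizedClientService authorizedClients) {
        this.authorizedClients = authorizedClients;
    }

    // Step 7: the browser sends only its session cookie; the back-end looks the token up itself.
    @GetMapping("/api/me")
    Map<String, Object> me(OAuth2AuthenticationToken auth) {
        OAuth2AuthorizedClient client = authorizedClients.loadAuthorizedClient(
                auth.getAuthorizedClientRegistrationId(), auth.getName());
        String accessToken = client.getAccessToken().getTokenValue(); // use server-side to call downstream APIs
        // Deliberately return only non-secret data to the SPA; the token itself stays here.
        return Map.of(
                "subject", auth.getName(),
                "tokenExpiresAt", String.valueOf(client.getAccessToken().getExpiresAt()),
                "tokenLength", accessToken.length());
    }
}
```

Compared with the first question's proposal, this keeps the token on the server instead of handing it back to the SPA after the exchange: the browser never holds a bearer credential that a script injection could read, and revoking access means clearing one server-side record. The session cookie should be HttpOnly and SameSite, and the SPA's API calls must carry the CSRF token that Spring issues.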
Can somebody show how to configure a Spring Boot back-end (web app) to work with a JWT token that is valid and issued for the back-end by Google? I cannot find any example. The Spring Security configuration is missing something.
I've configured the Spring Boot adapter to work with a web application. But it's a different flow. The redirects for Android, for example, do not pass through the back-end, and so a new user that is logging in from a mobile device has a valid token but doesn't trigger a login or registration process.
Kind Regards :)
I have a Spring Boot application that provides some REST endpoints. Those REST endpoints need security, and I want to use OAuth2 for it.
My idea is to use a Google OAuth2 token for that. I don't want to provide login functionality in my Spring Boot app, so I just want to check that the Bearer token is there and get the user info from it to display his/her data accordingly.
I'm checking this tutorial, but I don't think it's exactly what I want:
https://www.baeldung.com/spring-security-5-oauth2-login
I would like to explain some scenarios that should be considered while deciding on the security approach:
If your application users exist in Google, meaning users have Google accounts, then you can go for the Google authorization server OAuth 2.0: https://developers.google.com/identity/protocols/OAuth2. In this case you should register on the Google developer portal, and the application will receive the access and refresh token after successful authentication of users. After that an OpenID call can be made to Google to get the user information.
The above flow and integration will be the same as the "Login via Google" link you see on the Quora application.
Now in your services you can validate the Bearer token via the Google OAuth 2.0 validate endpoint and call the userinfo endpoint to fetch the user information.
If you go for a JWT token then there won't be a requirement to reach out to the Google authorization server for token validation and the userinfo call.
The second approach is to build your own OAuth 2.0 server using Spring Boot: https://spring.io/guides/tutorials/spring-boot-oauth2/
Use an API gateway layer for token validation; further authorization can be done on microservices using Spring Security.
At the end of this tutorial you have more info on Google's userInfo endpoint response:
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
You can check there :)
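The "JWT token, no round trip to Google" option mentioned above, and the earlier question about a back-end that accepts a Google-issued JWT from a mobile client, both fit Spring Security's resource-server support. Below is an added example, not code from these posts or from the linked tutorials, of a stateless Spring Boot resource server that takes a Google ID token as the Bearer token and validates it locally: signature against Google's published keys, expiry, issuer, and, importantly, audience. It assumes spring-boot-starter-oauth2-resource-server on the classpath; the client id is a placeholder for the one registered in the Google developer console.

```java
// Added example: validating a Google ID token as a Bearer token (not the posts' own code).
// Assumes spring-boot-starter-oauth2-resource-server. CLIENT_ID is a placeholder.
package example.resource;

import java.util.Collection;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class GoogleIdTokenResourceServerConfig {

    // Google's OpenID Connect issuer; discovery at startup fetches the JWKS used to verify signatures.
    private static final String ISSUER = "https://accounts.google.com";
    // Placeholder: the OAuth client id the ID token was issued to (from the Google developer console).
    private static final String CLIENT_ID = "1234567890-placeholder.apps.googleusercontent.com";

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        // Default checks: signature against Google's keys, exp/nbf timestamps, and the iss claim.
        OAuth2TokenValidator<Jwt> issuerChecks = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Audience check. Without it, a valid Google ID token minted for ANY other application
        // would be accepted by this back-end, since it is signed by the same Google keys.
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<Collection<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(CLIENT_ID));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerChecks, audienceCheck));
        return decoder;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // No login page and no server session: every request must carry "Authorization: Bearer <id_token>".
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

@RestController
class UserInfoController {

    // The validated token is the principal; the user's data comes straight from its claims,
    // so no call to Google's userinfo endpoint is needed per request.
    @GetMapping("/api/userinfo")
    Map<String, Object> userInfo(@AuthenticationPrincipal Jwt idToken) {
        return Map.of(
                "sub", idToken.getSubject(),
                "email", String.valueOf(idToken.getClaimAsString("email")),
                "emailVerified", String.valueOf(idToken.getClaimAsBoolean("email_verified")),
                "name", String.valueOf(idToken.getClaimAsString("name")));
    }
}
```

Two caveats a practitioner should keep in mind: this applies to Google ID tokens, which are JWTs; Google access tokens are opaque strings and can only be checked by calling Google's tokeninfo or userinfo endpoints, which is the other path the answer describes. And because nothing here is session-based, a first request from a new mobile user arrives in the controller with an already validated token; that controller (or a filter behind it) is the place to look up or create the application's own user record, since no login redirect will ever pass through the back-end.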
Trying to set up SSO for a Java web application built with Spring MVC.
I've registered my application with an Okta server and got a Metadata URL and a SignOn URL. I'm using the SignOn URL from my application, authenticating successfully, and then a POST request is made with some form data that includes a SAML Response object.
What should be the next step from here?
I've decoded the SAML response, and now from my understanding I need to get a token or a session ID that I'll need to use for my further requests to the Okta server.
Edit 1:
Ran the spring-boot-saml-example; the authentication works as expected.
But when trying to get the current session using the Okta Session API from the Spring application, an HTTP 404 code is returned. Fetching the current session using the browser works fine.
Take a look at this blog post; this example uses Spring Security and an Okta SAML app. Take a look at that, and if that doesn't help let us know.
You can use the spring-webmvc-pac4j security library, which provides SAML authentication for a Spring MVC (Boot) app.
Configuration is straightforward for Okta, as for any other SAML identity provider: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L44 + https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L214
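Both answers make the same point: do not decode and trust the SAML Response by hand; let a library validate it and establish the local session. Below is an added example, not code from the posts and not the pac4j library the second answer recommends, showing the same thing with Spring Security's own saml2Login(). It consumes the Okta Metadata URL from the question, validates the signed SAMLResponse that Okta POSTs back (signature against the IdP certificate from the metadata, audience, validity conditions), and creates the application's own HTTP session, which is the "token or session ID" the question is looking for; no call to the Okta Session API is needed afterwards. It assumes spring-security-saml2-service-provider on the classpath; the metadata URL is a placeholder.

```java
// Added example: SAML 2.0 login against Okta with Spring Security's saml2Login() (not the posts' own code,
// and not pac4j). Assumes spring-security-saml2-service-provider. OKTA_METADATA_URL is a placeholder.
package example.saml;

import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class OktaSamlConfig {

    // Placeholder for the Metadata URL Okta shows for the app. The IdP's SSO URL and signing
    // certificate are read from it, so every SAML Response is checked against Okta's key.
    private static final String OKTA_METADATA_URL =
            "https://dev-000000.okta.com/app/exk_placeholder/sso/saml/metadata";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        RelyingPartyRegistration okta = RelyingPartyRegistrations
                .fromMetadataLocation(OKTA_METADATA_URL)
                .registrationId("okta")
                // Assertion Consumer Service URL: the endpoint Okta POSTs the SAMLResponse to.
                // It must match the ACS URL registered in the Okta app; Spring serves it at this path.
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(okta);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Unauthenticated requests are redirected to Okta's SignOn URL. The POSTed SAMLResponse is
            // validated (signature, audience, NotBefore/NotOnOrAfter) and a local session is created.
            .saml2Login(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class WhoAmIController {

    // The "next step" after the POST: subsequent requests carry the app's own session cookie,
    // and the validated assertion is available as the authenticated principal.
    @GetMapping("/whoami")
    Map<String, Object> whoAmI(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
        // Attribute names depend on the attribute statements configured in the Okta app.
        List<Object> email = principal.getAttribute("email");
        return Map.of(
                "nameId", principal.getName(),
                "email", email == null ? List.of() : email,
                "registrationId", principal.getRelyingPartyRegistrationId());
    }
}
```

The point relevant to the question's edit: after a successful SAML login the application should rely on its own session, not on the Okta session. The Okta Session API call that works from the browser depends on the browser's Okta cookies, which the Spring server does not have, which is consistent with the 404 seen from the server side.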
Summary:
I want my OAuth client to re-fetch the authorities from the OAuth authorisation server for every request, so any changes to the user's authorities are reflected straight away.
Details:
I have a Spring Boot web app that is secured with @EnableOAuth2Sso.
I have written my own OAuth authorisation app, that is secured using @EnableAuthorizationServer.
My web app is set to use the authorisation code grant type. This all works fine, and I can log in to my web app against the authorisation app, with the whole OAuth2 dance occurring correctly, resulting in the authorisation code being swapped for an access token.
Once we have the access token back in the web app, as part of the initial authentication, Spring Security on the web app is then calling the /oauth/check_token endpoint on the authorisation server and storing the returned user info in the HTTP session.
How can I stop this, and make it re-request the user info from the authorisation server for every request to the web app?