I have my Spring Boot application, that provides some rest endpoints. Those rest endpoints need security, and I want to use the Oauth2 for it.
My idea is to use Google oauth2 token for that. I don't want to provide login functionality in my Spring Boot app, so I just want to check that the Bearer token is there and get the user info from it to display his/her data accordingly.
I'm checking this tutorial, but I don't think it's exactly what I want
https://www.baeldung.com/spring-security-5-oauth2-login
I would like to explain some scenrios that should be considered while deciding the security approach:
If your application users exists in google, means users having google accounts, then you can go for google authorization server oauth 2.0 https://developers.google.com/identity/protocols/OAuth2, In this case your should register on google developer portal, and application will recieve the access and refresh token after successful authentication of users. After that OpenId call can be made to google to get the user information
Above flow and integration will same as, Like you see the link on Quora application for "Login via google".
Now in services you can request validate the Bearer token via google oauth 2.0 validate endpoint and call the userinfo endpoint to fetch the user information.
if you go for JWT token then there wont be requirement to reach out to google authorization server for token validation and userinfo call.
Second approach is to build your own oauth 2.0 server using springBoot - https://spring.io/guides/tutorials/spring-boot-oauth2/
Use API gateway layer for token validation and further authorization can be done on microservices using spring security.
At the end of this tutorial you have more info for Google’s userInfo endpoint response:
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
You can check there :)
Related
Given:
I have a Micronaut application that provides diverent endpoints which are secured using OAuth2 and Keycloak. A user needs to login and gets a token.
The application needs to access other microservices. Those other endpoints are also secured with OAuth2 tokens. The tokens are machine2machine tokens, so no user login is required.
Problem:
The HttpClients for accessing other microservices need a OAuth2 machine2machine token. The micronaut application should request this token at a given token endpoint using a client id and a client secret. I did not found any documentation about this. Has someone already solved this problem or a good documentation about it?
I have enabled google social login for my keycloak instance, but I need to use it as a rest service.
Is there endpoint that can be used to do this?
There is no Google authentication API in the Keycloak but you can solve it with Token Exchanging.
You need first authenticate with Google API and get an external
token,
External Token to Internal Token Exchange.
I've got a spring-boot app that authenticates with OIDC (oauth2) and I'm trying to get a list of all the users from the authorization server - how should I implement this using spring?
Spring Security OAuth2 doesn't have an API for expressing a user repository. It does have a UserDetailsService interface, but you'll note that it only has the loadUserByUsername method.
If you are building an OAuth 2 authorization server, you could take a look at Spring Data and Spring MVC to expose a query endpoint (using Spring Security to secure that endpoint).
If you are building an OAuth 2 resource server or client that is talking to a third-party authorization server, you could take a look at RestTemplate or WebClient to formulate whatever proprietary query your authorization server wants since like #Ronald said, there is no OAuth 2.0 standard for querying users.
When a user signs in into his identity provider his personal information can be accessed by the claims the identity token contains. Or by approaching the userinfo endpoint.
There is no endpoint which returns all the users from the authorization server according to the OIDC standard.
I have access to a web application which has a link to another application I'm developing. When that link is clicked the URL is filled with two parameters: user, and token.
This token is generated per every user login on that very same web application.
I want to use that token and user to authenticate someone in the application I'm developing!
I have access to the source app's database in order to query against the token and username.
However I need help finding a way to implement this logic with Spring-Boot. Do I need a custom filter / authentication provider? How to wire these things up with Spring?
I want to stick to the framework rather than developing my own solution for this.
TL;DR: I need help securing a RESTful controller with a token I obtain through GET
Thank you!
Yes, you could write filter to authenticate token.
If you want make architecture a bit better I would recommend creating gateway (i.e. Zuul) and invoke second application through gateway. Implement gateway to authenticate requests. In my architecture I create separate Auth component to generate token and validate token. Gateway could call Auth to validate token.
Apologies, I work predominantly with iOS lately, and its been a while since I've worked with Spring.
Tools:
Kotlin
Spring Boot
Spring Social
Problem:
I'm building an app that allows typical 'Login with Facebook' type functionality.
I'd like to send the OAuth token obtained by the iOS client to the backend to authenticate with. If the token is valid, the backend will return successful authentication, otherwise indicate invalid credentials.
After logging in with the OAuth token, some profile information will be retrieved.
Question:
Most of the Get Started guides seem to follow the authentication with OAuth using username and password credentials.
Using Spring Social+Facebook, how can I:
Authenticate using an OAuth access token and retrieve profile data?
It is simple - Spring's FacebookTemplate can be instantiated with an oauth access token as follows:
val facebook = FacebookTemplate("$$TOKEN$$")