Given:
I have a Micronaut application that provides diverent endpoints which are secured using OAuth2 and Keycloak. A user needs to login and gets a token.
The application needs to access other microservices. Those other endpoints are also secured with OAuth2 tokens. The tokens are machine2machine tokens, so no user login is required.
Problem:
The HttpClients for accessing other microservices need a OAuth2 machine2machine token. The micronaut application should request this token at a given token endpoint using a client id and a client secret. I did not found any documentation about this. Has someone already solved this problem or a good documentation about it?
Related
My quarkus backend is calling a rest web service which requires an access token. The access token is generated using client id, client secret and grant type client credentials. The token is valid for a couple of days.
This quarkus backend then propagates the data to an angular frontend.
I have a couple of questions:
Is there an out of the box implementation from Quarkus framework?
If not, please guide me if I should use httpclient or any other library for getting the access token.
How to check for refresh token?
How to save the access token, so that it can be used for other requests by other users?
Otherwise I end up generating an access token every time a user calls the rest service.
Since there is no answer, I will write here how I implemented this:
I use a java.net.http.httpclient to call the oauth server for getting the token with the client id and secret.
I cache the token using quarkus-cache and when the token expires, the quarkus-cache is invalidated and rebuilt with the new token.
Suggestions or better solutions are welcome.
I have my Spring Boot application, that provides some rest endpoints. Those rest endpoints need security, and I want to use the Oauth2 for it.
My idea is to use Google oauth2 token for that. I don't want to provide login functionality in my Spring Boot app, so I just want to check that the Bearer token is there and get the user info from it to display his/her data accordingly.
I'm checking this tutorial, but I don't think it's exactly what I want
https://www.baeldung.com/spring-security-5-oauth2-login
I would like to explain some scenrios that should be considered while deciding the security approach:
If your application users exists in google, means users having google accounts, then you can go for google authorization server oauth 2.0 https://developers.google.com/identity/protocols/OAuth2, In this case your should register on google developer portal, and application will recieve the access and refresh token after successful authentication of users. After that OpenId call can be made to google to get the user information
Above flow and integration will same as, Like you see the link on Quora application for "Login via google".
Now in services you can request validate the Bearer token via google oauth 2.0 validate endpoint and call the userinfo endpoint to fetch the user information.
if you go for JWT token then there wont be requirement to reach out to google authorization server for token validation and userinfo call.
Second approach is to build your own oauth 2.0 server using springBoot - https://spring.io/guides/tutorials/spring-boot-oauth2/
Use API gateway layer for token validation and further authorization can be done on microservices using spring security.
At the end of this tutorial you have more info for Google’s userInfo endpoint response:
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
You can check there :)
I've got a spring-boot app that authenticates with OIDC (oauth2) and I'm trying to get a list of all the users from the authorization server - how should I implement this using spring?
Spring Security OAuth2 doesn't have an API for expressing a user repository. It does have a UserDetailsService interface, but you'll note that it only has the loadUserByUsername method.
If you are building an OAuth 2 authorization server, you could take a look at Spring Data and Spring MVC to expose a query endpoint (using Spring Security to secure that endpoint).
If you are building an OAuth 2 resource server or client that is talking to a third-party authorization server, you could take a look at RestTemplate or WebClient to formulate whatever proprietary query your authorization server wants since like #Ronald said, there is no OAuth 2.0 standard for querying users.
When a user signs in into his identity provider his personal information can be accessed by the claims the identity token contains. Or by approaching the userinfo endpoint.
There is no endpoint which returns all the users from the authorization server according to the OIDC standard.
I have two Java Spring applications, one is working as client and other as server. Client is Spring RESTful service.
My requirement is:
Once a server wants to communicate with a client, it should send some token. The token will get validated by client. If the token is valid then client performs some task and sends success result. Otherwise the response will be like not valid token and client does not perform any task for that request.
I think what you need is JWT token, you can learn JWT token and java in JWT token, using the java lib to generate token and validate.
The way to transfer token is to add custom header in request header, so you can just add a filter to intercept the request and validate the token.
If you want use authority not just a simple token you can use spring security and JWT token, the demo and reference can see REST Security with JWT using Java and Spring Security and demo.
In my project,I using spring security+ spring session rest+ hazelcast,it's also a way to protect my rest api by token.
You can chose the method you need and if any question you can comment under the answer.
Apologies, I work predominantly with iOS lately, and its been a while since I've worked with Spring.
Tools:
Kotlin
Spring Boot
Spring Social
Problem:
I'm building an app that allows typical 'Login with Facebook' type functionality.
I'd like to send the OAuth token obtained by the iOS client to the backend to authenticate with. If the token is valid, the backend will return successful authentication, otherwise indicate invalid credentials.
After logging in with the OAuth token, some profile information will be retrieved.
Question:
Most of the Get Started guides seem to follow the authentication with OAuth using username and password credentials.
Using Spring Social+Facebook, how can I:
Authenticate using an OAuth access token and retrieve profile data?
It is simple - Spring's FacebookTemplate can be instantiated with an oauth access token as follows:
val facebook = FacebookTemplate("$$TOKEN$$")