I'm creating microservices with spring boot using this tutorial
https://medium.com/omarelgabrys-blog/microservices-with-spring-boot-authentication-with-jwt-part-3-fafc9d7187e8
So I have actually 4 microservices:
eureka-server
gateway-service (with #zuulproxy)
auth-service
gallery-service
Following the tutorial linked, the scenario is:
I can, with success, register and login user on gateway-service using auth-service routes, obtain a jwt token. This token is used on gateway-service to invoke gallery-service routes.
The problem is that only gateway-service implements spring-security. So gallery-service doesn't use the same securityContext and I can't obtain the information about logged user in a gallery-service's controller.
Is this a valid solution or I have to use spring-security in each microservices? In this case, how use the same jwt given by auth-service, in all microservices?
On top this problem, there is the fusionAuth question. In the auth-service, db is simulated with a list. Instead of list, I have to call fusionAuth login API with username and password and get user's token and roles.
I'm new in spring-security world and in general in developing with microservices. Is all this a valid approach?
My purpose is create a mobile application with thousands of users, so I want to develop an efficient and secure way to login them and add more logic on other microservices based on user's role.
Thanks in advance for helping!
Related
What I'm trying to do is to create an application with Angular frontend and Spring Boot backend with OAuth2 authentication.
The issue is that I don't know how to get on the frontend the ROLES user has so that I'll be able, for instance, to show something role-based on the page. Yes, there are scopes that OAuth provides in the response but the problem is that these scopes are for the CLIENT but not for the specific USER itself. And that CLIENT is my frontend side (correct me if I'm wrong) which basically means that every user operating my application(client) going to have the same scopes(roles). Moreover, I can specify roles on the backend with the help of Spring and UserDetailsService and then use those roles with #PreAuthorize, etc. But not on the frontend side.
Just as an example, if I simply used single JWT then with a token itself I'd return both the username and roles to frontend. And then I could store that data and use it on the frontend side according to my needs.
So what I'm asking is if it's actually possible and if this is correct to do so?
And how can I possibly implement such behavior?
OAuth doesn't solve this problem and it is best solved via claims in your API. OAuth should deal with authentication only. My below post may help you to think about the best separation: https://authguidance.com/2017/10/03/api-tokens-claims/
In a nutshell you will have to look up user rights such as roles after the OAuth processing completes.
There is a great video from Spring developer on YouTube about OAuth2/OpenID Connect. It shows how to implement the resource server using the newest Spring Security 5 solution.
Probably the easiest and the best way to achieve this is to use an OpenID Connect server which will provide all user management stuff. On the market there are many solutions. Auth0 and Okta are Identity Clouds which provides their services for small amount of money. On the other hand you have Keycloak, which is a server which you can install in Docker or even on bare metal - it's free and open-source.
I'm looking to build a Spring Boot REST API for an Android application.
Some of user specific resources should be protected by OAuth2.
My problem is - I don't wan't to use the social logins for my user authentication. I wan't to have my own user database (SQL) with my own user registration, that allows the user to login using username/password.
I'm new to the Spring Boot world - but have been looking on quite a few examples online, and I can see that Spring has a lot of useful libraries for user handling and OAuth.
But I can't seem to find some good examples that describes the proces of creating an Authentication Server that uses a local user database, and at the same time has an open user registration API.
So my question is - does any of You guys/girls have some links to guides that does this?
Thanks
Hope these will help:
https://blog.varonis.com/introduction-to-oauth/
http://www.baeldung.com/rest-api-spring-oauth2-angularjs
Also You can go with JWT Auth tokens:
https://github.com/cpapidas/Spring-Boot-OAuth2-JWT-MySQL
http://www.baeldung.com/spring-security-oauth-jwt
For more samples on Spring boot, You can refer following:
https://github.com/spring-guides
Best of luck.
I have access to a web application which has a link to another application I'm developing. When that link is clicked the URL is filled with two parameters: user, and token.
This token is generated per every user login on that very same web application.
I want to use that token and user to authenticate someone in the application I'm developing!
I have access to the source app's database in order to query against the token and username.
However I need help finding a way to implement this logic with Spring-Boot. Do I need a custom filter / authentication provider? How to wire these things up with Spring?
I want to stick to the framework rather than developing my own solution for this.
TL;DR: I need help securing a RESTful controller with a token I obtain through GET
Thank you!
Yes, you could write filter to authenticate token.
If you want make architecture a bit better I would recommend creating gateway (i.e. Zuul) and invoke second application through gateway. Implement gateway to authenticate requests. In my architecture I create separate Auth component to generate token and validate token. Gateway could call Auth to validate token.
I've tested the Spring Security SAML Extension for integration in my project and it looks good for me.
But I have one problem with this implementation:
How can I change the authentication to a form based login?
I have an application with a login form. And the requirement is that the authentication goes against an Active Directory Federation Services.
But up to now I found no way in the SAML Extension.
Sorry about this question, but my experience in Spring Security are not very good. I hope the someone here can help me in a simple way.
Best Regards
Thomas
The main point of federation protocols (like SAML) is that user's credentials are only used at the Identity Provider (= ADFS), and are not revealed to the Service Providers. In other words when using SAML you can't have a form login on your SP page.
If you want to combine multiple authentication methods - e.g. SAML + form login against local database, it is of course possible.
We are using Spring 3 framework and we have a SSO (Single sign on) provider which redirects to our app passing special tokens in the request to indicate the user is authenticated.
I would like to use Spring security to handle stuff like denying access to pages unless the user is authenticated, but I'd also like to be able to bypass this on my local machine while developing the application.
So in the production scenario, I expect the SSO to redirect to our app, specifically to a "/login.html" target which is supposed to somehow trigger a custom class I write to pull the expected login info from request and load up the user's info from our database and put it in session for the rest of the app to use.
Then in the development scenario I need to bypass SSO by just being able to create a session using a custom login page and then load the user's info from database just as above.
I am trying to figure out how to do it myself but I can't seem to wrap my head around all of it.
Any info on how to accomplish this even just high level kind of road map would be a huge help
If you write a custom AuthenticationProvider for Spring Security to authenticate with your SSO provider, then you could have two Spring Security configurations, one that wires up your custom AuthenticationProvider for production and one for development that uses a standard authentication provider.