I have gone through the google cloud endpoints documentation and find the below configuration there for custom authentication,
https://cloud.google.com/endpoints/docs/openapi/authenticating-users
I don't understand the below things,
How do I configure My spring boot jwt authentication(username and password in database) service url here ?
2.What are the possible values for the below configurations in case of custom authentication
x-google-issuer: "issuer of the token"
x-google-jwks_uri: "url to the public key"
x-google-audiences: "YOUR-CLIENT-ID"
Can you provide a example for this If any one using this type of authentication?
There are some great resources in response to this existing StackOverflow question:
Google Cloud Endpoints custom authentication with App Engine Flexible (Node.js)
Don't let the specificity of the question deter you. Even though it was asked about AppEngine Flex with Node.js, the answer is language/environment agnostic.
Related
What I'm trying to do is to create an application with Angular frontend and Spring Boot backend with OAuth2 authentication.
The issue is that I don't know how to get on the frontend the ROLES user has so that I'll be able, for instance, to show something role-based on the page. Yes, there are scopes that OAuth provides in the response but the problem is that these scopes are for the CLIENT but not for the specific USER itself. And that CLIENT is my frontend side (correct me if I'm wrong) which basically means that every user operating my application(client) going to have the same scopes(roles). Moreover, I can specify roles on the backend with the help of Spring and UserDetailsService and then use those roles with #PreAuthorize, etc. But not on the frontend side.
Just as an example, if I simply used single JWT then with a token itself I'd return both the username and roles to frontend. And then I could store that data and use it on the frontend side according to my needs.
So what I'm asking is if it's actually possible and if this is correct to do so?
And how can I possibly implement such behavior?
OAuth doesn't solve this problem and it is best solved via claims in your API. OAuth should deal with authentication only. My below post may help you to think about the best separation: https://authguidance.com/2017/10/03/api-tokens-claims/
In a nutshell you will have to look up user rights such as roles after the OAuth processing completes.
There is a great video from Spring developer on YouTube about OAuth2/OpenID Connect. It shows how to implement the resource server using the newest Spring Security 5 solution.
Probably the easiest and the best way to achieve this is to use an OpenID Connect server which will provide all user management stuff. On the market there are many solutions. Auth0 and Okta are Identity Clouds which provides their services for small amount of money. On the other hand you have Keycloak, which is a server which you can install in Docker or even on bare metal - it's free and open-source.
I am new in security so need little help with this task. I develop small application where I need just authenticate users by credentials, and return jwt token without any roles or scopes (users will consume all rest service).
I just need distinguish authenticated and anonymous user, and verify token.
I checkout a lot of tutorials, but they are a too complex for my purpose.
There are my questions, I will be grateful for any help or some guide in steps what I should do and how:
One of tutorials which I found use OAuth2. It's really need
implement OAuth2 for my purposes?
Which dependency should I use? jjwt or spring security jwt?
Really need authorization server and resource server, or exists
simpler way?
Thanks.
Here is a short answer to your question that hopefully will help you with further research:
You dont need to implement your own OAuth2 server. You can use existing OAuth2 compliant application like Keycloak or Mitreid. We found Keycloak to be more future rich and easy to use.
If you are just receiving and validating JWT tokens then Spring will do it for you. But in order to create JWT tokens you need to use third party libraries like jjwt or nimbus-jose-jwt.
Again you have option to create your own Spring app that will authenticate and create JWT tokens, but it will take more to be fully OAuth2 compliant. My advice is to just use existing OAuth2 app like Keycloak.
The resource server is the one that you need to create and is the actual application that is being secured and accessed by JWT token.
Its late to answer this question, but still answering this if in case someone is still looking for an answer. Assuming you have already achieved authenticating the credentials, but looking for help with JWT, look at my answer JWT Token is always received as expired while parsing
Hope this helps.
I'm looking to build a Spring Boot REST API for an Android application.
Some of user specific resources should be protected by OAuth2.
My problem is - I don't wan't to use the social logins for my user authentication. I wan't to have my own user database (SQL) with my own user registration, that allows the user to login using username/password.
I'm new to the Spring Boot world - but have been looking on quite a few examples online, and I can see that Spring has a lot of useful libraries for user handling and OAuth.
But I can't seem to find some good examples that describes the proces of creating an Authentication Server that uses a local user database, and at the same time has an open user registration API.
So my question is - does any of You guys/girls have some links to guides that does this?
Thanks
Hope these will help:
https://blog.varonis.com/introduction-to-oauth/
http://www.baeldung.com/rest-api-spring-oauth2-angularjs
Also You can go with JWT Auth tokens:
https://github.com/cpapidas/Spring-Boot-OAuth2-JWT-MySQL
http://www.baeldung.com/spring-security-oauth-jwt
For more samples on Spring boot, You can refer following:
https://github.com/spring-guides
Best of luck.
I'm reading the Google Cloud Endpoints docs related to OAuth2 Security.
I assume this kind of security is against Google accounts.
Is there any support to have a custom User schema to authenticate against?
What I would like is to have client JS application which uses Google Cloud Endpoints but authenticate against local storage (App Engine) of users.
Is Google Clound Endpoints suitable for this or do I need to write my own Security mechanism?
My understanding of OAuth is:
An end point is implemented by a provider, so when an application such as yourself, authenticates a user such as myself, it returns a result.
Now the problem is if google's end points can return custom schema.
What you could do is, implement the functions, and change your DNS (/etc/conf) so that google's endpoints hit your localhost. In principal this will work, however in practice I am not sure I would do this myself, but perhaps you have your reasons.
So with AppEngine, I imagine there might be a class which overrides/implements this stuff. With the DNS rewrite trick, you should be able to get it to work.
If you do, please write about it, so it can help others.
The OAuth for Cloud Endpoints is Google accounts only. You would have to write your own.
Honestly, just use Google Accounts, user can even sign up for Google accounts with their own email address. In the future they will probably support Open ID with Endpoints as well.
I'm building a Java web app that needs access to a user's Google Calendar data - therefore I thought the OAuth/OpenID hybrid is the best way to go.
What's the best library to handle the job - and reduce the amount of code on my end?
I tried openid4java & Spring Security OpenID (both don't support hybrid) as well as dyuproject (couldn't get it integrated).
PS: GAE is not an option
Any ideas?
I don't know any integrated library but I do it with an OpenID library (openid4java), an OAuth library (net.oauth Java implementation [Edit: or Scribe]) and my bare hands as follows:
My OAuth consumer key is like www.example.com so I use http://*.example.com as OpenID realm.
I add following parameters (to redirect url or form) when redirecting user to Google OpenID endpoint:
openid.ns.ext2=http://specs.openid.net/extensions/oauth/1.0
openid.ext2.consumer=<my oauth consumer key>
openid.ext2.scope=<oauth scope to be authorized>
In return in addition to plain OpenID response I receive:
openid.ext2.request_token=<request-token>
I exchange received request-token with access-token and access-secret which are what is needed to make OAuth-authorized calls. That's all!
Note that in plain OAuth along with request-token you have to use a request-secret and verifier but here you don't need them.
To have a better view you may read Google OAuth, Google OpenID and OpenID OAuth Extension.
Edit: Here (comment 8) is the OAuth extension for openid4java that does above for you.
It does not support OpenID but, Scribe is a very good OAuth Java library that supports Google.