I am new to security, so I need a little help with this task. I am developing a small application where I just need to authenticate users by credentials and return a JWT token without any roles or scopes (users will consume all the REST services).
I just need to distinguish authenticated and anonymous users, and verify the token.
I checked out a lot of tutorials, but they are too complex for my purpose.
Here are my questions; I would be grateful for any help or a guide on what steps I should take and how:
One of the tutorials I found uses OAuth2. Do I really need to implement OAuth2 for my purposes?
Which dependency should I use: jjwt or Spring Security JWT?
Do I really need an authorization server and a resource server, or is there a simpler way?
Thanks.
Here is a short answer to your question that hopefully will help you with further research:
You don't need to implement your own OAuth2 server. You can use an existing OAuth2-compliant application like Keycloak or MitreID. We found Keycloak to be more feature rich and easier to use.
If you are just receiving and validating JWT tokens, then Spring will do it for you. But in order to create JWT tokens you need to use third-party libraries like jjwt or nimbus-jose-jwt.
Again, you have the option to create your own Spring app that will authenticate and create JWT tokens, but it will take more work to be fully OAuth2 compliant. My advice is to just use an existing OAuth2 app like Keycloak.
The resource server is the one that you need to create; it is the actual application that is being secured and accessed with the JWT token.
It's late to answer this question, but I'm still answering in case someone is still looking for an answer. Assuming you have already achieved authenticating the credentials but are looking for help with JWT, look at my answer: JWT Token is always received as expired while parsing
Hope this helps.
I spent a lot of hours trying to understand, but without success.
All I can find doesn't correspond to what I want to achieve. My need is to secure my Spring Boot API, but I want to use Google for identification. After that I want to map the user data (essentially name and email) to my database to implement roles and grant different access according to these roles.
Here are my questions, to be sure and to know where to start:
1. As far as I know, in this case Google is the Authorization Server and my API is the Resource Server. Is that right?
2. I can find some tutorials about ResourceServerConfigurerAdapter, but it seems deprecated. For my API, do I have to use WebSecurityConfigurerAdapter instead?
3. Do I have to use JWT?
4. How do I test with Postman? Send a request to the Google server to get the token, and then send the token to the API?
Help would be really appreciated, as I have spent a lot of time without success.
Go through this tutorial for a brief understanding of Spring Security. You should use OAuth authentication to use Google as your authentication; please check this video under the same playlist. Hope this helps.
What I'm trying to do is create an application with an Angular frontend and a Spring Boot backend with OAuth2 authentication.
The issue is that I don't know how to get, on the frontend, the ROLES a user has, so that I'll be able, for instance, to show something role-based on the page. Yes, there are scopes that OAuth provides in the response, but the problem is that these scopes are for the CLIENT, not for the specific USER itself. And that CLIENT is my frontend side (correct me if I'm wrong), which basically means that every user operating my application (client) is going to have the same scopes (roles). Moreover, I can specify roles on the backend with the help of Spring and UserDetailsService and then use those roles with @PreAuthorize, etc. But not on the frontend side.
Just as an example, if I simply used a single JWT, then with the token itself I'd return both the username and the roles to the frontend. And then I could store that data and use it on the frontend side according to my needs.
So what I'm asking is whether it's actually possible, and whether it is correct to do so?
And how can I possibly implement such behavior?
OAuth doesn't solve this problem, and it is best solved via claims in your API. OAuth should deal with authentication only. My post below may help you to think about the best separation: https://authguidance.com/2017/10/03/api-tokens-claims/
In a nutshell, you will have to look up user rights such as roles after the OAuth processing completes.
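As an added example (not code from any of the answers above, and standing in for what jjwt or Spring would do in a Java app), the token mechanics the first answer and this one describe, using only Python's standard library: the issuer mints an HS256 JWT whose claims carry the username and the roles looked up for that user after authentication, and the resource server checks the algorithm, the signature and the expiry before trusting those claims. The secret, user and role values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret: a real issuer loads this from configuration, never hard-codes it.
SECRET = b"demo-secret-change-me"

def b64url_encode(data: bytes) -> str:
    """JWT segments use unpadded base64url (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(username: str, roles: list, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issuer side: sign a token carrying the user's name and the roles looked up for them."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # iat/exp are seconds since the epoch (RFC 7519); passing milliseconds is a classic
    # reason a token is reported as expired (or never expires) when parsed.
    claims = {"sub": username, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Resource-server side: return the claims only if the token is genuine and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed segment, bad base64 or bad JSON
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm: rejects alg=none and key confusion
        return None
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired, or exp missing/not numeric
    return claims
```

An anonymous request simply carries no token (or one that fails verify_token), and the roles the frontend displays come from the verified claims rather than from OAuth scopes.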
There is a great video from a Spring developer on YouTube about OAuth2/OpenID Connect. It shows how to implement the resource server using the newest Spring Security 5 solution.
Probably the easiest and best way to achieve this is to use an OpenID Connect server, which will provide all the user-management stuff. There are many solutions on the market. Auth0 and Okta are identity clouds which provide their services for a small amount of money. On the other hand you have Keycloak, which is a server you can install in Docker or even on bare metal; it's free and open source.
In my project I am using JWT to authorize users, but it works only with my own authorization. I need to make it possible to authorize using a Google account, so I need to add Google OAuth 2 authorization. But as I understand it, it stores the token in cookies, and I need to keep my application stateless since I'm using JWT; I also need to make the tokens from Google "valid". I have read this guide, but as I understood it, it shows how to make your own OAuth authorization. I don't need to create a new mechanism; I just need to add authorization via Google using JWT. So how do I make OAuth authorization via JWT?
You might want to explore the Auth0 service (auth0.com); they might provide the functionality you require as a free service, unless there are constraints which mean you could not use such services.
I have gone through the Google Cloud Endpoints documentation and found the configuration below for custom authentication:
https://cloud.google.com/endpoints/docs/openapi/authenticating-users
I don't understand the following things:
1. How do I configure my Spring Boot JWT authentication (username and password in database) service URL here?
2. What are the possible values for the configurations below in the case of custom authentication?
x-google-issuer: "issuer of the token"
x-google-jwks_uri: "url to the public key"
x-google-audiences: "YOUR-CLIENT-ID"
Can you provide an example of this if anyone is using this type of authentication?
There are some great resources in response to this existing StackOverflow question:
Google Cloud Endpoints custom authentication with App Engine Flexible (Node.js)
Don't let the specificity of the question deter you. Even though it was asked about App Engine Flex with Node.js, the answer is language/environment agnostic.
I'm struggling to design SAML 2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using a Java Servlet filter and Spring.
I see two possibilities:
1. Adding the SAML tokens to the header each time.
2. Authenticating once with SAML, then using a session or similar (secure conversation) between the client and the gateway.
Case 1: It's a good solution because we are still RESTful, but:
SAML tokens are quite big. This may cause problems due to the large header size.
Replaying tokens is not the best approach from a security point of view.
Case 2: It's no longer stateless, and I have to manage a link with the client. Since I use a gateway, the underlying services can still be RESTful.
Case 2 looks like the better choice despite the fact that it does not follow the REST constraints.
Has someone already done this and can give me some pointers (for design or implementation)?
Is there a better way to do it with SAML?
Any help or advice is welcome.
It is still a draft, but the OAuth2 SAML bearer profile may be a possible solution:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17
Use SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.
Also, you could generate a JWT token and put it inside a SAML attribute; from that moment on you could pass the JWT inside an HTTP header.
It is sort of mixing OAuth with SAML, but if you still need the latter for authentication, it could be the way to go.