I'm looking to build a Spring Boot REST API for an Android application.
Some of user specific resources should be protected by OAuth2.
My problem is - I don't wan't to use the social logins for my user authentication. I wan't to have my own user database (SQL) with my own user registration, that allows the user to login using username/password.
I'm new to the Spring Boot world - but have been looking on quite a few examples online, and I can see that Spring has a lot of useful libraries for user handling and OAuth.
But I can't seem to find some good examples that describes the proces of creating an Authentication Server that uses a local user database, and at the same time has an open user registration API.
So my question is - does any of You guys/girls have some links to guides that does this?
Thanks
Hope these will help:
https://blog.varonis.com/introduction-to-oauth/
http://www.baeldung.com/rest-api-spring-oauth2-angularjs
Also You can go with JWT Auth tokens:
https://github.com/cpapidas/Spring-Boot-OAuth2-JWT-MySQL
http://www.baeldung.com/spring-security-oauth-jwt
For more samples on Spring boot, You can refer following:
https://github.com/spring-guides
Best of luck.
Related
I spent a lot of hours to try to understand but without success.
All I can find doesn't correspond to what I want to achieve. My need is to secure my Spring Boot API but I want to use Google as the identification. After that I want to map the user datas (essentially name and email) with my database to implement Roles to grant different accesses regarding these roles.
Here are my questions to be sure and know where to start :
1-As far as I know in this case, Google is the Authorization Server and my API the Resource Server. Is that right ?
2-I can find some tuto about ResourceServerConfigurerAdapter but it seems depreceted. For my API, do I have to use the WebSecurityConfigurerAdapter instead?
3-Do I have to use JWT ?
4-How to test with Postman? Send a request to the Google server to get the token and send the Token to the API.
Help would be really appreciated as I spent a lot of time without success.
Go through this tutorial for brief understanding of Spring Security. You should use OAuth Authentication for using google as your authentication, Please check this video under the same playlist. Hope this helps..
can somebody show how to configure a SPRING-BOOT back-end (web app) to work with a JWT token, that is valid and issued for the back-end by google. I cannot find any example. The spring security configuration is missing something.
I've configured the Spring boot adapter to work with a web application. But it's a different flow. The redirects for Android for example do not pass through the back-end. And so a new user that is logging in from a mobile device has a valid token but doesn't trigger a login or registration process.
Kind Regards :)
What I'm trying to do is to create an application with Angular frontend and Spring Boot backend with OAuth2 authentication.
The issue is that I don't know how to get on the frontend the ROLES user has so that I'll be able, for instance, to show something role-based on the page. Yes, there are scopes that OAuth provides in the response but the problem is that these scopes are for the CLIENT but not for the specific USER itself. And that CLIENT is my frontend side (correct me if I'm wrong) which basically means that every user operating my application(client) going to have the same scopes(roles). Moreover, I can specify roles on the backend with the help of Spring and UserDetailsService and then use those roles with #PreAuthorize, etc. But not on the frontend side.
Just as an example, if I simply used single JWT then with a token itself I'd return both the username and roles to frontend. And then I could store that data and use it on the frontend side according to my needs.
So what I'm asking is if it's actually possible and if this is correct to do so?
And how can I possibly implement such behavior?
OAuth doesn't solve this problem and it is best solved via claims in your API. OAuth should deal with authentication only. My below post may help you to think about the best separation: https://authguidance.com/2017/10/03/api-tokens-claims/
In a nutshell you will have to look up user rights such as roles after the OAuth processing completes.
There is a great video from Spring developer on YouTube about OAuth2/OpenID Connect. It shows how to implement the resource server using the newest Spring Security 5 solution.
Probably the easiest and the best way to achieve this is to use an OpenID Connect server which will provide all user management stuff. On the market there are many solutions. Auth0 and Okta are Identity Clouds which provides their services for small amount of money. On the other hand you have Keycloak, which is a server which you can install in Docker or even on bare metal - it's free and open-source.
I'm creating microservices with spring boot using this tutorial
https://medium.com/omarelgabrys-blog/microservices-with-spring-boot-authentication-with-jwt-part-3-fafc9d7187e8
So I have actually 4 microservices:
eureka-server
gateway-service (with #zuulproxy)
auth-service
gallery-service
Following the tutorial linked, the scenario is:
I can, with success, register and login user on gateway-service using auth-service routes, obtain a jwt token. This token is used on gateway-service to invoke gallery-service routes.
The problem is that only gateway-service implements spring-security. So gallery-service doesn't use the same securityContext and I can't obtain the information about logged user in a gallery-service's controller.
Is this a valid solution or I have to use spring-security in each microservices? In this case, how use the same jwt given by auth-service, in all microservices?
On top this problem, there is the fusionAuth question. In the auth-service, db is simulated with a list. Instead of list, I have to call fusionAuth login API with username and password and get user's token and roles.
I'm new in spring-security world and in general in developing with microservices. Is all this a valid approach?
My purpose is create a mobile application with thousands of users, so I want to develop an efficient and secure way to login them and add more logic on other microservices based on user's role.
Thanks in advance for helping!
I have gone through the google cloud endpoints documentation and find the below configuration there for custom authentication,
https://cloud.google.com/endpoints/docs/openapi/authenticating-users
I don't understand the below things,
How do I configure My spring boot jwt authentication(username and password in database) service url here ?
2.What are the possible values for the below configurations in case of custom authentication
x-google-issuer: "issuer of the token"
x-google-jwks_uri: "url to the public key"
x-google-audiences: "YOUR-CLIENT-ID"
Can you provide a example for this If any one using this type of authentication?
There are some great resources in response to this existing StackOverflow question:
Google Cloud Endpoints custom authentication with App Engine Flexible (Node.js)
Don't let the specificity of the question deter you. Even though it was asked about AppEngine Flex with Node.js, the answer is language/environment agnostic.