Going Full OAuth with the new Spring Authorization Server in Spring Boot 3.1!

  • added 25. 05. 2023
  • Hi, Spring fans! We're doin' it! We're looking at the new Spring Authorization Server auto-config in the just-released Spring Boot 3.1, and I'll be joined by Spring Security legend Steve Riesenberg
  • Science & Technology

Comments • 88

  • @mrcoder9401 · 2 months ago

    You guys are just amazing, I was blushing all the time. Great learning experience :)

  • @rkalyankumar · 10 months ago +2

    Thanks guys. This video actually cleared most of the doubts I had with the authorisation server. Awesome!

  • @alltechtrickstips4850 · 11 months ago +5

    Josh acted like he doesn't know 😂! Pretty entertaining and easy-to-grasp content! We really waited for Spring Authorization Server to be in the Spring ecosystem! Excellent content but please upload in high resolution

    • @coffeesoftware · 11 months ago

      Thanks 🙏 for watching and I’m glad you got something out of it

  • @Saurabhkumar-vk7iq · 1 month ago

    This is GOLD Josh. Thanks!!

  • @markostrisko2370 · 11 months ago +2

    First of all, guys, amazing video, I enjoyed it all the way from the beginning till the end.
    One question in my mind right now. How flexible is SAS for changing the view (HTML & CSS) of the Login page or Consent page as well?
    I remember having so many troubles doing those things with Cognito or Keycloak, I really hope SAS gives more flexibility.
    Thanks and all the best to you guys.

    • @stephenriesenberg9255 · 10 months ago +1

      The Spring Security docs and official samples demonstrate how to do this easily, as well as our demo-authorizationserver sample.

  • @vipinkoul595 · 4 months ago

    Very awesome. Can you please help me understand when we should use an access_token Bearer token as opposed to API keys? Sometimes APIs are secured using API keys (api key and secret key combinations) instead of an access_token Bearer token; can you please help explain.

  • @jackfrosch · 1 year ago +1

    Great stuff, Josh and Steve. The worst part seems to be all the config, which is mostly a one-off.
    Speaking of security... I recommend moving off LastPass because of its poor security practices. We switched from LP to 1Password and really love it. Migration is easy and it is feature rich.

    • @stephenriesenberg9255 · 1 year ago

      Thanks! Note that of the properties I walked Josh through on the client side, only client-id, client-secret, and scope are required (along with provider and issuer-uri). The others were added to show you the defaults, so it's really a minimal amount of config. Depending on your needs, you would normally replace configuration on the server side with a management screen (UI) and a database table.

    • @coffeesoftware · 8 months ago

      I can’t imagine getting up-and-running in less

  • @user-fq9vj8kq2q · 6 months ago

    Great video. Very informative. I am running into issues though. On form login I keep getting an error with status 999. This occurs after the post. Any advice or general direction to check? I do have it on stackoverflow which has a lot more detail (such as pom.xml and config file). Thanks and keep up the great work!!

    • @stephenriesenberg9255 · 4 months ago

      I think I answered this in the comments on stackoverflow. Generally it's an invalid redirect_uri.

  • @arjitmishra100 · 11 months ago +2

    Thanks for the great overview.
    I have one question: is the authorization_code flow PKCE enabled?

    • @stephenriesenberg9255 · 10 months ago +2

      It is supported by default, but you can enable a `ClientSettings` option to require PKCE.
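
The `ClientSettings` switch Steve mentions, shown in a Spring Authorization Server `RegisteredClient` registration; this is an added example, not code from the video or the spring-tips repo. The client id, secret, redirect URI and scopes are assumed values for a local demo.

```java
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;

@Configuration
public class PkceClientConfig {

    // Hypothetical client registration; ids, secret and redirect URI are assumptions for this example.
    @Bean
    RegisteredClientRepository registeredClientRepository() {
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("client")
            // {noop} is only acceptable for a local demo; store a bcrypt-encoded secret in a real deployment
            .clientSecret("{noop}secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
            // Must match the client side exactly (scheme, host, port, path), otherwise
            // the authorization request fails with an invalid redirect_uri
            .redirectUri("http://127.0.0.1:8082/login/oauth2/code/client")
            .scope(OidcScopes.OPENID)
            .scope("user.read")
            .clientSettings(ClientSettings.builder()
                // PKCE is accepted by default; this makes it mandatory, so an authorization
                // request without a code_challenge is rejected for this client
                .requireProofKey(true)
                // Show the consent page instead of auto-approving every scope
                .requireAuthorizationConsent(true)
                .build())
            .build();
        return new InMemoryRegisteredClientRepository(client);
    }
}
```

A public client such as a browser SPA would use `ClientAuthenticationMethod.NONE` with no secret, which is exactly the case where requiring PKCE matters most.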

    • @coffeesoftware · 8 months ago

      As always I defer to the endless wisdom of Steve

  • @julianjupiter5890 · 22 days ago

    Hoping for a follow-up discussion or tutorial on how a UI app (Angular or React.js) works with it.

  • @janyoussef4501 · 1 year ago +12

    Security is hard, after watching the video it hasn't gotten any easier 🤣, but if you can do all this in 1 hour, then it's certainly manageable for the rest of us 👍.
    Kudos to the Spring team for this great effort 🔥.

    • @stephenriesenberg9255 · 1 year ago

      Thanks! While security is indeed always hard, note that of the properties I walked Josh through on the client side, only client-id, client-secret, and scope are required (along with provider and issuer-uri). The others were added to show you the defaults.

    • @coffeesoftware · 8 months ago

      Thanks for watching and I’m glad you enjoyed it

  • @dheereshjoshi9517 · 1 year ago +2

    You guys are amazing ..

  • @sivlayyi · 4 months ago

    Hello, Josh. Could we configure that in the same module without splitting into subprojects?

  • @cloudsquall88 · 1 year ago +1

    Thank you for the presentation!
    I have a (genuine) question: Why would I use Spring Authorization Server instead of, say, Keycloak?
    Could you give some pros/cons?

    • @stephenriesenberg9255 · 1 year ago +4

      Thanks for watching! Unfortunately, this is a pretty subjective question and since we're quite biased it's hard to give a good answer. I will just give some examples of where you might find SAS useful vs something like Keycloak. Some examples are: when you want a light-weight Spring Boot-based authz server, you're already using Spring Security and want to add OAuth2, you want to run an authz server natively, you don't require many/all the features of another server, you want/need to run on-prem, you want to heavily customize, you're not already using another server, etc.

    • @cloudsquall88 · 1 year ago +1

      @@stephenriesenberg9255 Thank you very much for your insights!

    • @stephenriesenberg9255 · 1 year ago +4

      @@cloudsquall88 You're quite welcome! I should note that the on-prem reason is there because you may be comparing SAS to a product solution in the cloud. There are tons of other reasons as well, but I'd encourage you to try out Spring Authorization Server by following this video and see how easy (and fun) it is before digging deeper into comparisons!

    • @coffeesoftware · 8 months ago

      Yah. What Steve said

  • @treefrog9392 · 11 months ago +1

    I tried doing this exact implementation, but I containerized it using docker compose, and I'm constantly getting bad client?
    I wonder if there's something additional required.

    • @coffeesoftware · 8 months ago

      Did you make sure to specify the right host:port for the redirect URIs on both the OAuth server and the client, after they’ve both been containerized? localhost in a container won’t resolve

  • @divyashreeb.l4024 · 11 months ago +2

    Amazing content... Can we use the revoke endpoint for logout? Or please suggest how to handle logout.

    • @stephenriesenberg9255 · 9 months ago +1

      Token revocation and logout are not really the same thing. Generally, I hear folks wanting to use token revocation for logout because they are using an access token as a session, which it is not. For logout, Spring Authorization Server currently supports logout through Spring Security's standard `http.logout()` mechanism, but also you can configure the OIDC Logout Endpoint which is a specific SAS feature for RP-initiated logout. Other types of logout are not yet supported, but there are issues in the issue tracker for them.

    • @coffeesoftware · 8 months ago

      Yah, what the amazing Steve said

  • @NadaP. · 11 months ago

    Thank you for the demo. It looks simple enough but I'm still confused about how to apply it to my own app. When securing a rest api that is consumed by a separate client app, can the authorization server live inside the rest api and serve the oauth endpoints on the same port as my rest api? Do I need the resource server in there as well? Would the client app use authorization_code grant type? Could you point me to some info on this? Appreciate the help!

    • @markostrisko2370 · 11 months ago

      I think you are asking if it is possible for a resource server to be an authz server at the same time? While I think it is possible, I'm not sure if it is the best thing to do. I would vouch that it is better to have separate instances of apps for those two things.

    • @NadaP. · 11 months ago

      @@markostrisko2370 Thanks, yes that was one of my questions. I guess in general, I'm looking for information on how to put it all together in a real world application.

    • @coffeesoftware · 8 months ago +3

      To keep things simple I’d keep them as separate apps.

    • @georgiapapp2928 · 7 months ago

      @@coffeesoftware what if I need them in the same app? Is there something specific I need to do to get them working together?

  • @damiankostycz6859 · 4 months ago

    Hi! How can I use the client credentials grant type in the client instead of authorization-code?

  • @NikoOsetrov · 3 months ago

    Great! Thanks

  • @navkkrnair · 7 months ago

    By just following you, I was able to successfully complete the authorization_code workflow. The only difference is, my resource server is an MVC app, not REST. Now when I try to post a form, I get "An expected CSRF token cannot be found" with status code 403. As I am using Thymeleaf, the CSRF token is already there in the form. Any suggestion?

    • @coffeesoftware · 7 months ago +1

      Thanks 🙏 try using the following config on your client
      github.com/spring-tips/spring-authorization-server/blob/main/gateway/src/main/java/bootiful/gateway/SecurityConfiguration.java

    • @navkkrnair · 7 months ago +1

      @@coffeesoftware Awesome. That did the trick. Thank you.

    • @coffeesoftware · 7 months ago

      Glad to hear it! Congrats 🎈🎊🍾🎉

  • @TaiChiSWAG · 7 months ago

    This video is amazing. How are you able to execute "uao resourceserver.zip" and "http" and some other custom commands? Have you created any aliases or custom scripts?

    • @coffeesoftware · 7 months ago

      Thanks for watching and I’m glad you like it. And yes it’s just an alias to a script called unzip-and-open.py. The script unzips the archive and then runs idea build.gradle.kts

  • @blacky8986 · 28 days ago

    And what if we have the auth server and resource server in the same app and we use a symmetric key?

  • @subaratatubebd · 1 year ago +1

    I have already watched many videos like yours, but I can't figure out how to register new users through the API. All are doing the same (in-memory user), a single admin user hard-coded and fixed. So I wanted to know how to register more than one user on the auth server through an API like "api/auth/register". Hope you get my point and please answer me.

    • @coffeesoftware · 1 year ago

      Hi - you could implement your own UserDetailsService implementation that talks to JDBC or any other persistence layer. The abstraction is simple and has one method that returns a simple object

    • @subaratatubebd · 1 year ago

      @@coffeesoftware First, many many thanks for the quick answer. Hope I'll coding for.

    • @stephenriesenberg9255 · 11 months ago

      I’d recommend Spring Data JDBC or JPA for the UserDetailsService implementation. There are a ton of great tutorials for this. The actual registration flow is just a regular Spring MVC rest endpoint to insert a row into the database. User registration is usually an advanced topic only because it requires creating a user flow involving sending verification emails and additional steps, which is quite involved and not directly security related. There are also many good identity management systems if you want to skip the registration task. Also, if your requirements are flexible you may consider simply using Social Login and let your users register by logging in with Google or another provider. It’s quite easy and we have a how-to guide on this in the reference documentation.
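
The custom `UserDetailsService` Josh describes (one method returning one object) together with the plain "insert a row" registration step Steve describes, as an added example that is not code from the video or the spring-tips repo. It assumes a `users(username, password, enabled)` table and a `PasswordEncoder` bean (Spring Security's bcrypt default) already in the context.

```java
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Assumed schema for this example: users(username varchar primary key, password varchar, enabled boolean)
@Service
public class JdbcUserDetailsService implements UserDetailsService {

    private final JdbcTemplate jdbc;
    private final PasswordEncoder passwordEncoder;

    public JdbcUserDetailsService(JdbcTemplate jdbc, PasswordEncoder passwordEncoder) {
        this.jdbc = jdbc;
        this.passwordEncoder = passwordEncoder;
    }

    // The single method Spring Security calls during form login on the authorization server.
    // Returning a UserDetails replaces the in-memory user from the demo; nothing else changes.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        try {
            return jdbc.queryForObject(
                "select username, password, enabled from users where username = ?",
                (rs, rowNum) -> User.withUsername(rs.getString("username"))
                    .password(rs.getString("password"))      // stored already encoded, never plain text
                    .disabled(!rs.getBoolean("enabled"))      // disabled accounts fail authentication
                    .roles("USER")
                    .build(),
                username);
        } catch (EmptyResultDataAccessException e) {
            // Spring Security's DaoAuthenticationProvider folds this into a generic
            // "bad credentials" failure, so the login page does not reveal which usernames exist
            throw new UsernameNotFoundException("user not found");
        }
    }

    // The registration endpoint (a regular @RestController) delegates here; the raw
    // password is encoded before it touches the database and is never logged.
    public void register(String username, String rawPassword) {
        jdbc.update("insert into users(username, password, enabled) values (?, ?, ?)",
            username, passwordEncoder.encode(rawPassword), true);
    }
}
```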

    • @subaratatubebd · 11 months ago

      @@stephenriesenberg9255 Thanks first. As per your comment I can say user registration responsibility should belong to the auth server if it is implemented. A new user should be registered with the Authorization Server if they do not exist.

    • @mainulhasan35 · 11 months ago

      @@subaratatubebd yes, for these you just need user registration endpoints. All the things described here are pretty basic, just how to get started, but if you have a good understanding of Spring Security, you can easily figure out all this registration stuff.

  • @keithleo-smith2836 · 9 months ago +1

    Using Spring Security and Auth Server, is there an easy way to generate an access token programmatically?

    • @stephenriesenberg9255 · 9 months ago +1

      Do you mean programmatically on the auth server (say in a custom endpoint)? Normally, you would use `client_credentials` for getting an access token programmatically (as a machine). But if you want to simply generate an access token yourself, Spring Security comes with `JwtEncoder`, which is what Spring Authorization Server also uses.

    • @coffeesoftware · 9 months ago

      Steve Riesenberg for the win!

  • @fipabrate · 10 months ago +1

    Any chance to show how to secure a websocket? How to use JWT with sockets?

    • @coffeesoftware · 9 months ago +2

      hi - you know this is a sort of weird situation. you would secure the user in the normal way, then and only then send the WS stream. You can even do something to send the JWT as a value in the payload of the WS message. WS's don't have headers, so you need to have your own enveloper/header payload on the WS message, like STOMP. So, once you've figured out how to conduct out-of-band information like headers, then put the JWT in there and then write something to validate the JWT. For an example of validating a JWT manually, check out the livestream I just did yesterday czcams.com/video/Nd_KEUindDk/video.html and the corresponding code github.com/coffee-software-show/securing-spring-integration-with-oauth
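
Minting a token with `JwtEncoder`, as Steve describes in the thread above, and then validating it the way a resource server or the WebSocket handshake check Josh describes would; this is an added example and not code from the video or the spring-tips repo. The issuer URI, subject and scope are assumed values, and the throwaway RSA key pair stands in for the server's real signing key.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.UUID;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

public class JwtRoundTrip {

    public static void main(String[] args) throws Exception {
        // Throwaway key pair for the example; a real server loads its signing key from a keystore
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keyPair = generator.generateKeyPair();
        RSAKey rsaKey = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
            .privateKey((RSAPrivateKey) keyPair.getPrivate())
            .keyID(UUID.randomUUID().toString())
            .build();
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(rsaKey));

        // Mint: the same JwtEncoder Spring Authorization Server uses for its access tokens
        JwtEncoder encoder = new NimbusJwtEncoder(jwkSource);
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
            .issuer("http://localhost:8080")               // assumed issuer-uri
            .subject("jlong")                              // assumed user
            .audience(List.of("client"))                   // assumed client id
            .issuedAt(now)
            .expiresAt(now.plus(Duration.ofMinutes(5)))    // short lifetime; a JWT cannot be recalled
            .claim("scope", "user.read")
            .build();
        String tokenValue = encoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();

        // Validate: signature against the public key, plus expiry and issuer checks.
        // This is the check a handshake interceptor would run on a token carried in the WS payload.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey((RSAPublicKey) keyPair.getPublic()).build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer("http://localhost:8080"));
        try {
            Jwt jwt = decoder.decode(tokenValue);
            System.out.println("accepted subject=" + jwt.getSubject() + " scope=" + jwt.getClaimAsString("scope"));
        } catch (JwtException e) {
            // A tampered signature, an expired token or a foreign issuer all end up here
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a deployed setup the decoder side would use `NimbusJwtDecoder.withJwkSetUri(...)` against the authorization server's JWK Set endpoint instead of a shared public key object.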

    • @fipabrate · 9 months ago

      In the end, I made a BeforeSocketHandshakeInterceptor and checked if the token is passed as a query parameter. Worked for me

  • @yebadokpogodson7163 · 5 months ago

    Hello guys, thank you for this tutorial.
    When using Spring Authorization Server with an SPA client, is it possible to allow access to the login page only when redirecting from /oauth2/authorize?
    I don't want a user to have direct access to the login page without being redirected from the client

    • @stephenriesenberg9255 · 4 months ago

      I'm not familiar with a use case like this. Can you explain why you'd need to do this? I can't think of an easy way off hand to enforce such a rule since the user is anonymous (not yet authenticated).

  • @mainulhasan35 · 11 months ago

    Hello, how can I achieve the same thing without using RouteLocator? Instead of this, I want to use the reactive WebClient.

    • @stephenriesenberg9255 · 10 months ago +1

      Without RouteLocator I'm assuming you're not wanting to use Spring Cloud Gateway? In that case, we have a sample in the spring-authorization-server repo (demo-client) that uses Spring Security OAuth2 Client's WebClient support for this. Check the Spring Security reference docs for details.

    • @mainulhasan35 · 10 months ago

      @@stephenriesenberg9255 thanks a lot! I got the workaround 😊

    • @coffeesoftware · 8 months ago

      I love to see it

  • @alexandersmirnov4274 · 11 months ago +1

    just works))

  • @chijiokeibekwe9710 · 11 months ago +1

    In an application where users of a client have unique permissions, how is this managed in spring authorization server?

    • @stephenriesenberg9255 · 10 months ago +1

      I think you're asking how to include unique scopes (permissions) for a particular user? I don't have an example handy and this comments section isn't great for sharing code, but see the `OAuth2AuthorizationConsentAuthenticationProvider` class, which has an `authorizationConsentCustomizer` that I believe would allow you to handle or set custom permissions/scopes on a per-user basis. You can also provide a custom consent screen as well as customize the eventual JWT or opaque access token that is generated, all of which is documented in the reference. If you get stuck, feel free to open a stackoverflow question and I can help you further.

    • @chijiokeibekwe9710 · 10 months ago +1

      @@stephenriesenberg9255 Thank you

    • @coffeesoftware · 8 months ago

      As always I more than happily defer to the endless wisdom of Steve 🙏

    • @chijiokeibekwe9710 · 8 months ago +1

      @stephenriesenberg9255 Hello, Steve. Pardon me for still using this thread, but I'd really appreciate it if you could clear this up for me. At what point do you think a project should move away from a regular Spring Security JWT setup using, say, the jjwt library, in favour of the Spring Authorization Server? What are the ideal use cases for both?

    • @coffeesoftware · 8 months ago +1

      @@chijiokeibekwe9710 I'd say you should use Spring Security’s OAuth resource and client support, regardless of whether you’re using Spring Authorization Server or Okta or Azure Active Directory or Google / GitHub / Meta / Apple or Keycloak. Using an OAuth IdP is better than just doing JWT auth in your apps for a number of reasons, including that the processor-intensive act of validating passwords is now centralized and can be avoided for the lifetime of the token. (I know you asked Steve but I thought I’d take a shot at an answer :-))

  • @yebadokpogodson7163 · 6 months ago

    Hello guys, first thank you for this great video.
    I've a Spring Boot authorization server working fine locally and I can use a SPA client like Angular to authenticate the user using the authorization code flow with PKCE.
    However, after putting my Spring Boot authorization server behind the Gravitee gateway, when the client makes a GET request to Gravitee it redirects it to the server and the server redirects the user to its login page.
    But when the user authenticates, I have the savedRequest null because the header changes between the first Gravitee call and the redirect to the server login page.
    Can anyone help me please?

    • @stephenriesenberg9255 · 4 months ago

      Would you be able to open a stackoverflow question with details, logs and code?

  • @RN-jo8zt · 11 months ago

    Where can I get the code link?

    • @coffeesoftware · 11 months ago +1

      Hi all the code is available on github.com/coffeee-software-show

    • @theforeskinsnatcher373 · 8 months ago

      thanks @@coffeesoftware. There is a typo in the link though, it should only be spelled with two "e"s :)

  • @caseylam8046 · 11 months ago +2

    Honestly, I watched the first 10 mins. The pace and atmosphere are very uncomfortable

    • @coffeesoftware · 9 months ago +1

      Sorry it didn’t resonate but thanks for watching anyway

  • @AstronLeandro · 1 year ago +1

    Tried to follow coding with you, but a POST to localhost:8080/oauth2/token using basic authorization with client and secret gives me an error "OAuth 2.0 Parameter: grant_type". As explained in GitHub issue "spring-projects/spring-authorization-server/issues/349", Spring will not be providing support for the password grant as it's deprecated in OAuth 2.1.

    • @stephenriesenberg9255 · 11 months ago +2

      Yes, that’s correct. The password grant is not recommended and is deprecated in 2.1. I know it is quite appealing to want to use it for mobile apps, but security issues aside, consider what happens when you want to add multi-factor authentication or another login flow step. OAuth2 doesn’t solve these problems, but using OIDC and a browser-based flow can. It’s harder to implement but is the more secure and future-proof option.

    • @coffeesoftware · 8 months ago +1

      Again, what would I do without the endless wisdom of Steve Riesenberg?