!tyUkzuxcwjMphNuxek:matrix.org

spring-security

218 Members
Welcome. Ask away! Unless otherwise specified we assume you're using the latest 5.x version of Spring Security
12 May 2022
bplotnick (Ben Plotnick) <@bplotnick-57e16fbf40f3a6eec0664cfb:gitter.im> 14:59:56

Hi - I'm trying to configure an OAuth2 client, but just for resource consumption, not for login. The authorization server does not have a userinfo endpoint, nor does it support OIDC, nor does it have a metadata endpoint. I am configuring it as follows:

spring:
  security:
    oauth2:
      client:
        registration:
          foo:
            redirectUri: "some/callback"
            clientId: "someClientId"
            clientSecret: "someClientSecret"
            scope: "foo,bar"
            authorizationGrantType: "authorization_code"
        provider:
          foo:
            authorization-uri: "https://login.example.com/authorize"
            token-uri: "https://auth.example.com/oauth2/token"

However, I am currently getting [missing_user_info_uri] Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: foo. I've tried setting the user-info-uri value to empty, but it doesn't help.

Any ideas of what I might be doing wrong?

13 May 2022
jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 22:06:57
In a Spring Boot application, you can use the spring.security.oauth2.resourceserver.jwt.audiences property

staleks (Aleksandar) <@staleks-5e2acea9d73408ce4fd7a861:gitter.im> 22:06:57

Another question from me, regarding migration from Spring OAuth2 -> Spring Security 5.6.x. As you may know, the previous configuration was done by annotating a class with @EnableResourceServer and extending ResourceServerConfigurerAdapter. The second one (I guess) allowed overriding the method configure(ResourceServerSecurityConfigurer), and there I was able to set the resourceId, e.g.

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).tokenServices(createTokenServices()).stateless(true);
    }

I'm wondering whether this is possible (and how) with Spring Security?

jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 22:07:12
Otherwise, you can register a custom JwtValidator https://docs.spring.io/spring-security/reference/5.6.2/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-validation-custom

jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 22:09:14
A simple one might look like new JwtClaimValidator("aud", (aud) -> "myResourceId".equals(aud))

jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 22:12:42
I'm not really clear on how the proposed chain would work. If you go to /oauth2/authorize and the user is not logged in, then it must cache the authorize request and redirect to /login. At that point, the authorize request has not been processed. Once login is complete, the authorize request gets processed by virtue of redirecting back to it.

kvadevack (Martin Häger) <@kvadevack-5706795d187bb6f0eade54f2:gitter.im> 22:12:42

Hello! I would like to avoid leaving a form login session open after an OAuth2 authorization code (spring-authorization-server) has been issued. Can I somehow hook into the /oauth2/authorize endpoint before it redirects back to the resource server and delete the session?

And is there a way to make this work with stateless session management? I've toyed with CookieRequestCache to keep track of where to go next, but I think I would need to call or do some sort of internal redirect back to spring-authorization-server within an authentication success handler so as to not lose track of the authentication?

So the chain would be:

GET /oauth2/authorize -> redirect to /login
GET /login
POST /login -> redirect to callback

rather than what's currently happening:

GET /oauth2/authorize -> redirect to /login
GET /login
POST /login -> redirect to /oauth2/authorize (authentication lost)
GET /oauth2/authorize -> 401 (callback never happens)

Any pointers would be much appreciated :).

jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 22:13:16
That is, the proposed chain, if I'm reading it correctly, would never actually authorize the client, which I imagine is not what you are wanting.

jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 22:14:31
Relatedly, I'm wondering why you don't want the user to remain logged in. That kind of seems to be the point of OIDC; that the user can go to several properties that are authorized by the same server and not have to re-login.

jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 22:17:26
If you are using it just for resource consumption, then I wonder if client_credentials is a better grant type. Have you already tried that?

16 May 2022
@idahotokens:matrix.org joined the room. 11:22:45
tratotui (Tratotui) <@tratotui-62824d6f6da03739849689a5:gitter.im> joined the room. 13:13:29
tratotui (Tratotui) <@tratotui-62824d6f6da03739849689a5:gitter.im> 13:14:52
Hello guys!
I have big trouble (maybe I don't comprehend something), so...
I have "org.springframework.boot:spring-boot-starter-oauth2-resource-server" on the backend side, and React on the frontend.
Do I have the opportunity to make the authorization process without security-oauth-client?

@idahotokens:matrix.org left the room. 16:11:52
andy.lascano <@andy.lascano:matrix.org> joined the room. 16:31:01
18 May 2022
jzheaux (Josh Cummings) <@jzheaux-5a8ef091d73408ce4f8e5d3b:gitter.im> 15:29:26
Found your question on SO and gave my answer there: https://stackoverflow.com/questions/72232440/sessionless-form-login-for-spring-oauth2-authorization-server/72278055

19 May 2022
hubertlapsa (hubertlapsa) <@hubertlapsa-627916bc6da0373984962b5a:gitter.im> joined the room. 09:30:20
hubertlapsa (hubertlapsa) <@hubertlapsa-627916bc6da0373984962b5a:gitter.im> 09:30:21
Hi everyone, I am introducing integration with OAuth 2.0 in my application using the newest solution in Spring: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide. Therefore I have a question: is it possible to set a timeout for the token? I want to avoid a situation where I will have to wait for a token for a long time. In the old approach it was possible to solve this through ClientHttpRequestFactory: https://stackoverflow.com/questions/54085582/how-to-set-connection-timeout-with-oauth2resttemplate-while-fetching-access-toke/56608956#56608956. Currently, I do not see such a possibility using the latest solution.

theexiile1305 <@theexiile1305:matrix.org> 11:00:50

Hey guys,
I've recently upgraded the dependency org.springframework.security:spring-security-test from version 5.6.3 to version 5.7.1 in my Spring Boot (version 2.6.7) setup with Keycloak (version 18.0.0). After that, some of my MockMvc and security-related tests fail with the following error:

java.lang.NoClassDefFoundError: org/springframework/security/web/context/SecurityContextHolderFilter
	at org.springframework.security.test.web.support.WebTestUtils.setSecurityContextRepository(WebTestUtils.java:88)
	at org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors$SecurityContextRequestPostProcessorSupport.save(SecurityMockMvcRequestPostProcessors.java:728)
	at org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors$TestSecurityContextHolderPostProcessor.postProcessRequest(SecurityMockMvcRequestPostProcessors.java:804)
	at org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder.postProcessRequest(MockHttpServletRequestBuilder.java:843)
	at org.springframework.test.web.servlet.MockMvc.perform(MockMvc.java:189)
	at com.example.configuration.CorsConfigTest.GET request from non-allowed origin is forbidden(CorsConfigTest.kt:115)

or

java.lang.NoSuchMethodError: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken org.springframework.security.authentication.UsernamePasswordAuthenticationToken.authenticated(java.lang.Object, java.lang.Object, java.util.Collection)'
	at org.springframework.security.test.context.support.WithMockUserSecurityContextFactory.createSecurityContext(WithMockUserSecurityContextFactory.java:61)
	at org.springframework.security.test.context.support.WithMockUserSecurityContextFactory.createSecurityContext(WithMockUserSecurityContextFactory.java:40)
	at org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener.lambda$createTestSecurityContext$0(WithSecurityContextTestExecutionListener.java:123)
	at org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener.beforeTestMethod(WithSecurityContextTestExecutionListener.java:73)
	at org.springframework.test.context.TestContextManager.beforeTestMethod(TestContextManager.java:293)
	at org.springframework.test.context.junit.jupiter.SpringExtension.beforeEach(SpringExtension.java:174)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeBeforeEachCallbacks$2(TestMethodTestDescriptor.java:163)

Unfortunately, I cannot understand why this error happens; I've only updated the above-mentioned dependency. Can someone help me out? Thanks in advance.

sjohnr (Steve Riesenberg) <@sjohnr-621e97856da0373984914e8a:gitter.im> 21:49:01

"Do I have the opportunity to make the authorization process without security-oauth-client?"

Do you mean authorization in terms of OAuth? Or authentication?

You can enable JWT or opaque token support and authenticate using tokens on your frontend. See resource server in the reference docs.

You will need to provide a way to obtain or provision those tokens. It could be an authorization server or an endpoint authenticated a different way. See the JWT Login sample for an example.

Otherwise, can you provide more details on what you're trying to achieve?

sjohnr (Steve Riesenberg) <@sjohnr-621e97856da0373984914e8a:gitter.im> 21:54:39
Take a look at the "customizing the access token response" section for refresh tokens in the OAuth client docs, which provides one example (among other grant types) of customizing an OAuth2AccessTokenResponseClient with a custom RestTemplate.