spring-security-oauth2

问题 I have a Spring Boot application, it use OAuth2 authentication from WSO2 Identity Server. When I run the aplication on Spring Tool Suit, it works, so i can sing in and use my web site. But when I run my application on Tomcat(9.0), I try access a page, and redirect to login page, and when i try to sign in, I get the error ERR_TOO_MANY_REDIRECTS Error Example: When my spring boot app is runing on Tomcat, and I try to access the html page: https://domain/chat/example.html if the user was not

问题 I have a Spring Boot application, it use OAuth2 authentication from WSO2 Identity Server. When I run the aplication on Spring Tool Suit, it works, so i can sing in and use my web site. But when I run my application on Tomcat(9.0), I try access a page, and redirect to login page, and when i try to sign in, I get the error ERR_TOO_MANY_REDIRECTS Error Example: When my spring boot app is runing on Tomcat, and I try to access the html page: https://domain/chat/example.html if the user was not

问题 We are developing an application that uses OAuth 2 for two use cases: Access to backend microservies (using client_credentials ) Authenticating the application's users (using authorization_code , so redirecting the users to Keycloak for login, roughly configured like shown in the tutorial). While authenticating our users, we receive part of the information from the auth server (such as login) and the other part can be found in a local user table. What we like to do is to create a Principal

问题 i am currently working on a project involving spring security (for OAuth2). We are using the authorization_code flow. However when the client hits the AuthorizationEndpoint (/oauth/authorize) we get an "InsufficientAuthenticationException". This may be due to an external system which is also involved in this flow which performs a redirect for the client, sending him to the /oauth/authorize endpoint. From what I understand by looking through the debug logfile and from reading the source code,

问题 In a REST API developed with Sping Boot and OAuth2 is it possible to limit user access according to client defined in the Authorization Server settings? For example, in the Authorization Server I have the following client configuration: clients.inMemory() .withClient(uaaProperties.getWebClientConfiguration().getClientId()) .secret(passwordEncoder.encode(uaaProperties.getWebClientConfiguration().getSecret())) .scopes("openid") .authorities("ROLE_TESTE") .autoApprove(true) .authorizedGrantTypes

问题 I try to use WebClient with oauth2 in spring webflux. I fetch a token from an url access token and i set it into the webclient. but i do not like to fetch this access token in every call of other secured endpoints. Means that i want to fetch it only in the first time during the instanciation of the webclient and when the access token expire. Here is the code that i am using : @Configuration public class OauthEmployeConfig{ /** ** ... String baseUrl, String accessUrl for the access token url *

问题 Spring security in the servlet stack ( web ) allows you to customize the OAuth2 login redirection endpoint base uri in the Oauth2 authorization code grant flow as given here. I am trying to do the same for the reactive stack with Spring webflux. The github issue here mentions an authorizationRequestResolver and authenticationMatcher on the Oauth2LoginSpec that can be used to customize the base uri but I am unable to figure out how. Can someone please help me out with the configuration? 回答1:

问题 I am using Keycloak 10.0.2 to secure the spring boot REST API's and Angular 9 for front end. The front end is served from the spring boot microservice running on http://localhost:8080. On the keycloak side the openid-connect client web origin is configured to allow all origins. Spring boot spring security is configured to use the Keycloak as oauth2 client provider. spring: security: oauth2: client: provider: keycloak: issuer-uri: https://abc-keycloak.abccloud.com/auth/realms/abc scope: openid

问题 External OAuth2 Provider doesn't have public JwkUri, so I tried too override default behavior using following code snippet: @EnableWebSecurity public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("**/oauth2/code/esia**", "**/code/esia**", "**esia**").permitAll() .antMatchers("/user").fullyAuthenticated() .anyRequest().authenticated() .and() .csrf().disable

问题 External OAuth2 Provider doesn't have public JwkUri, so I tried too override default behavior using following code snippet: @EnableWebSecurity public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("**/oauth2/code/esia**", "**/code/esia**", "**esia**").permitAll() .antMatchers("/user").fullyAuthenticated() .anyRequest().authenticated() .and() .csrf().disable