spring-security-oauth2

Spring OAuth2.0: Getting User Roles based on Client Id

☆樱花仙子☆ 提交于 2019-11-27 14:54:22
I have multiple clients registered for my oauth2 auth server. lets say user1 have roles such as ROLE_A , ROLE_B for client1 , same user has roes such as ROLE_C , ROLE_D for client2 . now when the user logins either using client1 or client2 he is able to see all the four roles ie. ROLE_A , ROLE_B , ROLE_C and ROLE_D . My requirement was when the user1 logins to client1 it should return only the roles ROLE_A and ROLE_B . when he logins using client2 it should return only ROLE_C and ROLE_D For achieving this, what I planned is within the authenticate function, I need to get the clientId. so using

Spring Boot OAuth2 Single Sign Off (Logout)

南笙酒味 提交于 2019-11-27 12:30:37
I'm considering to use OAuth2 for my application. The architecture I'm trying to implement is as follows: I will have my own (and only this) Authorization Server Some Resource Apps validating access to their resources using the Authorization Server Some client apps (web, mobile) which will redirect the user to the Authorization Server for authentication and on success will consume the api's on the Resource Apps. So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I

Two factor authentication with spring security oauth2

落爺英雄遲暮 提交于 2019-11-27 11:08:20
问题 I'm looking for ideas how to implement two factor authentication (2FA) with spring security OAuth2. The requirement is that the user needs two factor authentication only for specific applications with sensitive information. Those webapps have their own client ids. One idea that popped in my mind would be to "mis-use" the scope approval page to force the user to enter the 2FA code/PIN (or whatever). Sample flows would look like this: Accessing apps without and with 2FA User is logged out User

How to change spring security oauth2 default token endpoint?

只愿长相守 提交于 2019-11-27 10:00:12
问题 We have spring security oauth2 based application. Every thing is working fine. But i am failed to change default token endpoint from "/oauth/token" to "/external/oauth/token". My spring-servlet.xml <http pattern="/external/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager" use-expressions="true" xmlns="http://www.springframework.org/schema/security"> <intercept-url pattern="/external/oauth/token" access="isFullyAuthenticated()" /> <anonymous

Spring-Security-Oauth2: Full authentication is required to access this resource

感情迁移 提交于 2019-11-27 05:32:36
问题 I am trying to use spring-security-oauth2.0 with Java based configuration. My configuration is done, but when i deploy application on tomcat and hit the /oauth/token url for access token, Oauth generate the follwoing error: <oauth> <error_description>Full authentication is required to access this resource</error_description> <error>unauthorized</error> </oauth> My configuration is on Git hub, please click on link The code is large, so refer to git. I am using chrome postman client for send

Spring Security OAuth2, which decides security?

随声附和 提交于 2019-11-27 05:13:16
问题 I've been trying to implement a OAuth2 authentication server using the guides by Dave Syer with some inspiration from JHipster. But I can't figure out how it all works together. It looks like the security setup using the WebSecurityConfigurerAdapter is overwritten when I use ResourceServerConfigurerAdapter. @Configuration @EnableResourceServer public class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter { private TokenExtractor tokenExtractor = new BearerTokenExtractor();

Can i append some information in oauth/check_token endpoint and retrieve it at authorization server?

走远了吗. 提交于 2019-11-27 04:31:49
问题 Preface I am working on an OAuth application for security between two servers. I have an OAuth Server and a Resource Server . The Resource Server has a single .war deployed that contains 4 APIs . Single Responsibility The OAuth server has to validate a the access token that was passed by an API (1 of the 4) from that same .war . The OAuth server has to keep a hit count for a particular accessToken for a particular API . If the hit count exceeds the configured hits the OAuth server would throw

How to test spring-security-oauth2 resource server security?

放肆的年华 提交于 2019-11-27 04:11:36
问题 Following the release of Spring Security 4 and it's improved support for testing I've wanted to update my current Spring security oauth2 resource server tests. At present I have a helper class that sets up a OAuth2RestTemplate using ResourceOwnerPasswordResourceDetails with a test ClientId connecting to an actual AccessTokenUri to requests a valid token for my tests. This resttemplate is then used to make requests in my @WebIntegrationTest s. I'd like to drop the dependency on the actual

Spring oauth2 scope vs authorities(roles)

我们两清 提交于 2019-11-27 03:52:25
问题 I'm Using Spring Security OAuth2 and currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone please explain what the difference is? To be more specific, I'm using the JDBCTokenStore and the database schema has a oauth_client_details table. Also, In the oauth_client_details table, I'm not sure what the following fields are used for: web_server_redirect_url, access_token_validity,refresh_token_validity Some

Customise oath2 token request to accept extra data

旧街凉风 提交于 2019-11-27 03:35:40
问题 I am using jersey and spring-oauth2 with spring security. My app is working fine with end points "/oauth/token". I want to change the endpoints to accept more data. The requirement is, I want to send more details to the token API (i.e. the device details OS, phone/tablet/web etc.). So, I want to override the endpoint and if authentication is successful, I want to store that extra information in database. I could not find anything related to changing the API in such a way. Can someone help?
订阅 spring-security-oauth2