
Change OAuth for microservices to use jwk.key-set-uri instead of jwt.key-uri #7116

Closed
mraible opened this Issue Feb 13, 2018 · 3 comments

@mraible
Contributor

mraible commented Feb 13, 2018

Overview of the issue

Currently, the OAuth implementation for microservices uses jwt.key-uri:

security:
    oauth2:
        client:
            access-token-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token
            user-authorization-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/auth
            <%_ if (applicationType === 'gateway' || applicationType === 'monolith') { _%>
            client-id: web_app
            client-secret: web_app
            client-authentication-scheme: form
            scope: openid profile email
            <%_ } _%>
            <%_ if (applicationType === 'microservice') { _%>
            client-id: internal
            client-secret: internal
            authentication-scheme: header
            client-authentication-scheme: header
            <%_ } _%>
        resource:
            filter-order: 3
            user-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/userinfo
            token-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token/introspect
            <%_ if (applicationType === 'gateway' || applicationType === 'microservice') {  _%>
            jwt:
                key-uri: http://localhost:9080/auth/realms/jhipster
            <%_ } _%>

And then it fetches the public key in MicroservicesSecurityConfiguration.java:

// Imports and the enclosing class are added here so the snippet compiles on its own;
// the ResourceServerProperties field is injected by Spring Boot from the YAML above.
import java.util.Map;
import java.util.Optional;

import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.client.RestTemplate;

public class MicroservicesSecurityConfiguration {

    private final ResourceServerProperties resourceServerProperties;

    public MicroservicesSecurityConfiguration(ResourceServerProperties resourceServerProperties) {
        this.resourceServerProperties = resourceServerProperties;
    }

    // Both beans exist only when security.oauth2.resource.jwt.key-uri is set (see the YAML above).
    @Bean
    @ConditionalOnProperty("security.oauth2.resource.jwt.key-uri")
    public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) {
        return new JwtTokenStore(jwtAccessTokenConverter);
    }

    @Bean
    @ConditionalOnProperty("security.oauth2.resource.jwt.key-uri")
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // The verifier key is fetched once, when this bean is created, so a key rotated on the
        // authorization server is not picked up until the service restarts.
        converter.setVerifierKey(getKeyFromAuthorizationServer());
        return converter;
    }

    // GET the realm endpoint named by jwt.key-uri, read its "public_key" field and wrap it in
    // PEM markers; fall back to jwt.key-value when the field is absent.
    private String getKeyFromAuthorizationServer() {
        return Optional.ofNullable(
            new RestTemplate()
                .exchange(
                    resourceServerProperties.getJwt().getKeyUri(),
                    HttpMethod.GET,
                    new HttpEntity<Void>(new HttpHeaders()),
                    Map.class
                )
                .getBody()
                .get("public_key"))
            .map(publicKey -> String.format("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", publicKey))
            .orElse(resourceServerProperties.getJwt().getKeyValue());
    }
}

Motivation for or Use Case

This works, but it'd be much easier to use jwt.key-set-uri which would allow for key rotation and works for both Keycloak and Okta.

Related issues

Suggest a Fix

Change src/main/resources/config/application.yml to use the following for microservices:

security:
    basic:
        enabled: false
    oauth2:
        client:
            access-token-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token
            user-authorization-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/auth
            client-id: internal
            client-secret: internal
            authentication-scheme: header
            client-authentication-scheme: header
        resource:
            filter-order: 3
            user-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/userinfo
            token-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token/introspect
            prefer-token-info: false
            jwk:
                key-set-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/certs

JHipster Version(s)

4.14.0


mraible commented Feb 13, 2018

@danielpetisme Since you coded this originally, did you find any particular reason for using jwt.key-uri instead of jwt.key-set-uri?

@mraible mraible changed the title from Change OAuth for microservices to use jwt.key-set-uri instead of jwt.key-uri to Change OAuth for microservices to use jwk.key-set-uri instead of jwt.key-uri Feb 13, 2018

mraible added a commit to mraible/jhipster.github.io that referenced this issue Feb 14, 2018

pascalgrimaud added a commit to pascalgrimaud/jhipster-registry that referenced this issue Feb 24, 2018

@mraible mraible referenced this issue Mar 13, 2018

Closed

OAuth2 configuration refinements #7281


maiphuong commented Mar 21, 2018

Hi @mraible,
I tried to use Okta for your production and I configured and connected to Okta and it works well. And I use the account that signed up on Okta and log in, then it only has ROLE_USER. How can I have ROLE_ADMIN in my account?

I tried to create new groups ROLE_ADMIN and ROLE_USER and add the user to them, but when logging in it still doesn't have the role ROLE_ADMIN.

Please review the screenshot.
https://ibb.co/isb37x


mraible commented Mar 22, 2018

Hello @maiphuong - I answered how to do this on the comment you left on my blog post:

https://developer.okta.com/blog/2017/10/20/oidc-with-jhipster#comment-3816810118

Please don't cross-post as it creates more work for us.

@jdubois jdubois added this to the 5.0.0-beta.0 milestone Apr 3, 2018
