Openid Resource Server: Authenticate with Authorization Header #77
Comments
It's not clear to me what you're trying to do

I want to be able to validate OAuth2 JWT tokens in a stateless manner using the JWK_Set Url for public key validation. Similar to what Spring Security 5 does for OAuth2 resource server. What I have done now is use a filter to validate all JWT Bearer tokens in the Authorization header. At the moment Micronaut Security OAuth2/OIDC support is stateful using a cookie mechanism.

@juliuskrah That is already being done. The token returned by OpenID providers is validated against their key set URL. The only thing that is stateful is the storage of state/nonce so that it can be validated after the redirect.

I’m aware of this. In a Microservice architecture only one service, usually the UI, will handle the Login (Authorization Code Flow); other services will deal with just the Bearer Tokens. Micronaut puts these tokens in the cookie which I cannot validate in the Authorization flow. In my case one Micronaut service works with Auth Code flow with tokens created by Micronaut stored cookies. This service communicates with another Micronaut app by sending the original JWT from the Identity Provider in the header. I hope this clarifies stuff

That is only the case if you have configured it to do so. That is not the default. You can enable the keys controller in the authorization service and have the other services use that
https://micronaut-projects.github.io/micronaut-security/1.2.x/guide/#keys
https://micronaut-projects.github.io/micronaut-security/1.2.x/guide/#jwks

I will look at this and revert

@jameskleeh this works. I used

```yaml
micronaut:
  security:
    enabled: true
    token:
      jwt:
        enabled: true
        signatures:
          jwks:
            keycloak:
              url: 'https://<domain>:<port>/auth/realms/<realm>/protocol/openid-connect/certs'
```

I wasn't interested in the keys endpoint.

Question: Any suggestion on how to customize the `getName()` to use `preferred_username` instead of Subject?

Question: Also any suggestion on how to extract the roles or scopes to participate in the `@Secured({"ROLE_ADMIN", "ROLE_X"})` flow

Please ask questions in Gitter
…On Mon, Sep 23, 2019 at 5:21 PM Julius Krah ***@***.***> wrote:
> @jameskleeh this works. I used
>
> ```yaml
> micronaut:
>   security:
>     enabled: true
>     token:
>       jwt:
>         enabled: true
>         signatures:
>           jwks:
>             keycloak:
>               url: 'https://<domain>:<port>/auth/realms/<realm>/protocol/openid-connect/certs'
> ```
>
> I wasn't interested in the keys endpoint.
>
> Question: Any suggestion on how to customize the `getName()` to use
> `preferred_username` instead of Subject?
>
> Question: Also any suggestion on how to extract the roles or scopes to
> participate in the `@Secured({"ROLE_ADMIN", "ROLE_X"})` flow

Copy that

Feature Request
When I use an access token directly in the Authorization Header with Scheme `Bearer`, I get a 401 response. Is there a mechanism I can configure for Resource Server?
Micronaut Security: 1.2.0
OS: Windows: 10
JDK: 11
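
What the `jwks` configuration in this thread asks a resource server to do on every request, as an added example that is not part of the original issue and is not Micronaut's own code. It calls the Nimbus JOSE+JWT library directly; the locally generated key stands in for the JWK set served at the certs URL, and the `realm_access.roles` claim layout, class name and all sample values are assumptions constructed for the demo.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.util.*;

public class BearerJwksCheck {   // hypothetical class name
    /** Verifies an Authorization header value against a JWK set; throws on bad signature, unknown key or expiry. */
    static JWTClaimsSet verify(String authorization, JWKSet jwks) throws Exception {
        if (authorization == null || !authorization.startsWith("Bearer "))
            throw new IllegalArgumentException("missing Bearer token");
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Accept RS256 only, so the token's own header cannot choose a weaker algorithm.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(
                JWSAlgorithm.RS256, new ImmutableJWKSet<SecurityContext>(jwks)));
        return processor.process(authorization.substring(7).trim(), null);
    }

    /** Builds a constructed token signed with the given key, so the demo needs no identity provider. */
    static String issue(RSAKey key, Date exp) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("constructed-subject").expirationTime(exp)
                .claim("preferred_username", "alice")
                .claim("realm_access", Map.of("roles", List.of("ROLE_ADMIN"))).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(key.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return "Bearer " + jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        RSAKey idp = new RSAKeyGenerator(2048).keyID("idp-1").generate();     // stands in for the provider's key
        RSAKey other = new RSAKeyGenerator(2048).keyID("idp-1").generate();   // unrelated key reusing the same kid
        JWKSet published = new JWKSet(idp.toPublicJWK());                     // public half only, as a certs URL serves
        Date inAnHour = new Date(System.currentTimeMillis() + 3_600_000L);
        JWTClaimsSet ok = verify(issue(idp, inAnHour), published);
        Map<String, Object> realm = ok.getJSONObjectClaim("realm_access");    // claim layout is an assumption
        System.out.println(ok.getStringClaim("preferred_username") + " " + realm.get("roles"));
        for (String bad : List.of(issue(other, inAnHour), issue(idp, new Date(0)))) {   // wrong key, then expired
            try { verify(bad, published); System.out.println("accepted (unexpected)"); }
            catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The check needs only the token and the published public keys, which is why it can run in every downstream service without a session or cookie.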