Secure a REST web service Spring application using OpenAM OAuth2

This topic contains 8 replies, has 4 voices, and was last updated by  sumanibm@forgerock 6 months, 1 week ago.

  • #6991
     nkarthik82 
    Participant

    I have an existing Spring-based RESTful web service application which is protected by OAuth 2.0 using Spring Security. Now, I am planning to migrate the users from the current database to OpenAM. Once that is done, I want to protect the same Spring-based RESTful web service using OpenAM’s OAuth 2.0.
    Current flow is:
    1) Get an OAuth token from the application's OAuth endpoint
    2) Use this token for calling the REST APIs exposed by the application

    What I want is:
    1) Get an OAuth token from OpenAM
    2) Use this token for calling the REST APIs exposed by the application

    I have gone through the OpenAM Oauth docs and I am not sure whether this is possible. Is this integration possible? If so, is there any documentation or sample link?

    • This topic was modified 3 years, 8 months ago by  nkarthik82.
    #6995
     Scott Heger 
    Participant

    Absolutely. OpenAM is written to comply with the OAuth 2.0 specification. If you are using OAuth 2.0 now it will be just a matter of setting up the OAuth2 Provider in OpenAM, creating your OAuth 2.0/OpenID Connect Client profile, and then building the appropriate REST calls to OpenAM from within your existing application.

    What grant flow are you currently using to obtain your access token?

    The OpenAM documentation around OAuth (https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide/chap-rest-oauth2-oidc) should be used in conjunction with the OAuth 2.0 specification documentation (https://tools.ietf.org/html/rfc6749#section-1.3) to get the full picture.

    #6997
     nkarthik82 
    Participant

    We use Client Credentials (client_credentials) and Resource Owner Password Credentials Grant (password).

    Right now, we use the Spring Security OAuth implementation to generate the access token. Then, we pass this token in the header for making REST API calls.
    I don’t get how Spring will be able to validate the access token passed in the request header with the OpenAM server.

    #7000
     nkarthik82 
    Participant

    I forgot to mention. Our application is a Spring REST service which gets data from a DB which is outside OpenAM. So, we can say it is a service provider.
    Different clients use this REST service for doing CRUD operations on the database and right now, it is protected using Spring OAuth, which generates and validates access tokens.
    Now, we are planning to move the user details alone to OpenAM from the current DB so that clients can directly generate an access token using OpenAM. But, once they get the token, they will pass it in the request header to the Spring REST service for doing CRUD operations.
    What I want to know is how can Spring validate the token? Should I write some custom module in Spring to do this or can I directly remove Spring Security and trust OpenAM for validating the token?
    If OpenAM can validate the token, how will it handle the communication between the web services and OpenAM?

    #7002

    OpenAM provides the following three OAuth 2.0 endpoints with the last one, tokeninfo, used for validating tokens:

    /oauth2/authorize
    Authorization endpoint defined in RFC 6749, used to obtain an authorization grant from the resource owner

    Example: https://openam.example.com:8443/openam/oauth2/authorize

    /oauth2/access_token
    Token endpoint defined in RFC 6749, used to obtain an access token from the authorization server

    Example: https://openam.example.com:8443/openam/oauth2/access_token

    /oauth2/tokeninfo
    Endpoint not defined in RFC 6749, used to validate tokens, and to retrieve information such as scopes

    Given an access token, a resource server can perform an HTTP GET on /oauth2/tokeninfo?access_token=token-id to retrieve a JSON object indicating token_type, expires_in, scope, and the access_token ID.

    Example: https://openam.example.com:8443/openam/oauth2/tokeninfo

    #7003
     Scott Heger 
    Participant

    Posted the previous comment from the wrong account. :)

    #7016
     nkarthik82 
    Participant

    So, the only option that I could think of is to write a custom module in my application which can get tokens from OpenAM and validate the token using /oauth2/tokeninfo for every request.
    Am I right?
    I thought we can directly protect the web services using OpenAM OAuth similar to how we protect web applications with login pages.

    #7029
     Scott Heger 
    Participant

    You are correct, you will either have to build your own module or find some other library that you could use that would handle this for you. ForgeRock doesn’t provide any sort of “agent” for OAuth based web services like they do for web applications.
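
A resource-server filter of the kind #7002 and #7029 describe, as an added example (not code from this thread, from ForgeRock, or from any Spring library): it validates each bearer token against OpenAM's /oauth2/tokeninfo endpoint and fails closed on anything but an HTTP 200 with a positive expires_in and the required scope. The OpenAM base URL, the required scope name, and the assumption that tokeninfo returns scope as a JSON array are mine; Jackson and spring-web are assumed on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

public class OpenAmTokenInfoFilter extends OncePerRequestFilter {
    // Assumed values for this example; take them from configuration in a real deployment.
    private static final String OPENAM_BASE = "https://openam.example.com:8443/openam";
    private static final String REQUIRED_SCOPE = "read";
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing bearer token"); return;
        }
        JsonNode info = tokenInfo(auth.substring("Bearer ".length()).trim());
        // Fail closed: a non-200 answer from OpenAM or an expired token rejects the call.
        if (info == null || info.path("expires_in").asLong(0) <= 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token"); return;
        }
        // tokeninfo reports the granted scopes as a JSON array (assumption); require ours.
        boolean scoped = false;
        for (JsonNode s : info.path("scope")) scoped |= REQUIRED_SCOPE.equals(s.asText());
        if (!scoped) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "token lacks scope " + REQUIRED_SCOPE); return;
        }
        request.setAttribute("openam.tokeninfo", info); // controllers can read scope, realm, etc.
        chain.doFilter(request, response);
    }

    /** GET /oauth2/tokeninfo?access_token=...; returns the JSON body on HTTP 200, otherwise null. */
    private JsonNode tokenInfo(String token) throws IOException {
        URL url = new URL(OPENAM_BASE + "/oauth2/tokeninfo?access_token="
                + URLEncoder.encode(token, "UTF-8"));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return null;
        return mapper.readTree(conn.getInputStream()); // Jackson closes the stream
    }
}
```

Because tokeninfo takes the token as a query parameter, make sure OpenAM's access logs and any proxy between the two services do not record request URLs, and cache positive results for no longer than the returned expires_in if one round trip per request is too costly.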

    #25109
     sumanibm@forgerock 
    Participant

    Hi Scott,

    I am doing a POC with OpenAM and wanted to protect some sample REST API endpoints as below.

    1. Spring Boot client application with features (Login, Logout, Authorization*) in which the user can successfully authenticate to OpenAM using the http://…/authenticate endpoint and receive an SSO token. I am stuck at the authorization part.

    2. OpenAM as the authorization server, where we have enabled OAuth 2.0 with a client ID & secret. Also, the resource owner/user information is present there. Do I need to add a Java agent to the resources (sample REST endpoints) or do I have to use some filter to accept a JWT token? Appreciate your help and guidance here.

    3. Spring Boot application exposing sample REST endpoints, which will act as the resource server.

    I am asked to use JWT + JWKS to access these sample REST endpoints, protected with different users. I am stuck on how to get the access token to access the protected REST endpoints.

    Regards,
    Suman

    • This reply was modified 6 months, 1 week ago by  sumanibm@forgerock. Reason: content was blank

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
