January 21, 2016 at 2:28 pm #6991
I have an existing Spring based RESTful web service application which is protected by OAuth 2.0 using Spring Security. Now, I am planning to migrate the users from the current database to OpenAM. Once that is done, I want to protect the same Spring based RESTful web service using OpenAM’s OAuth 2.0.
Current flow is:
1) Get an OAuth token from the application's OAuth endpoint
2) Use this token for calling the REST APIs exposed by the application
What I want is:
1) Get an OAuth token from OpenAM
2) Use this token for calling the REST APIs exposed by the application
I have gone through the OpenAM Oauth docs and I am not sure whether this is possible. Is this integration possible? If so, is there any documentation or sample link?
January 21, 2016 at 3:20 pm #6995
Absolutely. OpenAM is written to comply with the OAuth 2.0 specification. If you are using OAuth 2.0 now it will be just a matter of setting up the OAuth2 Provider in OpenAM, creating your OAuth 2.0/OpenID Connect Client profile, and then building the appropriate REST calls to OpenAM from within your existing application.
What grant flow are you currently using to obtain your access token?
The OpenAM documentation around OAuth (https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide/chap-rest-oauth2-oidc) should be used in conjunction with the OAuth 2.0 specification documentation (https://tools.ietf.org/html/rfc6749#section-1.3) to get the full picture.
January 21, 2016 at 3:45 pm #6997
We use Client Credentials (client_credentials) and Resource Owner Password Credentials Grant (password).
Right now, we use the Spring Security OAuth implementation to generate the access token. Then, we pass this token in the header for making REST API calls.
I don’t get how Spring will be able to validate the access token passed in the request header with the OpenAM server.
January 21, 2016 at 4:06 pm #7000
I forgot to mention. Our application is a Spring REST service which gets data from a DB which is outside OpenAM. So, we can say it is a service provider.
Different clients use this REST service for doing CRUD operations on the database and right now, it is protected using Spring OAuth, which generates and validates access tokens.
Now, we are planning to move the user details alone to OpenAM from the current DB so that clients can directly generate an access token using OpenAM. But, once they get the token, they will pass it in the request header to the Spring REST service for doing CRUD operations.
What I want to know is how can Spring validate the token? Should I write some custom module in Spring to do this or can I directly remove Spring Security and trust OpenAM for validating the token?
If OpenAM can validate the token, how will it handle the communication between the web services and OpenAM?
January 21, 2016 at 4:17 pm
OpenAM provides the following three OAuth 2.0 endpoints with the last one, tokeninfo, used for validating tokens:
Authorization endpoint defined in RFC 6749, used to obtain an authorization grant from the resource owner
Token endpoint defined in RFC 6749, used to obtain an access token from the authorization server
Endpoint not defined in RFC 6749, used to validate tokens, and to retrieve information such as scopes
Given an access token, a resource server can perform an HTTP GET on /oauth2/tokeninfo?access_token=token-id to retrieve a JSON object indicating token_type, expires_in, scope, and the access_token ID.
January 21, 2016 at 4:18 pm #7003
Posted the previous comment from the wrong account. :)
January 22, 2016 at 10:41 am #7016
So, the only option that I could think of is to write a custom module in my application which can get tokens from OpenAM and validate the token using /oauth2/tokeninfo for every request.
Am I right?
I thought we can directly protect the web services using OpenAM OAuth similar to how we protect web applications with login pages.
January 22, 2016 at 3:57 pm #7029
You are correct, you will either have to build your own module or find some other library that you could use that would handle this for you. ForgeRock doesn’t provide any sort of “agent” for OAuth based web services like they do for web applications.
March 19, 2019 at 10:26 pm #25109 sumanibm@forgerock
I am doing a POC with OpenAM and wanted to protect some sample REST API endpoints as below.
1. Spring Boot client application with features (Login, Logout, Authorization*) in which the user can successfully authenticate to OpenAM using the http://…/authenticate endpoint and receive an SSO token. I am stuck at the authorization part.
2. OpenAM as the authorization server, where we have enabled OAuth 2.0 with a client id & secret. Resource owner/user information is also present there. Do I need to add a Java agent to the resources (sample REST endpoints) or use some filter to accept the JWT token? Appreciate your help and guidance here.
3. Spring Boot application exposing sample REST endpoints, which will act as the resource server.
I am asked to use JWT + JWKS to access these sample REST endpoints, protected with different users. I am stuck on how to get the access token to access the protected REST endpoints.
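The custom validation module the January 2016 replies describe, and the "filter to accept the token" asked about in the March 2019 post, as an added example that is not code from any poster in this thread or from ForgeRock: a Spring servlet filter that checks each bearer token against OpenAM's /oauth2/tokeninfo endpoint. The OpenAM URL, the required scope name, and the assumption that tokeninfo returns scope as a JSON array are placeholders to adapt to your deployment.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Collection;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
import com.fasterxml.jackson.databind.ObjectMapper;

// Validates the Authorization: Bearer token of every request against OpenAM's
// /oauth2/tokeninfo endpoint, the approach described in the 2016 replies above.
public class OpenAmTokenInfoFilter extends OncePerRequestFilter {
    // Assumed values: replace with your OpenAM deployment URL and the scope your API requires.
    private static final String TOKENINFO_URL = "https://openam.example.com/openam/oauth2/tokeninfo";
    private static final String REQUIRED_SCOPE = "api_read";
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing bearer token");
            return;
        }
        String token = auth.substring("Bearer ".length()).trim();
        HttpURLConnection conn = (HttpURLConnection) new URL(
                TOKENINFO_URL + "?access_token=" + URLEncoder.encode(token, "UTF-8")).openConnection();
        conn.setRequestMethod("GET");
        // OpenAM answers with a 4xx status for an unknown, revoked or expired token.
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "token rejected by OpenAM");
            return;
        }
        // Fields named in the reply above: token_type, expires_in, scope, access_token.
        Map<?, ?> info = mapper.readValue(conn.getInputStream(), Map.class);
        Number expiresIn = (Number) info.get("expires_in");
        Object scope = info.get("scope"); // assumed to be a JSON array of scope strings
        boolean hasScope = scope instanceof Collection && ((Collection<?>) scope).contains(REQUIRED_SCOPE);
        if (expiresIn == null || expiresIn.longValue() <= 0 || !hasScope) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "token expired or missing scope " + REQUIRED_SCOPE);
            return;
        }
        // Expose the validated token info to controllers, then continue the filter chain.
        req.setAttribute("openam.tokeninfo", info);
        chain.doFilter(req, res);
    }
}
```

Register the filter with a `FilterRegistrationBean` for the paths that need protection; since the token travels in the query string of the tokeninfo call, keep that call on TLS and out of access logs, and consider caching the result for the remaining `expires_in` seconds rather than calling OpenAM on every request.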