OAuth Abstraction For Web Application With Multiple API's
We have a web application (login page, etc) that calls a backend server (JWT) for all services. The backend server also exposes multiple API's (REST, SOAP) that utilize HTTP Basic Authentication. I am looking to migrating to OpenIDConnect and OAuth2 with the Spring Security toolset. I am trying to understand the correct configuration and the best way to integrate with identity providers like AzureAD.
The web application sounds like a OAuth Web application and a OAuth2 client. The backend server sounds like an OAuth resource servers for multiple API's.
What is the best way to model in AzureAD?
- Does each api have separate client id's?
- Better to have common authorities pool or specific to each api?
Looking for any insight and recommendations. Thanks
Note that: By having separate client IDs for every it will be easy to monitor and manage permissions for each API separately.
Implementing common authorities pool will make application's configuration easier but difficult to monitor and manage permissions for each API if there are more APIs.
Hence, you can try creating separate Azure AD Application for every API (REST, SOAP). It is useful for auditing and security purposes.
Based on your requirement, you can make use Authentication Flows to authentication the Application.
Create an Azure AD Application and add API permissions:
Generate an access token to call the API:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
When I decoded the token, the assigned permissions are displayed like below:
By using the above access token, you can call the API:
GET https://graph.microsoft.com/v1.0/users
- Encrypting InMemoryAuthentication passwords with Bcrypt
- What are Spring Security default credentials for Spring Boot?
- How to install spring-boot-starter-security dependency
- How to authenticate resource owner with JWT when sending request to /oauth2/authorize?
- How to add Header - Authorization for swagger 3, spring boot
- How to manage exceptions thrown in filters in Spring?
- why does spring security refuse to use my config file
- An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
- After Spring Boot 3 update: Manually authenticating user not working
- Multiple user details services for different endpoints
- Spring Security - Authrozation on rest apis
- Exclude specific resource page(s) from Cross-Origin-Resource-Policy same-origin header in Spring WebSecurityConfigurerAdapter
- my Spring CustomSecurityExpressionRoot not working
- @EnableGlobalMethodSecurity is deprecated in the new spring boot 3.0
- Spring Security blocks POST requests despite SecurityConfig
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- How to extend the RequestMatcher in default RequestCache in Spring Security?
- How do I ensure a filter is executed after security filters in the SecurityFilterChain?
- how does spring security order multiple SecurityFilterChain?
- Spring 6 upgrade @PreAuthorize not working with ArgumentResolver
- Why is WebDataBinder used when Jackson is/should be used for deserialization (which breaks correct order of validation/authorization)?
- CORS in Spring Security (Spring Boot 3)
- Spring Security Authentication returns empty authorities
- Should i use ofNullable after checking if the value is null?
- Spring Boot throwing 401 Unauthorized on POST request
- Spring Boot security, always opens login page
- Spring boot 3 Upgrade - java.lang.NoSuchMethodError
- How to save header's value into Spring Security context considering concurrency safety
- Property 'security.basic.enabled' is Deprecated: The security auto-configuration is no longer customizable