This is my setup. I have a Kong community server running as a gateway and all sorts of different clients accessing resource services via routes in the backend.
To unify the authentication (which all the backend services need) I want to write a Kong plugin that extracts basic auth from the request header and validates it against a single authentication server. If the user is successfully authenticated, he shall receive a token for further requests.
I followed this tutorial: https://www.baeldung.com/spring-security-oauth-auth-server
So I created my own authorization server with Spring Authorization Server for authenticating the users and issuing OAuth2 access tokens containing the user data.
Unfortunately there is no way to display a login form (requests are all REST calls with the user's basic auth in the header).
What is the best approach to authenticate a user within the authorization server without redirecting the request to the resource services? I know that it probably should be done there. But as said, this setup allows no form login and I want to store sessions in the authorization server.
So this is my application.yml (indentation restored; the properties live under the spring root key, which Spring Boot requires for them to be picked up):
spring:
  security:
    oauth2:
      authorizationserver:
        client:
          myclientid:
            registration:
              client-id: clientid
              client-secret: "{noop}secret"
              client-name: clientid
              client-authentication-methods:
                - client_secret_basic
              authorization-grant-types:
                - authorization_code
                - client_credentials
                - refresh_token
              redirect-uris:
                - ####
              scopes:
                - articles.read
server:
  port: 9000
I can use the client's credentials and get my token using the client_credentials grant. But how can I pass my user's credentials without getting a login form?
I want to write a kong plugin that extracts basic auth from the request header and validate it against a single authentication server.
What you're wanting to do is not compatible with OAuth 2.0 Security Best Current Practice since you would need to use the password grant type to obtain an access token in your gateway, which is discouraged.
Instead, you should set up each client talking to your gateway to use the client_credentials grant, which would allow them to use their credentials directly with the authorization server to obtain an access token. You could of course proxy requests to the auth server behind your gateway if desired.
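The client_credentials exchange the answer recommends, modelled in-process as an added example (this is not code from the question, the answer, Kong or Spring Authorization Server). Both sides are shown: the request a client behind the gateway sends to the token endpoint using client_secret_basic, and a stand-in token endpoint that validates the client, the grant type and the requested scopes the way a registration like the one in the question would constrain them. The client registry, the opaque random token (a real Spring Authorization Server issues a JWT) and the 300-second lifetime are constructed assumptions; the password grant is rejected, matching the answer's point that the gateway should not be obtaining tokens on the user's behalf.

```python
"""Minimal model of an OAuth 2.0 client_credentials token request and
the server-side checks a token endpoint performs. Runs offline; the
endpoint is a stand-in for Spring Authorization Server's /oauth2/token."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry mirroring the application.yml in the question:
# client 'clientid' with secret 'secret' ({noop} means stored in plain text),
# its allowed grant types and the one scope it may request.
CLIENTS = {
    "clientid": {
        "secret": "secret",
        "grant_types": {"authorization_code", "client_credentials", "refresh_token"},
        "scopes": {"articles.read"},
    }
}


def client_basic_header(client_id, client_secret):
    """client_secret_basic: HTTP Basic with client id and secret."""
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def build_token_request(client_id, client_secret, scope):
    """What a client sends to POST /oauth2/token (headers + form body)."""
    return {
        "headers": {
            "Authorization": client_basic_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }


def token_endpoint(request, clients=CLIENTS):
    """Stand-in token endpoint. Returns (http_status, json_body)."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, client_secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except ValueError:  # bad base64, bad UTF-8 or no ':' separator
        return 401, {"error": "invalid_client"}
    client = clients.get(client_id)
    # Constant-time comparison so the secret check does not leak timing.
    if client is None or not hmac.compare_digest(
        client["secret"].encode(), client_secret.encode()
    ):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    grant = form.get("grant_type")
    if grant == "password":  # discouraged by the OAuth 2.0 Security BCP
        return 400, {"error": "unsupported_grant_type"}
    if grant not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}
    requested = set(form.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    # Opaque random token; assumed 300 s lifetime. A real server issues a JWT.
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": " ".join(sorted(requested)),
    }


if __name__ == "__main__":
    ok = token_endpoint(build_token_request("clientid", "secret", "articles.read"))
    bad = token_endpoint(build_token_request("clientid", "wrong", "articles.read"))
    print("valid client:", ok)
    print("wrong secret:", bad)
```

Each client (or the gateway, if it proxies the token endpoint as the answer allows) holds its own client id and secret and presents them with client_secret_basic; the user's own credentials never pass through the token endpoint, which is exactly what the rejected password grant would require.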