
Springboot OIDC Integration Guide

Table of Contents
1. Create and configure an OIDC ClientID and Secret in OIDC provider system
2. Add Maven Dependencies to enable OIDC (Using Okta OIDC client)
   OR Add Maven Dependencies to enable OIDC (Using Generic Spring Security Framework OIDC client)
3. Application.yml (or application.properties) config
   Using OKTA Client
   Using Generic Spring Security Framework OIDC client
4. Java Code Changes
5. Getting User Attributes from OIDC ID Token
6. Restrict access to a resource/endpoint based on Scope/Group or UserID
   - Endpoint level access control inside controller object
   - Global level access control in main class
References

Please follow below steps to secure a web application using OIDC.

1. Create and configure an OIDC ClientID and Secret in OIDC provider system
- Using OKTA CCI Instance - https://myid-okta-int.cisco.com/createapp
- Using PMT to create client in PingFederate -
https://wampmtui.cloudapps.cisco.com/loggedIn#/oauth/clients/0/10

Save the ClientID and ClientSecret; both are needed for the configuration below. Treat the client secret as a credential: keep it out of source control and inject it from the environment or a secrets store rather than hard-coding it in application.yml.

2. Add Maven Dependencies to enable OIDC (Using Okta OIDC client):


Edit the pom.xml file and add the dependencies for Spring Security and the Okta starter. Together they enable Spring Security's OAuth 2.0/OIDC support and Okta's auto-configuration for your application.

    <!-- security - begin -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
    <dependency>
        <groupId>com.okta.spring</groupId>
        <artifactId>okta-spring-boot-starter</artifactId>
        <version>0.6.1</version>
    </dependency>
    <!-- security - end -->

OR Add Maven Dependencies to enable OIDC (Using Generic Spring Security Framework OIDC client):

    <!-- security - begin -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity4</artifactId>
    </dependency>
    <!-- security - end -->

3. Application.yml(or application.properties) config :


Modify application.yml as follows, using the client_id and client_secret issued to your application by the CCI-OKTA or PMT-Ping dashboard. The redirect URI you configure here must exactly match the one registered for the client at the provider, otherwise the authorization request is rejected.

Using OKTA Client:


    okta:
      oauth2:
        issuer: https://dev-id.cisco.com/oauth2/default
        client-id: <clientId>
        client-secret: <clientSecret>
        # set to the callback path registered for your app at the provider
        redirect-uri: /authorization-code/callback
        scopes:
          - profile
          - email
          - openid

Using Generic Spring Security Framework OIDC client :

With Spring Security 5 the generic client is configured under spring.security.oauth2.client: the client credentials go in a registration (named okta here) and the provider endpoints go in a provider entry with the same name. The openid scope must be requested, otherwise no ID token is issued and the login is plain OAuth 2.0 rather than OIDC.

    spring:
      security:
        oauth2:
          client:
            registration:
              okta:
                client-id: <clientId>
                client-secret: <clientSecret>
                # must match the callback registered at the provider;
                # Spring's default is {baseUrl}/login/oauth2/code/okta
                redirect-uri: "{baseUrl}/authorization-code/callback"
                scope: openid,profile,email
            provider:
              okta:
                authorization-uri: https://{yourOktaDomain}/oauth2/default/v1/authorize
                token-uri: https://{yourOktaDomain}/oauth2/default/v1/token
                user-info-uri: https://{yourOktaDomain}/oauth2/default/v1/userinfo
                jwk-set-uri: https://{yourOktaDomain}/oauth2/default/v1/keys

Restart your app and navigate to http://AppUrl again. You'll see a link to click on to log in with Okta/Ping.

4. Java Code Changes : Java code changes are required to add fine-grained authorization policies and to retrieve user details from the OIDC token.

- Add a WebSecurityConfigurerAdapter to the application's main class as shown below. (This adapter matches the Spring Security 5.x releases this guide references; it is deprecated from Spring Security 5.7 and removed in 6.0, where the same rules are declared on a SecurityFilterChain bean instead.)

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @SpringBootApplication
    // prePostEnabled turns on @PreAuthorize/@PostAuthorize, securedEnabled turns on @Secured
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class CodeFlowExampleApplication {

        public static void main(String[] args) {
            SpringApplication.run(CodeFlowExampleApplication.class, args);
        }

        /**
         * The default Spring logout behavior redirects a user back to
         * {@code /login?logout}, so you will likely want to change that. The easiest
         * way to do this is by extending from {@link WebSecurityConfigurerAdapter}.
         */
        @Configuration
        static class WebConfig extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests()
                        // allow anonymous access to the root page
                        .antMatchers("/").permitAll()
                        // all other requests must be authenticated
                        .anyRequest().authenticated()
                        // set logout URL
                        .and().logout().logoutSuccessUrl("/")
                        // enable OAuth2/OIDC
                        .and().oauth2Client()
                        .and().oauth2Login();
            }
        }
    }

5. Getting User Attributes from OIDC ID Token : An app can retrieve user attributes from the OAuth2AuthenticationToken that Spring injects as a controller method argument, as shown in the code snippet below. getPrincipal() returns the OAuth2User (an OidcUser when the openid scope was granted) built from the signature-verified ID token and the userinfo response.

    import java.util.Collections;

    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.servlet.ModelAndView;

    @Controller
    public class ExampleController {

        @GetMapping("/profile")
        @PreAuthorize("hasAuthority('SCOPE_profile')")
        public ModelAndView userDetails(OAuth2AuthenticationToken authentication) {
            // attributes = ID token claims merged with the userinfo response
            return new ModelAndView("userProfile",
                    Collections.singletonMap("details", authentication.getPrincipal().getAttributes()));
        }
    }

Note : See the methods provided by the OAuth2AuthenticationToken class in the Spring Framework documentation at https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/authentication/OAuth2AuthenticationToken.html

6. Restrict access to a resource/endpoint based on Scope/Group or UserID :

- Endpoint level access control inside controller object: Spring provides the @PreAuthorize annotation, which can be used inside a controller to control access to a resource based on the authorities derived from the OIDC login, as shown in the example below. The scopes granted on the access token are exposed as authorities named SCOPE_<scope>, so hasAuthority('SCOPE_profile') only passes when profile was both requested in the client configuration and granted by the provider.

    @GetMapping("/profile")
    @PreAuthorize("hasAuthority('SCOPE_profile')")
    public ModelAndView userDetails(OAuth2AuthenticationToken authentication) {
        return new ModelAndView("userProfile",
                Collections.singletonMap("details", authentication.getPrincipal().getAttributes()));
    }

- Global level access control in main class: Spring Boot supports adding more complex authorization rules in the main Java class inside the WebSecurityConfigurerAdapter config (explained in step 4 above), as shown in the example below. Rules declared here are evaluated on every request before the controller runs, so they cannot be bypassed by a handler that forgets its annotation. For the /restricted rule to ever pass, the custom scope must be added to the scopes requested in step 3 and granted by the provider.

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http.antMatcher("/**")
                    .authorizeRequests()
                    .antMatchers("/").permitAll()
                    // only users whose access token carries the "custom" scope
                    .antMatchers("/restricted").hasAuthority("SCOPE_custom")
                    .anyRequest().authenticated()
                    .and().oauth2Login();
        }
    }
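The two snippets above only check scopes. As an added example that is not code from the original guide, the following shows the group- and user-ID-based checks the step heading mentions, and reads claims from the ID token (step 5) rather than from the merged attribute map. It maps a groups claim from the ID token to GROUP_* authorities through a GrantedAuthoritiesMapper bean, which Spring Security's OAuth2 login applies after the user is loaded, and then uses those authorities next to SCOPE_* checks. It assumes the provider emits a groups claim in the ID token (on Okta this claim has to be configured on the authorization server); the class names, the group name app-admins and the URL paths are illustrative.

```java
package com.example.oidc;

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapper.GrantedAuthoritiesMapper;
import org.springframework.security.core.parameters.P;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.servlet.ModelAndView;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class GroupAuthoritiesConfig extends WebSecurityConfigurerAdapter {

    // Assumed claim name; the provider must be configured to put it in the ID token.
    private static final String GROUPS_CLAIM = "groups";

    /**
     * OAuth2 login looks up a GrantedAuthoritiesMapper bean and runs it once per login.
     * The SCOPE_* authorities are kept; every entry of the ID token's "groups" claim
     * becomes GROUP_<name>. Groups are read from the signed ID token only, never from
     * anything the browser can influence.
     */
    @Bean
    public GrantedAuthoritiesMapper groupAuthoritiesMapper() {
        return (Collection<? extends GrantedAuthority> authorities) -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    List<String> groups = ((OidcUserAuthority) authority)
                            .getIdToken().getClaimAsStringList(GROUPS_CLAIM);
                    if (groups != null) {
                        groups.forEach(g -> mapped.add(new SimpleGrantedAuthority("GROUP_" + g)));
                    }
                }
            }
            return mapped;
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                // group-based rule, enforced before any controller code runs
                .antMatchers("/admin/**").hasAuthority("GROUP_app-admins")
                .anyRequest().authenticated()
                .and().oauth2Login();
    }
}

@Controller
class AccountController {

    /**
     * A user may view their own record; members of app-admins may view anyone's.
     * authentication.name is the ID token's "sub" claim for OIDC logins (unless
     * user-name-attribute is set on the registration), so the path variable is
     * compared against the subject, not against a display name or e-mail.
     * @P gives the SpEL expression the parameter name without relying on -parameters.
     */
    @GetMapping("/accounts/{userId}")
    @PreAuthorize("hasAuthority('GROUP_app-admins') or #userId == authentication.name")
    public ModelAndView account(@P("userId") @PathVariable String userId,
                                @AuthenticationPrincipal OidcUser user) {
        // Claims straight from the verified ID token (step 5), not the merged attribute map.
        Map<String, Object> claims = user.getIdToken().getClaims();
        return new ModelAndView("account", Map.of("userId", userId, "claims", claims));
    }
}
```

The mapper runs for every login, so a stale group membership is only picked up on the next login; if that matters, shorten the session or re-check the groups claim against the provider. The @AuthenticationPrincipal argument is null when the login was not OIDC (no openid scope), so the openid scope in step 3 is a precondition for this controller.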

Note : Find more details about expression-based access control in the Spring Framework documentation at https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/html/el-access.html

References
- https://developer.okta.com/blog/2019/06/20/spring-preauthorize
- https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/html/el-access.html
- https://developer.okta.com/blog/2017/12/18/spring-security-5-oidc
- https://docs.spring.io/spring-security/site/docs/5.2.12.RELEASE/reference/html/oauth2.html
