These are chat archives for spring-cloud/spring-cloud

12th May 2015
Ryan Baxter
@ryanjbaxter
May 12 2015 01:28
@spencergibb that did the trick, thanks!
Spencer Gibb
@spencergibb
May 12 2015 02:34
Look forward to the pull request
Leon Radley
@leon
May 12 2015 08:43
Where should @SessionAttributes("authorizationRequest") be used? I’m a bit unsure what it does, and if it should be placed on all api endpoints?!
Dave Syer
@dsyer
May 12 2015 09:27
Only the one where you customize the /confirm_access endpoint
Leon Radley
@leon
May 12 2015 09:29

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@SessionAttributes("authorizationRequest")
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/error").setViewName("error");
        registry.addViewController("/signin").setViewName("authentication/signin");
        // custom view for the /oauth/confirm_access (user approval) page
        registry.addViewController("/oauth/confirm_access").setViewName("authentication/authorize");
    }

}
```

is on the WebMvcConfigurerAdapter, right?
Dave Syer
@dsyer
May 12 2015 09:51
Not usually.
You put it on the @Controller
But you appear to have a ViewController for that endpoint, so you don't have that option.
If I were you I'd add an explicit @Controller even if it's trivial
Leon Radley
@leon
May 12 2015 11:04

What I’ve been looking at are the spring-cloud-samples, but they are not as straightforward as I would like them. It would be great if we had a separate repo for a stand-alone resource server, and also how you would combine an SSO and resource server optimally.

Here you have combined too many things into one. It’s hard to tell which annotations belong to what
https://github.com/spring-cloud-samples/authserver/blob/master/src/main/java/demo/AuthserverApplication.java

I’ll go ahead and create an explicit controller for the /oauth/confirm_access
Dave Syer
@dsyer
May 12 2015 11:29
Better samples for resource server/sso probably in the tutorial
The AuthServerApplication isn't many things combined though, is it?
It's just a vanilla auth server
Leon Radley
@leon
May 12 2015 11:33
No it’s not bad, but sometimes in other spring cloud related samples, I think it’s hard to know what annotations are coupled to what configurations
Dave Syer
@dsyer
May 12 2015 11:34
We definitely want to re-organize the samples to make them more approachable
Can you be more specific?
Raise issues in github?
Leon Radley
@leon
May 12 2015 11:37
I would like to see more use cases and from that start understanding how they work together. Creating an SSO app with a public oauth api is one of the apps I couldn’t find a sample for.
another is combining spring social and the authentication server
I’ve done this, so I could create a sample for you
Leon Radley
@leon
May 12 2015 11:43
another goodie that I’ve implemented is adding custom attributes to the JWT token so that I can get the logged-in user’s customerId
and then extracting it in one of the resource servers
I could finally solve the custom single sign-in the other day; though it may not be elegant, it works. By setting the remember-me cookie domain to “.mydomain.com” it’s available to all my apps, and by creating a filter that checks for that cookie I’m able to redirect to the sso login url and everything is seamless :)

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.cloud.security.oauth2.sso.OAuth2SsoProperties;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

@Component
public class AccountsAuthenticatedFilter extends OncePerRequestFilter {

    private final OAuth2SsoProperties ssoProperties;
    // Paths that must never trigger the SSO redirect (login, logout, ignored resources)
    private final List<RequestMatcher> ignoreMatchers = new ArrayList<>(4);

    @Inject
    public AccountsAuthenticatedFilter(OAuth2SsoProperties ssoProperties, SecurityProperties securityProperties) {
        this.ssoProperties = ssoProperties;
        this.ignoreMatchers.add(new AntPathRequestMatcher(ssoProperties.getLoginPath()));
        this.ignoreMatchers.add(new AntPathRequestMatcher(ssoProperties.getLogoutPath()));
        this.ignoreMatchers.addAll(securityProperties.getIgnored().stream()
                .map(AntPathRequestMatcher::new)
                .collect(Collectors.toList()));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        // Do not try to authenticate against any of the ignored matchers
        for (RequestMatcher m : ignoreMatchers) {
            if (m.matches(request)) {
                filterChain.doFilter(request, response);
                return;
            }
        }

        // If already authenticated continue on our quest
        Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
        if (currentUser != null && !(currentUser instanceof AnonymousAuthenticationToken)) {
            filterChain.doFilter(request, response);
            return;
        }

        // If there is a remember-me cookie (shared across apps via the cookie domain)
        // the user is logged in elsewhere, so send them through the SSO login path
        Cookie cookie = WebUtils.getCookie(request, "remember-me");
        if (cookie != null) {
            try {
                response.sendRedirect(ssoProperties.getLoginPath());
            } catch (IOException ignore) {
                // client went away; nothing sensible to do here
            }
            return;
        }

        // Otherwise continue
        filterChain.doFilter(request, response);
    }

}
```

Leon Radley
@leon
May 12 2015 11:48
I think the samples should reflect common use cases, and also contain a bit more complex stuff, since that’s often where you get stuck.
@dsyer If I create a couple of use case samples that I’ve encountered, would you include them in spring-cloud-samples?
Or should I maybe do them as spring cloud guides, that way we could share them the same way other spring projects do?
Dave Syer
@dsyer
May 12 2015 12:52
Those are mostly not really Spring Cloud use cases per se. They sound like OAuth2 use cases.
You only use Spring Cloud for the special purpose @Enable* annotations.
Guides are a really good idea though
If you have an idea for a new guide we are all ears
there are some guidelines for producing new gs guides in github somewhere
I think a lot of your ideas sound promising for that
Samples, per se, seem like they should do one thing and do it obviously (which is a problem with some of the SC samples I admit, that's why we want to change them).
Leon Radley
@leon
May 12 2015 12:56

As you say, many of the problems are spring boot, spring security, oauth2 and spring cloud together. But I think a good guide for getting, say, the auth server and spring social working together would really help the people just getting to know those pieces.

As soon as I have some time to spare I’ll have a look at writing a guide :)

Leon Radley
@leon
May 12 2015 13:34
What’s the difference between @EnableResourceServer and @EnableOAuth2Resource?
Dave Syer
@dsyer
May 12 2015 13:36
The latter is Spring Cloud/Boot - it does more by convention.
Leon Radley
@leon
May 12 2015 13:37
Which one is the right one for an already configured @EnableAuthorizationServer?
I’m trying to configure the @AuthorizationServer to also have a couple of endpoints, but I’m not getting the logged-in user
One thing that’s been a bit of a mystery to me is the config for the AuthorizationServer
```yaml
spring.oauth2.resource:
  id: openid
  serviceId: ${PREFIX:}resource
```
Isn’t that for when you use @EnableOAuth2Resource, and in that case it would auto configure the ResourceServerConfigurerAdapter
Leon Radley
@leon
May 12 2015 13:43
Since I’m using JWT I’m not using the user details endpoint, so is this needed in my config, or is that only used when the client calls back to the authorization server to get its details?
sorry about the 1001 questions :)
Collin Peters
@collinpeters
May 12 2015 14:16
This is good stuff. +1 for a sample with SSO and a public API. I am working on this structure myself at the moment.
My approach is currently to have a simple gateway in front and to route /api and /oauth directly to the resource and auth servers. Then have a UI 'middleware' server like in the tutorials for my first party app.
The gateway will route all /client traffic to the middleware server.
And the front-end SPA will call /client/api and /client/oauth. So the UI server is also a reverse proxy.
Got it mostly all working yesterday, my only remaining problem is that with this double proxy approach the redirect URL is messed up on login. Just looking at that now.
Dave Syer
@dsyer
May 12 2015 14:25
There is a sample with SSO and an API in the tutorial
Do we need a short guide that duplicates some of that?
Collin Peters
@collinpeters
May 12 2015 14:38
You are right. Perhaps let me clarify my use case and you can shed some light on how you might have gone about it.
My use case is to have a public API that 3rd parties can use 'normally', meaning regular authcode & implicit grant types, directly using the auth server and resource server. In the tutorial sample it seems to be exclusively for 1st party through the sample UI.
To work around this I am adding a gateway in front, similar to your final example. Except that this gateway is just a reverse proxy, it has no UI and no session like in your final example
Dave Syer
@dsyer
May 12 2015 14:40
I'm not really sure I follow, since the auth server is pretty vanilla in the tutorial
Why is it not usable "normally" from a 3rd party?
Collin Peters
@collinpeters
May 12 2015 14:41
Right, but how would you run it in production? e.g. in my use case all traffic (UI, API, auth server) has to go through one URL
so foo.bar/ui foo.bar/api and foo.bar/auth
how I'm trying to solve it is by placing a Zuul reverse proxy in front
But that introduces some oddities with how you have to configure the internal oauth configuration in the UI (e.g. @EnableOAuth2Sso)
Right now I have this
```yaml
accessTokenUri: http://localhost:9999/uaa/oauth/token
userAuthorizationUri: http://localhost:8080/ui/auth/oauth/authorize
```
So the redirect portion has to use the gateway port/url, but the internal part is direct to the auth server
Dave Syer
@dsyer
May 12 2015 14:52
I'm not 100% sure I follow that
Proxies are the usual way to get everything on the same host though
Not that you'd have to use Zuul for such a simple use case
Collin Peters
@collinpeters
May 12 2015 15:00
One problem I have is that when I put the proxy in front of the ui server, the ui server will do a 302 to /login, which will then 302 to the /oauth/authorize endpoint. However, the first 302 will have a Location header that uses the internal address of the UI server (port 8081 in my case). Any idea on how to solve that?
Dave Syer
@dsyer
May 12 2015 15:05
Probably it's a missing feature in the server
When it sends a redirect it should check the X-Forwarded-* headers and rewrite the location appropriately
(Spring does that in general, but the OAuth redirect might be generated in a different way)
Collin Peters
@collinpeters
May 12 2015 15:07
I see there is code that looks at the 'Referred-By' header
Dave Syer
@dsyer
May 12 2015 15:17
There is?
Collin Peters
@collinpeters
May 12 2015 15:32
Yeah, let me find it. I don't think it is spring cloud or security specific though
AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl has
```java
// excerpt from Spring Security's AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl
if (useReferer && !StringUtils.hasLength(targetUrl)) {
    targetUrl = request.getHeader("Referer");
    logger.debug("Using Referer header: " + targetUrl);
}
```
Dave Syer
@dsyer
May 12 2015 16:37
That's the client app redirecting in Spring Security?
Collin Peters
@collinpeters
May 12 2015 17:08
Sorry for the slow replies. Notifications in Gitter aren't great. Can I send you a DM with a drawing of the topology?