Jon Hines
@jonhines
and it seems to work really well. I just wasn't sure what the "correct" way to do it was
Abdlrhman Ibrahim
@woodyinho
Hi
I'm an undergraduate and I've started learning Spring Boot recently, and I need good tutorials to read about UserDetailsService. Thanks in advance.
Abhishek Sharma
@abhishekhbd
What is the best way to disable Spring Security if I cannot remove the dependency? Should I extend WebSecurityConfigurerAdapter or exclude the security configuration?
João Pedro Leite S Lisboa
@IronJhon
What is the difference between ClientDetailsServiceConfigurer and HttpSecurity?
Brian Quach
@Brian-Quach
Not sure if this is the right place to ask this, but I'm trying to change an authenticated user's user group mid-session, is there a way to change a user's authorities on the fly?
Nasibulloh
@Nasibulloh
@dsyer Hi, I am using spring-security-oauth2. I am sending a request but I only get the previous token until that token has expired. But I don't want a single token per user. I want to get a new token for every request. This is for multiple user sessions. The problem is that when I get a token, I use it in a device. But I have multiple devices with a single account. If I want to log out (invalidate the token), all my sessions are logged out. This is not a suitable way.
Deepak
@dgakhar
@Nasibulloh Did you get the solution?
mlk5060
@mlk5060
Morning all. Bit of an opinion question here, but what are the use cases for RunAsManager? It seems like a heavyweight solution and should be used sparingly?
Attoumane
@akuma8

@jzheaux Hi,
Is there an OAuth2 counterpart of this event AuthenticationSuccessEvent? I have a problem when using it. I use a password grant type to authenticate users, the problem is when the user enters wrong credentials an AuthenticationSuccessEvent is sent (because client credentials are correct), but I have this result:

{
    "error": "invalid_grant",
    "error_description": "Bad credentials"
}

Which is the expected result.
I would like an event for a real successful authentication (client + user). Thanks a lot for your help.

Joshua Street
@jjstreet
hopefully a simple question: I am trying to replicate one of the spring boot samples for oauth2 login. I have an application.yaml file defining my security oauth2 client information as described in the samples. However, I do not get a link in the login page to take me to my oauth2 provider
i only ever have a form login page
the samples do not have any sort of configuration other than that within the application.yaml so i am confused as to what else i need
Joshua Street
@jjstreet
server:
  port: 8080

logging:
  level:
    root: INFO
    org.springframework.web: INFO
    org.springframework.security: INFO

spring:
  thymeleaf:
    cache: false
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: your-app-client-id
            client-secret: your-app-client-secret
i am assuming that this application.yaml file will turn on client oauth2, such that when i access my app, there should be a link to authenticate with google
there is no link that shows up for me, only the standard login form
i have no configuration java classes that extend WebSecurityConfigurerAdapter
Joshua Street
@jjstreet
figured it out. seems that the sample apps did not use the security-starter
er spring-boot-starter-security
Sudhakar
@sudhakarbetha
I'm trying to have an OAuth2 client using the authorization_code grant type. I can authorize the user and redirect the URL, but when I try to access the resource using OAuth2RestTemplate, I get 401 Unauthorized.
Is there something I need to do for the OAuth2RestTemplate to add the Authorization header?
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.web.bind.annotation.GetMapping;

// Controller method (lives in a @RestController with an injected OAuth2RestTemplate and a Logger).
// OAuth2User comes from Spring Security 5's oauth2Login; OAuth2RestTemplate is the
// spring-security-oauth2 client.
@GetMapping("/")
public OAuth2User hello(@AuthenticationPrincipal OAuth2User oAuth2User) {
    logger.info("User=" + oAuth2User.getAttributes().get("unique_name"));
    // Call the protected resource; the template is expected to add the Authorization header
    String response = oAuth2RestTemplate.getForObject("https://localhost:8090/me", String.class);
    return oAuth2User;
}

// Configuration beans (live in a @Configuration class)
@Bean
public OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext) {
    return new OAuth2RestTemplate(azureDetails(), oauth2ClientContext);
}

@Bean
public AuthorizationCodeResourceDetails azureDetails() {
    AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
    details.setClientId("myclientId");
    details.setClientSecret("myclientsecret");
    details.setAccessTokenUri("https://login.microsoftonline.com/common/oauth2/token");
    details.setUserAuthorizationUri("https://login.microsoftonline.com/common/oauth2/authorize");
    details.setScope(Arrays.asList("openid", "profile", "User.Read", "Calendars.Read",
            "Chat.Read", "Files.Read", "Mail.Read", "Notes.Read", "Tasks.Read"));
    return details;
}
Nasibulloh
@Nasibulloh
@dgakhar Not yet
Sudhakar
@sudhakarbetha
@sudhakarbetha Can someone help with this?
Sudhakar
@sudhakarbetha
@sudhakarbetha I realized I was using the OAuth1 version of the URLs; when I changed to the OAuth2 version of the URLs, I was able to get a 200 OK response.
URLs obtained from
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
Tejo Gowtham Katta
@tejokatta
DefaultOAuth2ClientContext is in session scope, and it stores preserved state to avoid CSRF attacks.
Is there any way this can be done without a session? Basically my app is distributed and I want to avoid sessions.
Raj
@rajjaiswalsaumya
Hi, can someone please point me to an example of the authorization code grant flow where we connect to a third-party auth server such as Okta or Norton and retrieve an auth token?
azharsquared
@azharsquared
Hi, is there any possibility of a timeout while uploading a large file (I'm using a JWT token for authorization)?
Akshit Goyal
@akshitgoyal1998
How to implement an OAuth client in a microservice architecture? Any leads?
Piotr Kucharski
@Sketusky
Hello, is it possible to create OAuth2 PKCE server with Spring Security?
Andreas Falk
@andifalk
@Sketusky if you mean creating an OAuth2 authorization server with PKCE support then this feature is planned as part of Spring Security 5.3. See https://github.com/spring-projects/spring-security/milestone/147
Piotr Kucharski
@Sketusky
@andifalk Thank you for your response. So it will be done in the next year. I need something to provide secure authentication and authorization for my application REST + Android. Will it be a bad idea to use OAuth2 without PKCE and then try to migrate?
Andreas Falk
@andifalk
@Sketusky Using an Android client without PKCE takes the risk that an attacker can decompile the APK and get the client secret. Without PKCE and a dynamic challenge + code verifier, the attacker could misuse the auth code flow. Why don't you just use some other production-grade auth server, like for example Keycloak?
Akshit Goyal
@akshitgoyal1998
I am using the OAuth2 Google authorization server
and facing an issue while redirecting from Google login

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            provider: google
            clientId: {client Id}
            client-secret: {Client Secret}
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8090/home
            scope: openid,profile,email
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/v2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://openidconnect.googleapis.com/v1/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://www.googleapis.com/oauth2/v3/certs

server:
  port: 8090

Above is my application.yml file,
and this is my configuration class:

package com.example.Oauth;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

@Configuration
@EnableWebSecurity
@EnableOAuth2Client
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests()
              .anyRequest().authenticated()
          .and()
          .oauth2Login()
              /* .loginPage("/oauth2/authorization/google") */
              .failureUrl("/login?error")
              .permitAll()
          .and()
          .logout()
              .logoutSuccessUrl("http://www.google.com")
          .and()
          .oauth2Client();
  }

}

While Google is redirecting I get this:
[attached screenshot: Capture.PNG]
Any help?
Unable to identify the problem.
mpnsk
@mpnsk_gitlab
Did you tell Google to redirect you to /oauth2/authorization/google?
Akshit Goyal
@akshitgoyal1998
no
mpnsk
@mpnsk_gitlab
It works when you add .oauth2Login().redirectionEndpoint().baseUri("/home") to your SecurityConfig, and it has to be accessible. But I just wouldn't make it custom.
mpnsk
@mpnsk_gitlab
Wait a minute, this is finally my chance to grab some Stack Overflow points :D
Jan Heuer
@jtheuer
Hey, when I want to customize the creation of a refresh token in https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java, I need to write my own implementation, right? There is no extension point for that?
Bruce Zhang
@niyaode
Infinite redirection after successful SSO authorization
This is my code. The database is configured.