Springboot OIDC Integration

The document provides steps to integrate Spring Boot applications with OpenID Connect (OIDC) for authentication and authorization. It includes: 1. Configuring an OIDC client ID and secret in an OIDC provider like Okta or PingFederate. 2. Adding Maven dependencies for Spring Security and OAuth2 libraries. 3. Configuring application properties with OIDC provider details and scopes. 4. Implementing authorization checks and retrieving user attributes from the OIDC ID token in Java code using Spring Security.
Springboot OIDC Integration Guide

Table of Contents
1. Create and configure an OIDC ClientID and Secret in OIDC provider system
2. Add Maven Dependencies to enable OIDC (Using Okta OIDC client)
   OR Add Maven Dependencies to enable OIDC (Using Generic Spring Security Framework OIDC client)
3. Application.yml (or application.properties) config
   Using OKTA Client
   Using Generic Spring Security Framework OIDC client
4. Java Code Changes
5. Getting User Attributes from OIDC ID Token
6. Restrict access to a resource/endpoint based on Scope/Group or UserID
   - Endpoint level access control inside controller object
   - Global level access control in main class
References

Follow the steps below to secure a web application with OIDC.

1. Create and configure an OIDC ClientID and Secret in OIDC provider system

- Using OKTA CCI Instance - https://myid-okta-int.cisco.com/createapp
- Using PMT to create client in PingFederate - https://wampmtui.cloudapps.cisco.com/loggedIn#/oauth/clients/0/10

Save the ClientID and ClientSecret; both are needed for the configuration below. Register the exact redirect URI your application will use (see step 3) with the client, and keep the secret out of source control: load it from an environment variable or a secrets store at deploy time rather than committing it in application.yml.

2. Add Maven Dependencies to enable OIDC (Using Okta OIDC client):

Edit pom.xml and add the dependencies for Spring Security and the Okta starter. Together they enable Spring Security's OAuth 2.0 support and Okta's auto-configuration for your application. Note that spring-cloud-starter-oauth2 pulls in the legacy Spring Security OAuth project, which is end-of-life, and that 0.6.1 is an old release of the Okta starter; pick the starter release that matches your Spring Boot version, and drop spring-cloud-starter-oauth2 when you rely on Spring Security 5's built-in OAuth2 client (the generic variant below).
<!-- security - begin -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
<groupId>com.okta.spring</groupId>
<artifactId>okta-spring-boot-starter</artifactId>
<version>0.6.1</version>
</dependency>
<!-- security - end -->

OR Add Maven Dependencies to enable OIDC (Using Generic Spring Security Framework OIDC client):

<!-- security - begin -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<!-- JOSE support: needed to verify the ID token signature against the provider's JWK set -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
<!-- only needed if your Thymeleaf templates use the sec: dialect;
     on Spring Security 5 use thymeleaf-extras-springsecurity5 instead -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
<!-- security - end -->

3. Application.yml (or application.properties) config:

Modify application.yml as follows, using the client_id and client_secret issued to your application by the CCI-OKTA / PMT-Ping dashboard. The redirect URI configured here must match, character for character, the one registered with the client in step 1, otherwise the provider rejects the authorization request.

Using OKTA Client:

okta:
  oauth2:
    # the issuer is also the value Spring validates the ID token's iss claim against,
    # so it must be exactly the authorization server's issuer URL
    issuer: https://dev-id.cisco.com/oauth2/default
    client-id: <clientId>
    client-secret: <clientSecret>
    # set to your app's callback path; must equal the redirect URI registered in step 1
    redirect-uri: /authorization-code/callback
    scopes:
      - profile
      - email
      - openid

Using Generic Spring Security Framework OIDC client:

Spring Security 5's OAuth2 client reads its settings from spring.security.oauth2.client.registration.<id> (client) and spring.security.oauth2.client.provider.<id> (provider endpoints); the two ids must match. The openid scope is required, otherwise no ID token is issued and the login is plain OAuth2 rather than OIDC.

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: <clientId>
            client-secret: <clientSecret>
            # Spring Security's default callback path; register this URL (with your
            # app's host) in step 1. If you keep a custom path such as
            # /authorization-code/callback, point the login filter at it with
            # oauth2Login().redirectionEndpoint().baseUri(...) in step 4.
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid, profile, email
        provider:
          okta:
            authorization-uri: https://{yourOktaDomain}/oauth2/default/v1/authorize
            token-uri: https://{yourOktaDomain}/oauth2/default/v1/token
            user-info-uri: https://{yourOktaDomain}/oauth2/default/v1/userinfo
            # the ID token signature is verified against this key set
            jwk-set-uri: https://{yourOktaDomain}/oauth2/default/v1/keys

The four provider endpoints can be replaced by a single issuer-uri: https://{yourOktaDomain}/oauth2/default, in which case Spring fetches them through OIDC discovery at startup and validates the ID token's issuer against that value.

Restart your app and navigate to http://AppUrl again. You'll see a link to click on to log in with Okta/Ping.

4. Java Code Changes: Java code changes are required to add fine-grained authorization policies and to retrieve user details from the OIDC token.

- Add a WebSecurityConfigurerAdapter subclass to the application's main class as shown below. WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 and removed in 6.0, where the same rules are expressed as a SecurityFilterChain bean; the code in this guide targets Spring Security 5.x.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@SpringBootApplication
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class CodeFlowExampleApplication {

    public static void main(String[] args) {
        SpringApplication.run(CodeFlowExampleApplication.class, args);
    }

    /**
     * The default Spring logout behavior redirects a user back to
     * {@code /login?logout}, so you will likely want to change that. The easiest
     * way to do this is by extending {@link WebSecurityConfigurerAdapter}.
     */
    @Configuration
    static class WebConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // allow anonymous access to the root page only
                    .antMatchers("/").permitAll()
                    // every other request needs an authenticated user
                    .anyRequest().authenticated()
                // after logout, send the user back to the root page
                .and().logout().logoutSuccessUrl("/")
                // enable the OAuth2 client and OIDC login (authorization code flow)
                .and().oauth2Client()
                .and().oauth2Login();
        }
    }
}

5. Getting User Attributes from OIDC ID Token: An app can retrieve user attributes from the OAuth2AuthenticationToken that Spring injects into the handler method, as shown in the snippet below. getPrincipal() returns the OAuth2User (an OidcUser for OIDC logins), whose attributes are the ID token claims merged with the userinfo response. Spring has already verified the ID token's signature, issuer, audience and expiry before the request reaches the controller, so the claims can be trusted as identity data; they are still user-controlled strings as far as rendering is concerned, so escape them in templates.

import java.util.Collections;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class ExampleController {

    @GetMapping("/profile")
    // the caller's access token must carry the profile scope
    @PreAuthorize("hasAuthority('SCOPE_profile')")
    public ModelAndView userDetails(OAuth2AuthenticationToken authentication) {
        // getPrincipal() is the OAuth2User/OidcUser; its attributes are the token claims
        return new ModelAndView("userProfile",
                Collections.singletonMap("details", authentication.getPrincipal().getAttributes()));
    }
}

Note: See the available methods of the OAuth2AuthenticationToken class in the Spring Framework documentation at https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/authentication/OAuth2AuthenticationToken.html

6. Restrict access to a resource/endpoint based on Scope/Group or UserID:

- Endpoint level access control inside controller object: Spring provides the PreAuthorize annotation, which can be used inside a controller to control access to a resource based on the claims available in the OIDC token, as shown in the examples below.

    @GetMapping("/profile")
    @PreAuthorize("hasAuthority('SCOPE_profile')")
    public ModelAndView userDetails(OAuth2AuthenticationToken authentication) {
        return new ModelAndView("userProfile",
                Collections.singletonMap("details", authentication.getPrincipal().getAttributes()));
    }

- Global level access control in main class: Spring Boot also supports more complex authorization rules in the WebSecurityConfigurerAdapter config of the main class (explained in step 4 above), as shown in the example below. URL rules declared here are evaluated before the controller is reached, so they cover endpoints that carry no PreAuthorize annotation; the two mechanisms can be combined.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
                // public landing page
                .antMatchers("/").permitAll()
                // only callers whose access token carries the "custom" scope
                .antMatchers("/restricted").hasAuthority("SCOPE_custom")
                // everything else just needs a logged-in user
                .anyRequest().authenticated()
            .and().oauth2Login();
    }
}

Note: Find more details about expression-based access control in the Spring Framework documentation at https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/html/el-access.html
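Steps 5 and 6 show how to read claims and how to gate an endpoint on a scope, but not the group- or user-ID-based checks that the heading of step 6 names. The following is an added example written for this guide, not code from the original document, from Okta or from Spring; like the rest of the page it targets Spring Security 5.x with the generic OAuth2 client. It assumes the ID token carries a "groups" claim (Okta emits one only if the authorization server is configured to; PingFederate needs an equivalent attribute contract), a group called app-admins and a custom scope called custom; all three names, the GROUP_ prefix and the /accounts/{subject} endpoint are placeholders. The mapper turns group claims into authorities so that hasAuthority() can be used for groups exactly as it is for scopes; the controller combines a group check with a check that the caller is acting on their own subject.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class GroupAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed claim name: Okta only puts a groups claim in the ID token when the
    // authorization server is configured to emit one. Change it to what your
    // provider actually issues.
    private static final String GROUPS_CLAIM = "groups";

    // Local convention so group checks read like scope checks
    // (SCOPE_custom vs GROUP_app-admins); Spring attaches no meaning to it.
    private static final String GROUP_PREFIX = "GROUP_";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                // SCOPE_* authorities come from the access token's granted scopes
                .antMatchers("/restricted").hasAuthority("SCOPE_custom")
                // GROUP_* authorities are produced by the mapper below from the ID token
                .antMatchers("/admin/**").hasAuthority(GROUP_PREFIX + "app-admins")
                .anyRequest().authenticated()
            .and().oauth2Login()
                .userInfoEndpoint()
                    // runs once per login, after Spring has verified the ID token
                    .userAuthoritiesMapper(groupsToAuthorities());
    }

    /**
     * Adds one GROUP_<name> authority per entry of the ID token's groups claim.
     * The authorities Spring already granted (ROLE_USER and SCOPE_*) are kept.
     * A missing or non-list claim simply yields no group authorities.
     */
    private GrantedAuthoritiesMapper groupsToAuthorities() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof OidcUserAuthority)) {
                    continue;
                }
                Map<String, Object> claims = ((OidcUserAuthority) authority).getIdToken().getClaims();
                Object groups = claims.get(GROUPS_CLAIM);
                if (groups instanceof List) {
                    for (Object group : (List<?>) groups) {
                        mapped.add(new SimpleGrantedAuthority(GROUP_PREFIX + group));
                    }
                }
            }
            return mapped;
        };
    }
}

/**
 * Per-user check: the caller may read an account only if the path's subject is
 * their own (OidcUser#getName() returns the ID token's "sub" claim by default)
 * or if they belong to the app-admins group. Placed here for brevity; in a real
 * app it lives in its own file.
 */
@Controller
class AccountController {

    // "#subject" refers to the method parameter by name, which requires the class
    // to be compiled with parameter names (spring-boot-starter-parent enables
    // -parameters; otherwise annotate the parameter with @P("subject")).
    @GetMapping("/accounts/{subject}")
    @PreAuthorize("hasAuthority('GROUP_app-admins') or #subject == authentication.name")
    @ResponseBody
    public Map<String, Object> account(@PathVariable String subject,
                                       @AuthenticationPrincipal OidcUser user) {
        // user would be null for a plain OAuth2 login without the openid scope;
        // this guide always requests openid, so an OidcUser is expected here
        return Collections.singletonMap("claims", user.getIdToken().getClaims());
    }
}
```

Because the mapper keeps the original authorities, the scope-based rules from steps 5 and 6 continue to work unchanged. The group membership is read from the ID token that Spring has already signature-checked, so it cannot be supplied by the caller; if the provider puts groups only in the userinfo response rather than the ID token, read them from OidcUserAuthority#getUserInfo() instead.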

References
- https://developer.okta.com/blog/2019/06/20/spring-preauthorize
- https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/html/el-access.html
- https://developer.okta.com/blog/2017/12/18/spring-security-5-oidc
- https://docs.spring.io/spring-security/site/docs/5.2.12.RELEASE/reference/html/oauth2.html