Integrate Spring SAML with Oauth2 token for REST API access
With the Spring SAML Extension I am able to configure the SAML authentication and get the assertion back to the SP (I followed the link).
Now it returns to "/landing", and I get the Assertion and the Authentication object in SAMLUserDetailsService and SAMLAuthenticationProvider; the UserDetails object is populated in SAMLUserDetailsService.
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
    SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler =
            new SavedRequestAwareAuthenticationSuccessHandler();
    successRedirectHandler.setDefaultTargetUrl("/landing");
    return successRedirectHandler;
}
Now my question is: how can I generate the auth token from this point? There are not many details available. So far I tried creating a custom filter which intercepts "/landing" and tried to modify the URL to /oauth/token?grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=AssertionToBase64Url (followed this), but I was not able to generate the token. In my current configuration, Spring Security with the OAuth implementation and Spring SAML are each working independently, so now I want to use these two features jointly.
My ResourceServerConfiguration.java:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "my_rest_api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .anonymous().disable()
            .requestMatchers().antMatchers("/user/**")
            .and().authorizeRequests()
            .antMatchers("/user/**").access("hasRole('ADMIN')")
            .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}
My AuthorizationServerConfiguration.java:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private static String REALM = "MY_OAUTH_REALM";

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("my-trusted-client")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .secret("secret")
            .accessTokenValiditySeconds(120)   // Access token is only valid for 2 minutes.
            .refreshTokenValiditySeconds(600); // Refresh token is only valid for 10 minutes.
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM + "/client");
    }
}
Can anyone suggest how to integrate these, so that authentication is done in the IdP and, on return to the SP after a successful assertion from the IdP (the authorization part is done), an OAuth access token and refresh token are generated, with which the user is able to access the API? Can anyone provide some sort of solution...
A while back I hit the same challenge, and after figuring it out I wrote an article (which cannot be posted here...). Basically, your OAuth authorization server is a "bridge" that adapts your SAML backend to OAuth, and vice versa. Find it here:
How-to-integrate-Spring-oAuth-with-Spring-SAML
There is also a repo in GitHub with all the sources, as an example:
https://github.com/OhadR/spring-oAuth2-SAML-integration
I know it is just links, but again, the article is too long and detailed.
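One concrete way to do the "bridging" the answer describes, as an added example that is not from the question, the answer or the linked repository: an AuthenticationSuccessHandler that replaces the SavedRequestAwareAuthenticationSuccessHandler from the question and, once Spring SAML has consumed the assertion, mints an OAuth2 access token (and refresh token) for the SAML-authenticated user through the authorization server's own token services. It assumes the "my-trusted-client" client from the question's configuration and that the AuthorizationServerTokenServices and ClientDetailsService beans are injected from that configuration; the class name is hypothetical.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/** Hypothetical handler: runs once Spring SAML has validated the assertion and built the Authentication. */
public class SamlToOAuth2SuccessHandler implements AuthenticationSuccessHandler {
    private static final String CLIENT_ID = "my-trusted-client"; // client registered in the question's config
    private final AuthorizationServerTokenServices tokenServices;
    private final ClientDetailsService clientDetailsService;

    public SamlToOAuth2SuccessHandler(AuthorizationServerTokenServices tokenServices,
                                      ClientDetailsService clientDetailsService) {
        this.tokenServices = tokenServices;
        this.clientDetailsService = clientDetailsService;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication samlAuthentication) throws IOException, ServletException {
        // Scopes, resource ids and client authorities come from the registered client, so the
        // issued token can never carry more than that client was granted.
        ClientDetails client = clientDetailsService.loadClientByClientId(CLIENT_ID);
        Map<String, String> params = new LinkedHashMap<>();
        params.put("client_id", CLIENT_ID);
        OAuth2Request storedRequest = new OAuth2Request(params, CLIENT_ID, client.getAuthorities(), true,
                client.getScope(), client.getResourceIds(), null, null, null);
        // The user half of the token is the SAML Authentication: principal and roles as populated
        // by SAMLUserDetailsService, so hasRole('ADMIN') on the resource server keeps working.
        OAuth2Authentication oauth2Auth = new OAuth2Authentication(storedRequest, samlAuthentication);
        // DefaultTokenServices adds a refresh token when the client lists the refresh_token grant.
        OAuth2AccessToken token = tokenServices.createAccessToken(oauth2Auth);
        // Return the token in the body, never in a redirect URL, so it does not land in logs or history.
        response.setContentType("application/json");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write(new ObjectMapper().writeValueAsString(token));
    }
}
```

Wire it in with setAuthenticationSuccessHandler on the SAMLProcessingFilter in place of the successRedirectHandler bean from the question; the resource server then validates the returned bearer token against the same TokenStore.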