Spring boot oauth2 client and eureka integration - netflix-eureka

Is there any way to integrate spring oauth2 client with eureka to make client take oauth2 server ip from eureka registry? I've read that article dated two years ago and hope there was some progress since.. Is it? Or the gateway is still the only way to go?

Related

SAML request authentication with Kong

we are using konghq as an API gateway for one of our customers but we are very new to it and therefore don't know how to tackle this authentication issue.
We have to authenticate our services with a SAML token. Our micro services are behind kong which is running on an EC2. The authentication process should be an independent micro services which validates the token from the request and it’s contents against another system. Instead of a service it could also be some serverless function on a k8s cluster. We don't want to use a lambda to stay cloud agnostic.
We were previously using AWS API gateway and lambda authorizers to tackle the scenario. The authorizer validated the token and took care of the authentication process.
I searched all the Kong forums and google but couldn't find a SAML plugin. Most similar is the JWT plugin but it won't work for us.
Is there something similar in Kong or is there development on Kong involved? If yes, are there any existing plugin which are similar or any tutorials related.
All help is greatly appreciated.
Thanks
Oldfighter

Secure javascript client or java server that hosts rest services with keycloak ? (Please read the description)

Sorry about the vague question.
So I have an apache webserver that is running my website. I use oracle jet for the website. I have already authenticated the website using keycloak, I put the authentication code within my javascript application and not on the top of apache web server.
Now, I want to send rest requests to my spring boot server from my website and want to include the keycloak login information so that I can both authenticate and also hit the right database schema through spring boot (multi tenancy).
Is it important to authenticate the rest service or just let it pass and just add a login id as a header ? And what is the best way to do this..
Any suggestions are welcome.
Thanks in advance.
-Vikram

two way SSL using AWS API Gateway

Can we use Two Way SSL feature using AWS API Gateway ? We want to use API Gateway as proxy for kinesis in our real-time streaming application.
Below is my requirement
The client make request to apigateway and apigateway needs to put the data in kinesis streams.
The only way to authenticate the clients is using two way SSL. our clients doesnt support other options.
Currently on-premise F5 loadbalancer does this work for us and we have tomcats running behind F5 placing data into kinesis.
Will i be able to achieve the same using API Gateway ? looks like even aws ELB seems to be not supporting this option.
I have taken a look at below link but this to authenticate API Gateway at server not apigateway authenticating the client.
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Regards
Kalyan
API Gateway can authenticate itself to your back-end with TLS, as you have found, but it does not work in the opposite direction -- it does not support authenticating clients with TLS.

openID connect server with spring-cloud-securiy

we am trying to use open ID connect (OIDC) for authentication and authorization (AnA) for our micro-service architecture based on spring-cloud framework
As a part of requirement we want to achieve following:
Integrate (OIDC) with SSO Federation as a Identity provider which we are using federation to authenticate users (staff id)
How to customize access_token which in turn will be provided by a micro service (Authorization service)
I am looking at MITREid Connect as its based on spring framework and spring security
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
As a resutl of that, all requests to our services have to go through (OIDC) for (AnA)
I also check on https://cloud.spring.io/spring-cloud-security/ as I understand the Zuul server will get an access_token to relay to proxied services. But our scenarios are different as we want to expose other micro-services to external parties as well so that we want to have secure our services.
Any advices is highly appreciated.

Securing Spring boot Rest services with CAS

Friends,
Recently I have created one web-services application using spring-boot and now its having few unsecured entry points. (This is a pure rest based application having only rest entry points doesn't have any UI components).
Now I would like to add CAS client with this application for securing the rest entry points.
My CAS server is ready and its up and running. And I have configured CAS Rest protocol as well in my cas server to access TGT/ST through rest call and I'm in the planning of using only the rest call rather than using login pages.
So, when an user tries to access my rest application, I'm going to call CAS rest entry points internally (by using restTemplate) to validate user credentials and generating TGT and ST.
Available CAS entry points are (from jasig reference docs),
POST /cas/v1/tickets HTTP/1.0
username=battags&password=password&additionalParam1=paramvalue
POST /cas/v1/tickets/{TGT id} HTTP/1.0
service={form encoded parameter for the service url}
DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0
I think, I'm little clear on this part. Please correct me if I'm wrong.
And now my query here is, what should I do to add a ST ticket validator in my spring boot application? Do I need to add any filters using spring-security? Or do I need to call any other rest api for validating the ST? Please guide me to proceed further.
You can use existing Spring boot cas starter:
cas security spring boot starter
cas client autoconfig support
That will configure for you and magically your spring boot app with CAS authentication (and thus your application will be able to read ST or PT without effort).
I'm author of cas security spring boot starter, so I won't influence your choice but main difference from that project and cas client autoconfig support developed by Unicon is about Spring security integration.
Indeed cas security spring boot starter is fully compliant with spring security, thus you will be able to use any feature you know from spring security. Whereas cas client autoconfig support will instantiate and configure Apereo (Jasig) filters that is not designed to work out of box with Spring security.
You don't need a service ticket unless you want to call another service from your web service. Validating the received credentials via the CAS REST API is enough.
If you are looking for a security library to protect your web service via the CAS REST API, you should give a try to: https://github.com/pac4j/spring-webmvc-pac4j and especially this configuration: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L74