Flutter with REST backend Springboot - rest

I am developing a Flutter mobile application with a Spring Boot backend. I want to have three types of login methods (1). username & password (2). Facebook (3). Google.
I have following questions.
1) If I handle the Authentication part in the mobile App via Firebase Authentication (And store all the user on Firebase), do I need to write authentication code on my Spring Boot side? Or I need to keep my authentication on the Sprin Bboot side only?
2) I want the JWT token for all the authentication system (Facebook, Google and username & password). The mobile app will send the JWT token for every requests it make to the Springboot app.
3) I am looking for a step by step tutorial that shows how can I integrate all these login methods in my Springboot REST APIs. I have looked many but all they have some different different methods or dependencies. Like some are adding Facebook dependency in the maven and some only add the Oauth2.
Thanking you in advance

You can integrate your Spring Boot back-end with external authentication provider using JWT by defining a custom security filter in your spring boot app. This filter will read the JWT issuer (iss) and define where it comes from (Facebook or Google). Then, based on the provider, use the appropriate public key to verify the signature included in the JWT (normally, you can use the JWKS URI provided by the authentication providers to get the key). If all good, authentication is success.

I use
Flutter
Spring for database access (REST)
Firebase for authentication
The problem was: how do I authenticate REST requests?
The short answer: send the Firebase access token to the Spring server where the token is validated. If it is valid, grant acces. Else return 403 forbidden.
The more detailed answer:
Authenticate in Flutter
FirebaseAuth.instance.signInWithPopup(GoogleAuthProvider())
Get the JWT access token IFF login was successful. (You may rather use userCredential.user instead of currentUser)
FirebaseAuth.instance.currentUser!.getIdToken();
Add the token to your http-request header
final response = await http.get(
Uri.parse('https://example.com/example'),
headers: {
HttpHeaders.authorizationHeader: 'your_api_token_here',
},
);
Then validate the token on server side. Read this for details:
https://firebase.google.com/docs/auth/admin/verify-id-tokens#java
FirebaseToken decodedToken = FirebaseAuth.getInstance().verifyIdToken(idToken);
String uid = decodedToken.getUid();
Your Spring application will be able validate that the token is correct and not yet expired.
I highly suggest to send the token over https only! Do not use http.

Related

Approah on creating clients/realms for separate service (frontend and backend)

I'm new to keycloak and would like to check what is the common design on the said architecture.
I have 1 backend(quarkus) 1 frontend (angular) and 1 flutter.
I would like to see if I could leverage the features of client. My idea is to have a separate client within the realm. For example
REALM = MyAppRealm
Client = backend-client and front-endclient
Is it possible that the token i got from front-endclient can be use to access the api from the backend?
Reason I have this setup is that the front-endclient has a public accesstype while the backend has confidential
to sum up. I would like to see if i can reuse the token i got from front-endclient to my backend-client
Yes of course you can do that.
The purpose of openid is to share authentication and authorization between a diversity of clients without needing to share credentials (no password is known by any of the clients). A trusted third party (here Keycloak) will give back a signed token in exchange for credentials. And this token will be a proof of who the user is and what he is allowed to do in the communications between the frontend and backend.
To sum up :
Your angular frontend authenticates an user using a public client and an implicit flow. When successfully authenticated, the frontend obtains an access token and a refresh token.
When making a REST call to the backend, your frontend needs to set the header Authorization using the access token as a bearer token ('Authorization: Bearer insert access token here'). You can automate this by using an interceptor (example)
Finally, when your backend receive an API request it can check the Authorization header to ensure the request is authenticated and authorized. For how to do that with Quarkus, everything is explained in this documentation page : https://quarkus.io/guides/security-openid-connect

I want to have Custom Keycloack Authentication/Authorization or Identity Provider

I'm googling since long and i'm bit confused now should i create Custom iDP or Authentication provider in Keycloak.
Below is my requirements.
I have multiple clients and each client having login API which also returns JWT token on successful login so what business needs is that when user try to login i want keycloack to consume client API to Authenticate User and once user successfully authenticated by Client API Keycloack should generate token for further operations.
One more problem is can i use same token return from client as Keycloack token because there are some apis on client side which decode token and use some info from token.
Please suggest and i'm bit stressed to looking for different solution and couldn't help. I will be grateful if you can share sample code with it.
What do you mean by "I have multiple clients and each client having login API" (does that mean different endpoints secured by different realms?? I supose that's not what you want).
What you mention here:
"what business needs is that when user try to login i want keycloack to consume client API to Authenticate User and once user successfully authenticated by Client API Keycloack should generate token for further operations."
that is indeed the standard behaviour of Keycloak, why do you need a custom Authentication (user federated Authentication/ identity Provider)? You haven't made clear from the description of your problem, why do you need a custom Identity Provider SPI /custom Authentication federation? If you really need an Authentication SPI, please read chapter 8 from here:
https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
that's the best documentation on that topic. Are you authenticating against a custom Auth service of your company that doesn't support openid connect? If not, then you don't need a custom Authentication SPI.
regarding:
"can i use same token return from client as Keycloack token because there are some apis on client side which decode token and use some info from token."
I don't know exactly what you mean there, but depending on your client adapter there are slight variations on the way you get/extract a bearer token & secure your endpoints in general. Plase read chapter 3.1 from here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_registration
There you'll find base implementations/suggestions for the different client adapters, or at least should move you forward in your search.
Hope it helps.

registering a rest API with OAuth

I have written a web application which makes REST API calls to a message broker. The message broker contains already written REST APIs to which can be used to get message broker data. The message broker is written in a way in which each REST API call sends the user name and password which is encoded with base64. I need to make a login to my web app and authenticate it with OAuth.Does anyone know how to do this? How to authenticate the REST APIs with OAuth?
Step 1: Add OAuth 2.0 to your web server. This is very standard with lots of libraries available. You did not specify the Identity Provider that you will use (Google, Facebook, Auth0, Okta, etc), but each vendor has documents and libraries for you to use in your desired language.
Step 2: Add an Authorization Header to your API calls. The standard method is to add the HTTP header Authorization: Bearer access_token when making an API call.
Step 3: Add OAuth token verification to your API. When your API receives a request, it extracts the Authorization header and verifies the Bearer token. How this is done depends on the Identity Provider. For example, some vendors provide a Signed JWT (which you verify with the vendors public certificate), others provide an opaque access token (which you verify by calling the vendor's token endpoint). Add internal caching of tokens so that you don't need to verify on every API call.
If you understand OAuth 2.0 the above steps are straightforward to implement. If you don't Oracle has a set of videos which are excellent for getting started understanding OAuth.
Oracle Cloud Primers
If your desired OAuth implementation does not require users logging in and is a server to server service that you control on both ends, then you can use just part of OAuth which is Signed JWT (JWS). You create a Json data structure with your desired content and sign it with a private key. This creates a token that you can use in the above steps. You would then validate the token using your public key. You can use self-generated keypairs generated by OpenSSL or similar products for your signing and verification.

Laravel 5 REST Api

I am using laravel 5.1
I want to make login using REST api. I have searched about Sentry. But there is no documentation for Laravel 5. I don't know it will work with laravel 5. I just want to know what is the best way to login my laravel application using REST?
Laravel for Rest API development Good Choice
Even I am using it for Rest API development
For Login I am using a session field from database which acts as token for validating user accessing the API
so, if the request has the session token and it matches to the token from database then its a valid request
this approach is taken by me for validating request to my API, And every login I am resetting the token
How to create the token
Token should be able to identify the user i.e. which user is sending the token for that I am creating token by hashing userID + salt(Random and very long string).
How it works
User who is able to access the API sends login credentials, if the credentials are valid I am creating token for the user and storing the token in database with the user whose credentials are provided and sending the token value to the user as response and next time I am validating each request with the Access token
Recommendation
Instead of Laravel you can consider using Lumen(A micro-framework by Laravel) also for developing rest API.
For detailed information about rest and rest authentication
How to do authentication with a REST API right? (Browser + Native clients)
What exactly is RESTful programming?
What is REST? Slightly confused
RESTful Authentication

Grails & Spring Security & Facebook & Oauth2 - Restfull server

What would be the actual solution to build a server with Grails and Spring Security that meets the following requirements :
Access to the server would be restfull, so only by third party clients (mobile,...)
The authentication would use the oauth2 facebook services and the client would use a facebook SDK to provide a token to the server
The authentication would be on per request basis so the token would be passed on the request as GET parameter (not POST as the Rest API uses it)
No need to access Facebook user's information, only authentication
I tried Spring Security Facebook but the Json filter only returns user details so no per request or per session authentication.
I noticed Spring Security Oauth2 Provider but to me it's a provider and not a consumer that could plug into another provider like Facebook so no clue on how to use it.
Spring Social doesn't seem to meet my requirements.
As a result of this search for information, I intend to write a plugin to create a Restfull server connected to facebook.
Thanks in advance
You could implement a security filter on the top of all your requests, and then if the request contains an auth header for the API you respond with as a restful API, otherwise you redirect your users to the login page, handled by the oauth authentication service, where you let the users login with the oath method (facebook, mozilla persona or whatever you like)