Java Spring Boot OAuth2 Authorization Server and Resource Server.
I am currently writing an OAuth2 authentication service, like Google's auth provider.
In my use case I am storing user credentials in MongoDB and storing sessions in a Redis server via Spring Boot repositories, which make that really simple to use.
Currently I am struggling with writing the resource server because I am thinking about how to plan the routes of the API server, and the problem I have with this is that I am providing a PermissionGroup that provides PermissionScopes like authorities. The client application has a field with a list of PermissionScopes. That is because I want to check if it has permission to request the data of a user, for example. The client application has to be registered at my auth server, checking the redirectUrl and the algorithm to secure the login for the user to the right frontend.
My problems are the following. I have a Spring Boot SecurityConfig that looks fine, and when I want to reset my password, for example, it directly puts me back to the login page. The auth server itself hosts the UI for the login, but only when the authorize URL is called with a valid clientId that is registered in my MongoDB. It also automatically calls https://identity.seriuxmod.net/login, but when I try to call https://identity.seriuxmod.net/authorize?clientId=.... it redirects me to /login.
Please help.
16 Replies
An answer would be great
😝
Can you allow /authorize in your SecurityFilterChain?
Yeah, I can do that, but I want to explain my problem.
my host with my authorization server runs on https://identity.seriuxmod.net
my API, so my Spring oauth2-resource-server, runs on https://api.seriuxmod.net/health
I don't want to build a dashboard on the "identity server"; I want to do that on my homepage.
identity server is the API host?
and to modify my user or my authentication Principal I want to do that over my api.seriuxmod.net server
No, that's my authorization server
so what about that is the issue?
the issue I have is an understanding problem
this is all based on OAuth2, authorities, and scopes.
But how can I manage that a client that I register in my storage, and that can access the authorization server, is only allowed to respond to an explicit permission
like not user permissions, more like application/client permissions, that define what permissions the app can request of the user
you mean user consent?
No, listen, I'll explain
or that the users via that client only get specific permissions even if the user might have more permissions?
Not exactly; in my understanding it's more like the client has permissions that it can request, and the user has permissions that it has.
and if the application/client can't request that, then it is what it is
For example.
I manage in my resource server that my shop with clientId: seriuxmod-shop, and clientSecret, can handle purchases
and other clients can't if they don't have permission to request the payment endpoint, for example
and on the other hand I want to check if the user has the permission, or the authority/scope, however you call it, for example the "SHOP-PRODUCT-ADD" scope to add an article to the product database
But only for application X, like my shop
so you want to know how you can encode the permissions?
I want to know how to check if the application/OAuth2 client has permission to request a specific permission scope of a user, and how to check if the user has the explicit permission to use a function like
// posted as pseudocode with @Secured; in Spring Security the annotation that combines checks is @PreAuthorize
@PreAuthorize("hasAuthority('Administrator') and hasAuthority('SCOPE_bla bla')")
@GetMapping("kick-test")
so that I can use annotations to make my code way smaller
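The two-sided check discussed above (what a registered client may request vs. what the logged-in user holds), as an added example that is not code from the original post or the asker's project. It assumes Spring Boot 3 with spring-boot-starter-oauth2-authorization-server on identity.seriuxmod.net and spring-boot-starter-oauth2-resource-server on api.seriuxmod.net; the scope names shop.purchase and shop.product, the "authorities" and "client_id" claim names, the shop redirect URI and the placeholder secret are assumptions. Two facts about Spring Authorization Server it relies on: the authorization endpoint it registers is /oauth2/authorize, and that endpoint redirects an unauthenticated user to the login page by design, replaying the saved request after login; and a client can only be granted scopes listed on its RegisteredClient, any other scope yields invalid_scope.

```java
// Added example, not the original poster's code. Assumed: Spring Boot 3,
// Spring Authorization Server on identity.seriuxmod.net, resource server on
// api.seriuxmod.net; scope names, claim names, redirect URI and secret are placeholders.
package net.seriuxmod.example;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

/** Authorization server side (identity.seriuxmod.net): what a client MAY request. */
@Configuration
class AuthServerClients {

    // The scopes listed here are the only ones seriuxmod-shop can ask for.
    // A request for any other scope is rejected with invalid_scope before the user sees a login page.
    @Bean
    RegisteredClientRepository registeredClientRepository(PasswordEncoder encoder) {
        RegisteredClient shop = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("seriuxmod-shop")
            .clientSecret(encoder.encode("replace-with-a-real-secret")) // placeholder, never hard-code in production
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("https://shop.seriuxmod.net/login/oauth2/code/seriuxmod") // assumed
            .scope("shop.purchase")
            .scope("shop.product")
            .build();
        return new InMemoryRegisteredClientRepository(shop);
    }

    // Copy the logged-in user's own authorities into the access token ("authorities" claim)
    // and record which client the token was issued to ("client_id" claim).
    @Bean
    OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer() {
        return context -> {
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            Authentication user = context.getPrincipal();
            Set<String> userAuthorities = user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
            context.getClaims()
                .claim("authorities", userAuthorities)
                .claim("client_id", context.getRegisteredClient().getClientId());
        };
    }
}

/** Resource server side (api.seriuxmod.net): enforce client scope AND user authority. */
@Configuration
@EnableMethodSecurity
class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/health").permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt ->
                jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // "scope" claim -> SCOPE_<scope> (client-level permission, Spring's default mapping);
    // "authorities" claim -> used verbatim (user-level permission added by the customizer above).
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        JwtGrantedAuthoritiesConverter users = new JwtGrantedAuthoritiesConverter();
        users.setAuthoritiesClaimName("authorities");
        users.setAuthorityPrefix("");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Collection<GrantedAuthority> all = new ArrayList<>(scopes.convert(jwt));
            all.addAll(users.convert(jwt));
            return all;
        });
        return converter;
    }
}

@RestController
class ProductController {

    // Passes only if the token was granted shop.product (so the client was allowed to request it),
    // the user behind the token holds SHOP-PRODUCT-ADD, and the token was issued to the shop client.
    @PreAuthorize("hasAuthority('SCOPE_shop.product') "
        + "and hasAuthority('SHOP-PRODUCT-ADD') "
        + "and principal.claims['client_id'] == 'seriuxmod-shop'")
    @PostMapping("/products")
    String addProduct(@RequestBody String product) {
        return "added " + product;
    }
}
```

The resource server still needs `spring.security.oauth2.resourceserver.jwt.issuer-uri=https://identity.seriuxmod.net` so it fetches the signing keys and validates the issuer. `principal.claims[...]` works in the SpEL expression because `JwtAuthenticationToken` exposes the decoded `Jwt` as the principal. The first two `hasAuthority` terms are the separation the thread asks for: `SCOPE_*` can only be present if the client was registered with that scope, while `SHOP-PRODUCT-ADD` comes from the user's own record and is independent of which client obtained the token.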