By: matt dillenkoffer user 14 Jan 2016 at 1:48 p.m. CST

9 Responses
It appears that one must be authenticated to hit this endpoint: https://mygluuserver/oxauth/seam/resource/restv1/oxauth/token

To me that seems problematic because my Spring Boot web app client doesn't pass credentials when calling for the token. Please explain to me what's wrong in my line of thinking here:

1. User tries to connect to my Spring Boot web app client.
2. Spring sees that no one has been authenticated, so Spring redirects my browser to the .../oxauth/authorize endpoint; Gluu sees that no one is authenticated, so it forces me to log in.
3. After logging in, Gluu redirects my browser back to my Spring Boot app client's /login endpoint with some request parameters such as session_id and authorization_code.
4. Having this new information, the Spring Boot app client constructs a JSON object to post to the .../oxauth/token endpoint. The JSON object contains the session_id, client_id, client_secret, redirect_url and authorization_code.
5. Everything stops here because my browser, NOT my Spring Boot app client, has authenticated to Gluu.

Should the .../oxauth/token endpoint require authentication? If there's no way to turn that off, how would I tell Spring that when it calls the .../oxauth/token endpoint it needs to pass login credentials?

By Michael Schwartz Account Admin 14 Jan 2016 at 2:06 p.m. CST

Can you post the ldif for the client registered?

# /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=directory manager" \
  -j ~/.pw -b "o=gluu" 'inum=client-id'

Replace "client-id" with your client id, and write the admin password to the ~/.pw file (and remove it when you're done!). Note the single quotes around the filter.

By matt dillenkoffer user 14 Jan 2016 at 2:19 p.m. CST

Here is that info; sorry I didn't understand what you were asking for last time you asked for the ldif from the client.

GLUU.root@remigluu:/opt/opendj/bin# ./ldapsearch -h localhost -p1389 -D "cn=directory manager" -j ./pw -b "o=gluu" 'inum=@!1565.489B.E582.E70F!0001!156A.784D!0008!922A.2F73'
dn: inum=@!1565.489B.E582.E70F!0001!156A.784D!0008!922A.2F73,ou=clients,o=@!1565.489B.E582.E70F!0001!156A.784D,o=gluu
oxAuthScope: inum=@!1565.489B.E582.E70F!0001!156A.784D!0009!F0C4,ou=scopes,o=@!1565.489B.E582.E70F!0001!156A.784D,o=gluu
oxPersistClientAuthorizations: true
oxAuthAppType: web
oxAuthResponseType: code
oxAuthResponseType: id_token
oxLastAccessTime: 20160114192231.199Z
oxAuthClientSecret: FsQ28arxjgRyoim40/xWZg==
objectClass: oxAuthClient
objectClass: top
oxAuthTokenEndpointAuthMethod: client_secret_basic
oxAuthRedirectURI: https://magellan:8443/login
oxAuthTrustedClient: true
oxAuthIdTokenSignedResponseAlg: RS256
displayName: mattTestClient
inum: @!1565.489B.E582.E70F!0001!156A.784D!0008!922A.2F73

By matt dillenkoffer user 14 Jan 2016 at 3:16 p.m. CST

This is my Spring Boot app client logging behavior:

2016-01-14 15:14:47.924 DEBUG 10120 --- [nio-8443-exec-6] o.s.web.client.RestTemplate : Created POST request for "https://remigluu/oxauth/seam/resource/restv1/oxauth/token"
2016-01-14 15:14:47.925 DEBUG 10120 --- [nio-8443-exec-6] g.c.AuthorizationCodeAccessTokenProvider : Encoding and sending form: {grant_type=[authorization_code], code=[8c46a127-1d56-43f7-b764-fa025547ba11], redirect_uri=[https://magellan:8443/login], client_id=[@!1565.489B.E582.E70F!0001!156A.784D!0008!922A.2F73], client_secret=[superSecret]}
2016-01-14 15:14:47.986 DEBUG 10120 --- [nio-8443-exec-6] uth2ClientAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token

By matt dillenkoffer user 14 Jan 2016 at 3:18 p.m. CST

From what I've read the client_id and client_secret should successfully authenticate the client app to the token endpoint.

By Javier Rojas staff 14 Jan 2016 at 3:44 p.m. CST

Hello Matt,

The client must authenticate to the token endpoint by using one of the following available methods:
- client_secret_basic
- client_secret_post
- client_secret_jwt
- private_key_jwt

In case the client is not able to authenticate, then you can use the Implicit Flow.

Regards,
Javier

By matt dillenkoffer user 14 Jan 2016 at 9:57 p.m. CST

I bet Spring is using client secret jwt by default. I will try that first thing in the AM. Thanks.

By matt dillenkoffer user 15 Jan 2016 at 9:25 a.m. CST

It looks like the post to the token endpoint from the Spring Boot web app client doesn't contain scope. I wonder if that's the problem.

"OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored."

By matt dillenkoffer user 18 Jan 2016 at 10:48 a.m. CST

I understand the different authentication mechanisms at my disposal. Unfortunately, no matter which one I use I always get the same error:

Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token

While investigating this I ran across your documentation which states you have to install a custom mod into apache2 to make OpenID Connect work: http://www.gluu.org/docs/reference/mod_auth_oidc/ubuntu-installation/

Am I correct to assume that following the regular install instructions for Gluu is not sufficient to make OpenID Connect work? Do I need to take these extra steps after following the regular instructions outlined here: http://www.gluu.org/docs/admin-guide/deployment/ubuntu/ ?

By matt dillenkoffer user 21 Jan 2016 at 8:37 a.m. CST

OK, I finally figured out what my problem was. For some reason the BadCredentialsException was masking the real error, which was that Java didn't want to talk to Gluu over a secure connection to the token endpoint because Java didn't trust the Gluu certificate.

With Gluu in client_secret_post authentication mode and my Spring Boot client using the properties

security.oauth2.client.authentication-scheme=form
security.oauth2.client.client-authentication-scheme=form

everything works great now that I have imported the Gluu certificate into my JVM's cacerts Java keystore.
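As an added illustration (not code from the thread, Gluu or Spring), the Python below models the client-authentication mismatch the thread runs into: the LDIF registers the client with oxAuthTokenEndpointAuthMethod: client_secret_basic, while the Spring log shows the secret being sent in the form body, which is client_secret_post. The client id and secret used in the test are constructed placeholders, and the server-side check is a simplified model of what a token endpoint does, not Gluu's implementation.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for the authorization_code POST to the token endpoint.

    client_secret_basic puts the credentials in an HTTP Basic header (RFC 6749
    s2.3.1: id and secret are form-urlencoded before base64, which matters for
    Gluu inums containing '@' and '!'). client_secret_post puts them in the form
    body, which is what Spring's client-authentication-scheme=form sends.
    scope is not part of the token request; it belongs to the authorize request.
    """
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("unsupported client authentication method: " + method)
    return headers, urlencode(form)


def client_authenticates(registered_method, registered_id, registered_secret,
                         headers, body):
    """Simplified model of the token endpoint's client check: credentials are
    accepted only where the client's registered oxAuthTokenEndpointAuthMethod
    says they go, so a client registered as client_secret_basic that sends the
    secret in the form body (or vice versa) fails even with the right secret."""
    if registered_method == "client_secret_basic":
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            cid, _, sec = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 bytes
            return False
        cid, sec = unquote(cid), unquote(sec)
    elif registered_method == "client_secret_post":
        form = parse_qs(body)
        cid = form.get("client_id", [""])[0]
        sec = form.get("client_secret", [""])[0]
    else:
        return False
    return cid == registered_id and hmac.compare_digest(sec.encode(), registered_secret.encode())
```

Flipping either the registered method or the Spring scheme so the two agree is what turns the BadCredentialsException into a successful token response; the TLS trust failure the thread found is a separate layer that this model does not cover.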