Can anybody point me in a direction for configuring the jhipster gateway to use an external OpenID Connect (OIDC) provider instead of bundling all the UAA stuff? I know of the jhipster UAA server, but that seems to be a standalone auth server.
My use case is that my (many) different jhipster microservice projects will have their authentication and JWT generation stuff handled by an external OIDC provider - not the jhipster gateway itself.
Btw, I'm aware of these projects:
github.com/jhipster/jhipster-openid-connect
github.com/sdoxsee/jhipster-openid-connect-microservices
And I've read through this lengthy discussion which seems to conclude that and OpenId Connect alternative is in the making:
https://github.com/jhipster/jhipster-experimental-microservices/issues/3
I have some ideas:
Set up a microservices stack to use the UAA server. Then, in some way, instead of using the jhipster UAA server, point at my external OIDC provider.
Look at what mraible has done with regards to the Stormpath (and soon to come Okta) subgenerator.
Experiment with "social logins"(jhipster.github.io/tips/012_tip_add_new_spring_social_connector.html)
Would anybody like to discuss?
You may be already aware but OpenID Connect support has been merged and is due to come out in the next jhipster release (4.10.0?)
Here's the merged pull request and more support is coming.
Related
I am planning on building a K8s cluster with many microservices (each running in pods with services ensuring communication). I'm trying to understand how to ensure communication between these microservices is secure. By communication, I mean HTTP calls between microservice A and microservice B's API.
Usually, I would implement an OAuth flow, where an auth server would receive some credentials as input and return a JWT. And then the client could use this JWT in any subsequent call.
I expected K8s to have some built-in authentication server that could generate tokens (like a JWT) but I can't seem to find one.
K8s does have authentication for its API server, but that only seems to authenticate calls that perform Kubernetes specific actions such as scaling a pod or getting secrets etc.
However, there is no mention of simply authenticating HTTP calls (GET POST etc).
Should I just create my own authentication server and make it accessible via a service or is there a simple and clean way of authenticating API calls automatically in Kubernetes?
Not sure how to answer this vast question, however, i will try my best.
There are multiple solutions that you could apply but again there is nothing in K8s for auth you can use.
Either you have to set up the third-party OAuth server or IAM server etc, or you write and create your own microservice.
There are different areas which you cannot merge,
For service interconnection service A to service B it would be best to use the service mesh like Istio and LinkerD which provide the mutual TLS support for security and are easy to set up also.
So the connection between services will be HTTPS and secured but it's on you to manage it and set it up.
If you just run plain traffic inside your backend you can follow the same method that you described.
Passing plain HTTP with jwt payload or so in backend services.
Keycloak is also a good idea to use the OAuth server, i would also recommend checking out Oauth2-proxy
Listing down few article also that might be helpful
https://medium.com/codex/api-authentication-using-istio-ingress-gateway-oauth2-proxy-and-keycloak-a980c996c259
My Own article on Keycloak with Kong API gateway on Kubernetes
https://faun.pub/securing-the-application-with-kong-keycloak-101-e25e0ae9ec56
GitHub files for POC : https://github.com/harsh4870/POC-Securing-the--application-with-Kong-Keycloak
Keycloak deployment on K8s : https://github.com/harsh4870/Keycloack-postgres-kubernetes-deployment
I'm reading about of UAA server, and have one doubt...
If i have a project with microservices (MS), with:
UAA server
MS type gateway (using UAA authentication)
MS type application (using UAA authentication)
I understand that the UAA server, creates User entity in your own database (for example db_uaa), but my doubt is born when i think about the MS gateway.
The MS gateway too creates another User entity in your own database (db_gateway) or the MS gateway no creates User entity in your database (db_gateway), because it uses the UAA authentication.
I hope you can help me to clarify this doubt, thanks.
Users are stored on UAA side only.
The Gateway which supports the client side (i.e., authentication and user-management) will access to users through some exposed UAA services.
If you need to access to the user entity from another microservice, look at the #Feign concept.
Hope this helps.
What's the difference between Jhipster UAA and cloud foundry UAA, are they compatible with each other?
This doesn't describe it entirely but from http://jhipster.github.io/using-uaa/
JHipster UAA is a user accounting and authorizing service for securing JHipster microservices using the OAuth2 authorization protocol.
To clearly distinct JHipster UAA from other “UAA”s as cloudfoundrys UAA, JHipster UAA is an fully configured OAuth2 authorization server with the users and roles endpoints inside, wrapped into a usual JHipster application. This allows the developer to deeply configure every aspect of his user domain, without restricting on policies by other ready-to-use UAAs.
I'd say that JHipster UAA is simply a spring-boot app (tweaks a-la jhipster...but without the angular client-side) that uses the #EnableAuthorizationServer to make the UAA app to serve as an oauth2 authorization server--granting tokens to client apps (jhipster gateways in this case) to call resource servers and providing the public key that resource servers would use to verify tokens. JHipster UAA is predominantly a server-side app at the moment. It has the authorization server code and stores the actual user information but has no UI itself for managing those users (the UI to manage it is duplicated on each gateway app). JHipster's UAA also can't do single sign on (SSO) (unlike cloudfoundry uaa) because it doesn't expose a login endpoint in the browser needed to create the session on the authorization server to enable SSO between client (or gateway) apps.
Cloudfoundry's UAA is much more comprehensive but does much the same thing (as far as doing what oauth2 authorization servers do). As it stands right now, cloudfoundry is a more mature and flexible app but isn't integrated with jhipster out of the box...yet.
I currently still have an old public github repo that integrates jhipster with cloudfoundry uaa but jhipster has changed a lot since. https://github.com/sdoxsee/jhipster-openid-connect-microservices
Can I use spring-security-rest as a replacement of Oauth?. My app has server side part and java script client side part where I found that spring-security-rest plugin fits most. But I want to be able to authenticate other apps who want to consume my service (I want to be something like Oauth provider). Does spring-security-rest plugin support this? or should I use another plugin?
The plugin is not a fully OAuth provider. Or said in OAuth terminology, is not a full Authorisation Server.
In that case I recommend you Spring Security OAuth 2 Provider Plugin
If you are looking only for a simplistic token based authentication for your service, you could leverage the spring security rest plugin and tweak it a little bit based on your need without having to implement the full blown Spring Security OAuth2 Provider plugin. I managed to accomplish something similar with by extending some of the base classes of spring security rest plugin to modify the login payload and authentication and exposed a token/validate as a REST endpoint. I put up this as an independent authentication service that uses the /api/login API for token generation in tandem with the /token/validate to accomplish some kind of validation on token. Not a full blown Oauth scenario but serves the purpose of authentication between consumer and provider services.
we would like to develop a new node.js based application using some SSO technology.
More applications will join then after using the same SSO infrastructure and logic.
We do not have specific requirements on the SSO itself, but it need to authenticate users
via a local DB (managing user name and passwords)
via our enterprise AD
via some external/federated SSO (I guess via SAML or so)
Also if it would support XACML it would be great.
I believe one of the most complete solutions on the market is the WSO2 Identity Server... but we would be open for others too.
The main question though is simply:
Is it possible to have such a solution in node.js?
Or do we need to shield node.js behind some (Apache) server to get SSO?
What would be the best approach?
Any inputs would be appreciated.
I've used azure active directory in my node.js projects for authentication, this might work as you are using active directory. Here is a sample.