
ModelOp follows the security architecture shown below:

[Diagram: ModelOp security architecture (Gateway architecture for JWT); image not included in this export]

Technical implementation details:

  • There are 2 main points of entry:

    • OAuth2Login

    • ResourceServer

  • The architecture provides AuthenticationResolver implementations for both MVC and Reactive environments.

  • Each AuthenticationResolver iterates over the list of available AuthenticationManagers to find the one best suited to perform the local authentication/authorization for the current request and build the User.

  • Each AuthenticationManager implementation performs the following steps:

    • Read and validate token.

    • Get user details out of token or from User details endpoint.

    • Get list of user groups.

    • Get list of GrantedAuthorities.

    • Store the authenticated user in the SecurityContextHolder.

  • The following three key services are required for local authentication/authorization and for building the current authenticated user:

    • AccessTokenService:

      • JwtAccessTokenService

      • OpaqueAccessTokenService

    • GrantedAuthoritiesService

    • UserDetailsService

      • TraditionalUserDetailsService

      • IntrospectionUserDetailsService

  • The image above represents the Gateway architecture specifically for JWT.

  • The Resource Server uses JWT and validates the token locally through JOSE (signature, issuer and expiry checks against the issuer's published keys), with no call to the authorization server per request.

...

How to define a MicroService as Resource Server (RS):

...

```yaml
spring:
  profile: secured, jwt

  # OAuth2 Resource Server PF configuration
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://authorization.server
```
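The YAML above only declares the issuer; the five AuthenticationManager steps listed earlier (validate the token, get user details, get groups, build GrantedAuthorities, store the user in the SecurityContextHolder) are what Spring Security performs behind that setting. The following class is an added example, not ModelOp's code, showing how those steps map onto standard Spring Security 6 beans for the JWT resource server. It assumes Spring Boot 3 / Spring Security 6, that the authorization server places group names in a `groups` claim and the username in `preferred_username`, and that tokens for this service carry the audience `model-manage`; none of these names come from the page.

```java
// Added example (not ModelOp's code): JWT resource-server wiring mirroring the five
// AuthenticationManager steps, under the "secured, jwt" profile.
// Assumptions: Spring Boot 3 / Spring Security 6; a "groups" claim with group names;
// a "preferred_username" claim; audience "model-manage". None are taken from the page.
package example.security; // hypothetical package name

import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class JwtResourceServerConfig {

    // Same issuer as spring.security.oauth2.resourceserver.jwt.issuer-uri above.
    private static final String ISSUER = "https://authorization.server";
    private static final String EXPECTED_AUDIENCE = "model-manage"; // assumption

    // Step 1: read and validate the token. fromIssuerLocation() resolves the JWK set
    // through the issuer's discovery document and checks signature, issuer and expiry;
    // an audience check is added so tokens minted for another API are rejected.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        OAuth2TokenValidator<Jwt> issuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = jwt -> jwt.getAudience().contains(EXPECTED_AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "The required audience is missing", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuer, audience));
        return decoder;
    }

    // Steps 2-4: for JWT the user details come from the claims themselves (no userinfo
    // call), the "groups" claim supplies the group list, and each group is mapped to a
    // GrantedAuthority with the ROLE_ prefix so hasRole("ADMIN")-style checks work.
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setPrincipalClaimName("preferred_username"); // assumption
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            List<String> groups = jwt.getClaimAsStringList("groups"); // assumption
            if (groups == null) {
                return List.of();
            }
            return groups.stream()
                    .map(group -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + group.toUpperCase()))
                    .collect(Collectors.toList());
        });
        return converter;
    }

    // Step 5: the BearerTokenAuthenticationFilter registered by oauth2ResourceServer()
    // runs the decoder and the converter and stores the resulting JwtAuthenticationToken
    // in the SecurityContextHolder for the remainder of the request.
    @Bean
    SecurityFilterChain resourceServer(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                        .requestMatchers("/actuator/health").permitAll()
                        .anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

The audience validator is the part the default `issuer-uri` setting does not give you: without it, any token the issuer minted for a different resource server is accepted here as long as its signature and expiry check out. Replacing the validator with `setJwtValidator` discards the default issuer/expiry checks, which is why `createDefaultWithIssuer` is added back explicitly.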

Opaque Token

Opaque Token RS uses an introspection endpoint to validate the token.

```yaml
spring:
  profile: secured, opaque

  # OAuth2 Resource Server PF configuration
  security:
    oauth2:
      resourceserver:
        opaque-token:
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}
```

Opaque Query Param

Opaque Query Param RS also uses an introspection endpoint to validate the token, but receives the token in a query parameter rather than in the Authorization header.

```yaml
oauth2:
  # Values for Resource Servers.
  resource-server:
    ## Base RS configuration
    base-conf:
      user-info-uri: https://authorization.server/idp/userinfo.openid

    # Traditional approaches require only introspection-uri; this approach uses NimbusOpaqueTokenIntrospector
    opaque:
      client-id: model-manage-client
      client-secret: client-secret   # placeholder value; supply the real secret from the environment or a secret store
      introspection-uri: https://internal.pf.modelop.center/as/introspect.oauth2

    # opaque-queryparam serves a specific client that needs to support 2 OAuth2 providers at the same time...
    opaque-queryparam:
      queryparam: otoken
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim
```
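The two opaque variants above differ only in where the token is read from; validation in both cases is delegated to the introspection endpoint. The following class is an added example, not ModelOp's code, showing one way to wire the `opaque` settings through `NimbusOpaqueTokenIntrospector` (which the comment above names) and to accept the `otoken` query parameter for the `opaque-queryparam` client. It assumes Spring Security 6; the `modelop.mm.*` property names are the placeholders from the YAML earlier on this page, and the header-or-query-parameter resolution logic is this example's own design, not something the page specifies.

```java
// Added example (not ModelOp's code): wiring for the "opaque" and "opaque-queryparam"
// settings above. Assumes Spring Security 6. modelop.mm.* are the page's placeholder
// property names; "otoken" is the query parameter the page names.
package example.security; // hypothetical package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.StringUtils;

@Configuration
public class OpaqueResourceServerConfig {

    private static final String QUERY_PARAM = "otoken"; // from the opaque-queryparam block above

    // Validation is delegated to the authorization server's introspection endpoint;
    // client-id and client-secret authenticate this resource server to that endpoint
    // (the introspector sends them as HTTP Basic credentials). The secret is injected
    // from the environment or a secret store rather than written into the YAML.
    @Bean
    OpaqueTokenIntrospector introspector(
            @Value("${modelop.mm.introspection-uri}") String introspectionUri,
            @Value("${modelop.mm.client-id}") String clientId,
            @Value("${modelop.mm.client-secret}") String clientSecret) {
        return new NimbusOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
    }

    // "opaque-queryparam": take the token from the Authorization header as usual and
    // fall back to the otoken query parameter for the client that cannot send a header.
    // A request carrying both is rejected as ambiguous, the same rule
    // DefaultBearerTokenResolver applies when a token appears in more than one place.
    @Bean
    BearerTokenResolver bearerTokenResolver() {
        DefaultBearerTokenResolver headerResolver = new DefaultBearerTokenResolver();
        return request -> {
            String fromHeader = headerResolver.resolve(request);
            String fromQuery = request.getParameter(QUERY_PARAM);
            boolean hasQuery = StringUtils.hasText(fromQuery);
            if (fromHeader != null && hasQuery) {
                throw new OAuth2AuthenticationException(
                        BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request"));
            }
            if (fromHeader != null) {
                return fromHeader;
            }
            return hasQuery ? fromQuery : null;
        };
    }

    // The filter installed here resolves the token, introspects it, maps the
    // introspection response to the principal and authorities, and stores the result
    // in the SecurityContextHolder.
    @Bean
    SecurityFilterChain resourceServer(HttpSecurity http, BearerTokenResolver resolver) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2
                        .bearerTokenResolver(resolver)
                        .opaqueToken(Customizer.withDefaults()));
        return http.build();
    }
}
```

Two operational points follow from the query-parameter route. A token in the URL is written to gateway and server access logs, proxy logs and browser history, so the access-log configuration on the path that accepts `otoken` should mask the query string, and the tokens issued for that client should be short-lived. Introspection also adds one round trip to the authorization server per request, unlike the local JOSE validation used for JWT, so the introspection endpoint becomes a runtime dependency and its latency and availability show up directly in this service's request handling.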