ModelOp follows the security architecture described below:

...

Technical implementation details:

  • The architecture provides AuthenticationResolver implementations for both MVC (servlet) and Reactive environments.

  • Each AuthenticationResolver iterates over the list of available AuthenticationManagers to find the one best suited to perform the local authentication/authorization for the current request and build the User.

  • Each AuthenticationManager implementation performs the following steps:

    • Read and validate token.

    • Get user details out of token or from User details endpoint.

    • Get list of user groups.

    • Get list of GrantedAuthorities.

    • Store the authenticated user in the SecurityContextHolder.

  • The following three key services are required during local authentication/authorization and when resolving the current authenticated user:

    • AccessTokenService:

      • JwtAccessTokenService

      • OpaqueAccessTokenService

    • GrantedAuthoritiesService

    • UserDetailsService

      • TraditionalUserDetailsService

      • IntrospectionUserDetailsService

...

  • Main points of entry:

    • OAuth2Login

    • ResourceServer

  • For the ResourceServer implementation, the architecture supports JWT and Opaque independently.

    • Jwt:

      • Tokens are validated locally (signature, issuer, expiry) using the JWKs published by the authorization server.

    • Opaque:

      • Tokens are validated remotely by introspection, through a token introspection resolver (in case more than one token introspection endpoint is defined).
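The resolver/manager pipeline from the two lists above (read and validate the token, get user details, get groups, map them to GrantedAuthorities, store the user in the SecurityContextHolder, with a JWT manager validating locally and an opaque manager validating by introspection), written out as an added example. This is not ModelOp's code: all class and function names are hypothetical, the JWT is an HS256 token signed with a constructed shared secret (standing in for the JWK-based RS256 signature check the architecture actually performs), and the introspection endpoint is an injected callable backed by a constructed in-memory table.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed demo secret: a JWK-backed deployment verifies an asymmetric
# signature with the issuer's public key instead of a shared secret.
DEMO_SECRET = b"demo-secret-not-for-production"
ISSUER = "https://authorization.server"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT for the demo (constructed input, not a real token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


@dataclass
class User:
    name: str
    groups: List[str]
    authorities: List[str]


class SecurityContextHolder:
    """Stand-in for the thread-bound security context of Spring Security."""
    authentication: Optional[User] = None

    @classmethod
    def set(cls, user: Optional[User]) -> None:
        cls.authentication = user


def groups_to_authorities(groups: List[str]) -> List[str]:
    # GrantedAuthoritiesService step: each group becomes a ROLE_ authority.
    return ["ROLE_" + g.upper().replace("-", "_") for g in groups]


class JwtAuthenticationManager:
    """Validates the token locally (signature, issuer, expiry) and builds the User."""

    def supports(self, token: str) -> bool:
        return token.count(".") == 2  # header.payload.signature

    def authenticate(self, token: str, now: float) -> Optional[User]:
        header, payload, sig = token.split(".")
        expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature check fails before any claim is trusted
        claims = json.loads(_b64url_decode(payload))
        if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
            return None
        groups = claims.get("groups", [])
        return User(claims["sub"], groups, groups_to_authorities(groups))


class OpaqueAuthenticationManager:
    """Validates the token by introspection and builds the User from the response."""

    def __init__(self, introspect: Callable[[str], dict]):
        self.introspect = introspect

    def supports(self, token: str) -> bool:
        return token.count(".") != 2

    def authenticate(self, token: str, now: float) -> Optional[User]:
        info = self.introspect(token)
        if not info.get("active"):
            return None  # revoked, expired or unknown token
        groups = info.get("groups", [])
        return User(info["username"], groups, groups_to_authorities(groups))


class AuthenticationResolver:
    """Picks the first manager that supports the token and publishes the result."""

    def __init__(self, managers):
        self.managers = managers

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[User]:
        now = time.time() if now is None else now
        SecurityContextHolder.set(None)  # never leave a stale user behind
        for manager in self.managers:
            if manager.supports(token):
                user = manager.authenticate(token, now)
                SecurityContextHolder.set(user)
                return user
        return None


# Constructed introspection table standing in for the authorization server.
INTROSPECTION_DB = {
    "opaque-abc": {"active": True, "username": "bob", "groups": ["admins"]},
    "opaque-old": {"active": False},
}


def demo_introspect(token: str) -> dict:
    return INTROSPECTION_DB.get(token, {"active": False})


RESOLVER = AuthenticationResolver(
    [JwtAuthenticationManager(), OpaqueAuthenticationManager(demo_introspect)]
)
```

The resolver clears the context before trying any manager, so a rejected token can never inherit the previous request's user; each manager returns None on any failed check rather than a partially built User.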

...

To define a MicroService as Resource Server (RS):

  1. Identify the type of tokens to be supported.

  2. Define profiles accordingly.

  3. Add the required YAML configuration.

...

Code Block
spring:
  profile: secured, jwt

  # Oauth2 Resource server PF Configuration
  # With only issuer-uri set, the resource server locates the issuer's JWK Set
  # through its discovery document and validates tokens locally (signature,
  # issuer and expiry) without calling the authorization server per request.
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://authorization.server

Opaque Token

Opaque Token RS uses an introspection endpoint to validate the token.

Code Block
spring:
  profile: secured, opaque

  # Oauth2 Resource server PF Configuration
  # Every request is validated by calling the introspection endpoint; the
  # resource server authenticates to that endpoint with its own client
  # credentials, which are injected from ModelOp properties rather than
  # written into this file.
  security:
    oauth2:
      resourceserver:
        opaque-token:
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}

Opaque Query Param

Opaque Query Param RS reads the token from a query parameter (named by queryparam) instead of the Authorization header and validates it against an introspection endpoint.

Code Block
oauth2:
  # Values for Resource Servers.
  resource-server:

    # opaque-queryparam exists for a specific client that needs to support 2 OAuth2 providers at the same time...
    # The token is taken from the `queryparam` query parameter and sent to introspection-uri.
    opaque-queryparam:
      queryparam: otoken
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim
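An added example, not ModelOp's code, showing what the two opaque configurations above amount to at the request level: extracting the token from the Authorization header (standard opaque RS) or from the configured query parameter (opaque-queryparam RS), building the RFC 7662 introspection request with the resource server's client credentials, and accepting only an active response. The config dictionaries mirror the YAML above with placeholder values; function names are hypothetical and no network call is made.

```python
import base64
import json
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed configuration mirroring the YAML above (placeholder values).
OPAQUE_RS = {
    "introspection-uri": "https://authorization.server/introspect",
    "client-id": "modelop-mm-client",
    "client-secret": "placeholder-secret",
}
OPAQUE_QUERYPARAM_RS = {
    "queryparam": "otoken",
    "introspection-uri": "https://authorization.server/rs/validate/AppIdClaim",
}


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Standard RS: the token arrives as `Authorization: Bearer <token>`."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def extract_queryparam_token(url: str, param: str) -> Optional[str]:
    """opaque-queryparam RS: the token arrives in the configured query parameter."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    return values[0] if values else None


def build_introspection_request(config: Dict[str, str], token: str) -> Tuple[str, Dict[str, str], str]:
    """RFC 7662 introspection: form-encoded POST, client authenticated with HTTP Basic
    when client-id/client-secret are configured (as in the opaque RS block above)."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if "client-id" in config:
        creds = f"{config['client-id']}:{config['client-secret']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return config["introspection-uri"], headers, body


def parse_introspection_response(raw: str, required_scope: Optional[str] = None) -> Optional[Dict]:
    """Accept the token only if the server reports it active (and carrying the
    required scope, when one is given); anything else is treated as invalid."""
    info = json.loads(raw)
    if not info.get("active"):
        return None
    if required_scope and required_scope not in info.get("scope", "").split():
        return None
    return info
```

Because a query-string token is written to access logs and can be forwarded in Referer headers, the queryparam path is restricted to the one client that needs it, as the comment in the configuration notes, and every other resource server keeps the header-based extraction.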

...

JWT detailed architecture overview (diagram)

Opaque detailed architecture overview

...

Multiple Authorization Servers architecture

...

...

JWT and Opaque token interactions with the SecurityContextHolder (diagram)