Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 14 Next »

ModelOp Center, adheres to the Spring Security Architecture for OAuth2 applications.

The next diagram provides a high level overview of the internal layers.

ModelOp Center supports ServerHttpSecurity configurations as:

  • OAuth2Login:

    • Mainly used by the Gateway, handling browser authentication.

  • ResourceServer:

    • Jwt:

      • Token local validations performed by JWKs.

    • Opaque:

      • Token validations performed by introspection; through token introspection resolvers ( in case more than one token introspection defined ).

      • Opaque-QueryParam.


Securing Microservice to microservice communication

In secured environments, microservice to microservice communication is token protected. This process is internally managed by feign clients. Feign clients uses an OAuth2 FeignInterceptor implementation in charge of requesting/refreshing tokens and adding them as headers as part of each request.

To improve performance, our FeignInterceptor is adding an additional tenant-id header inside request, allowing downstream resource servers (RS) to identify faster the right introspector/token validator to be used at runtime, saving time and resources, specially when used with Opaque environments with multiple OAuth2 idP defined.


Defining a MicroService as Resource Server (RS):

  1. Identify the type of tokens to be supported

  2. Define profiles accordingly

  3. Add required YAML configurations.

Currently, three types of resource servers are supported:

  • JWT

  • Opaque Token

    • Opaque Query Param (This is a non-traditional type of Opaque Token required for one of our clients, and it is not used locally).

All of these resource servers share the following common configurations:

oauth2:
  feign:
    client-id: ${modelop.mm.client-id}
    client-secret: ${modelop.mm.client-secret}
    access-token-uri: ${modelop.provider.token-uri}
    scopes: ${modelop.mm.scope}
  group-base-access:
    oauth2-group-claim-name: memberOf
    admin-default-access-group: admin
    default-access-groups: ${oauth2.group-base-access.default-access-group}


JWT RS configurations

JWT RS is straight forward, only jwt profile is required.

spring:
  profile: secured, jwt

  # Oauth2 Resource server PF Configuration
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://authorization.server

oauth2:
  resource-server:
    jwt:
      enduser-claimname: endUserClaimName
      oauth2client-claimname: oauth2ClientName
      scope-claimname: scp
    
    base-conf:
      enduser-claimname: endUserClaimName
      oauth2client-claimname: oauth2ClientName


Opaque token RS configurations

At least one default RS opaque configuration is needed under

spring.security.oauth2.resourceserver.opaque-token , so that related spring OAuth2 dependencies are properly instantiated.

Default configuration example:

spring:
  profile: secured, opaque

  # Oauth2 Resource server PF Configuration
  security:
    oauth2:
      resourceserver:
        opaque-token:
          #Default opaque introspector
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}
          default-client-registration-id: springClientRegistrationId 

default-client-registration-id needs to point to a valid spring client registration id.

Adding additional Opaque RS introspectors:

ModelOp Center is able to handle additional Opaque introspectors for token introspection.

These introspectors can be defined under oauth2.resource-server.opaque:

oauth2:
  resource-server:
    opaque:
      additional-registrations:
        feign: #clientRegistrationId
          client-id: "client-id-one"
          client-secret: "client-secre-onet"
          introspection-uri: "https://oauth2.provider.one/as/introspect.oauth2"

        okta-opaque-rs: #clientRegistrationId
          client-id: "client-id=two"
          client-secret: "client-secret=two"
          introspection-uri: "https://oauth2.provider.two/as/introspect.oauth2"
          

As a rule, each of the additional introspectors defined, need to be mapped with a Spring Client Registration associated with the same clientRegistrationId.

Opaque Query Param

ModelOp Center is able to support and introspect some non-standard OAuth2 idPs. By default ModelOp Center provides an implementation for a Opaque Query Param introspector, that can be defined as:

oauth2:
  # Values for Resource Servers.
  resource-server:
  
    # Specifically opaque-queryparam is for a specific client needs that supports 2 OAuth2 providers at the same time...
    opaque-queryparam:
      queryparam: otoken
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim

  • No labels