ModelOp Center, adheres to the Spring Security Architecture for OAuth2 applications.
The next diagram provides a high level overview of the internal layers.
ModelOp Center supports ServerHttpSecurity configurations as:
OAuth2Login:
Mainly used by the Gateway, handling browser authentication.
ResourceServer:
Jwt:
Token local validations performed by JWKs.
Opaque:
Token validations performed by introspection; through token introspection resolvers ( in case more than one token introspection defined ).
Opaque-QueryParam.
Defining a MicroService as Resource Server (RS):
Identify the type of tokens to be supported
Define profiles accordingly
Add required YAML configurations.
Currently, three types of resource servers are supported:
JWT
Opaque Token
Opaque Query Param (This is a non-traditional type of Opaque Token required for one of our clients, and it is not used locally).
All of these resource servers share the following common configurations:
oauth2:
group-base-access:
oauth2-group-claim-name: memberOf
oauth2:
feign:
client-id: ${modelop.mm.client-id}
client-secret: ${modelop.mm.client-secret}
access-token-uri: ${modelop.provider.token-uri}
scopes: ${modelop.mm.scope}
group-base-access:
oauth2-group-claim-name: memberOf
admin-default-access-group: admin
default-access-groups: ${oauth2.group-base-access.default-access-group}
JWT RS configurations
JWT RS is straight forward, only jwt profile is required.
spring:
profile: secured, jwt
# Oauth2 Resource server PF Configuration
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://authorization.server
oauth2:
resource-server:
jwt:
scope-claimname: scp
base-conf:
enduser-claimname: endUserClaimName
oauth2client-claimname: oauth2ClientName
Opaque token RS configurations
At least one default RS opaque configuration is needed under
spring.security.oauth2.resourceserver.opaque-token , so that related spring OAuth2 dependencies are properly instantiated.
Default configuration example:
spring:
profile: secured, opaque
# Oauth2 Resource server PF Configuration
security:
oauth2:
resourceserver:
opaque-token:
#Default opaque introspector
introspection-uri: ${modelop.mm.introspection-uri}
client-id: ${modelop.mm.client-id}
client-secret: ${modelop.mm.client-secret}
default-client-registration-id: springClientRegistrationId
default-client-registration-id needs to point to a valid spring client registration id.
Adding additional Opaque RS introspectors:
ModelOp Center is able to handle additional Opaque introspectors for token introspection.
These introspectors can be defined under oauth2.resource-server.opaque:
oauth2:
resource-server:
opaque:
additional-registrations:
feign: #clientRegistrationId
client-id: "client-id-one"
client-secret: "client-secre-onet"
introspection-uri: "https://oauth2.provider.one/as/introspect.oauth2"
okta-opaque-rs: #clientRegistrationId
client-id: "client-id=two"
client-secret: "client-secret=two"
introspection-uri: "https://oauth2.provider.two/as/introspect.oauth2"
As a rule, each of the additional introspectors defined, need to be mapped with a Spring Client Registration associated with the same clientRegistrationId.
Opaque Query Param
ModelOp Center is able to support and introspect some non-standard OAuth2 idPs. By default ModelOp Center provides an implementation for a Opaque Query Param introspector, that can be defined as:
oauth2:
# Values for Resource Servers.
resource-server:
# Specifically opaque-queryparam is for a specific client needs that supports 2 OAuth2 providers at the same time...
opaque-queryparam:
queryparam: otoken
introspection-uri: https://authorization.server/rs/validate/AppIdClaim