ModelOp Center adheres to the Spring Security architecture for OAuth2 applications.
The next diagram provides a high-level overview of the internal layers.
ModelOp Center supports the following ServerHttpSecurity configurations:
- OAuth2Login: used mainly by the Gateway to handle browser authentication.
- ResourceServer:
  - Jwt: tokens are validated locally against the provider's JWKs.
  - Opaque: tokens are validated by introspection, through token introspection resolvers when more than one token introspection endpoint is defined.
  - Opaque-QueryParam.
Defining a microservice as a Resource Server (RS):
1. Identify the type of tokens to be supported.
2. Define profiles accordingly.
3. Add the required YAML configuration.
Currently, three types of resource servers are supported:
- JWT
- Opaque Token
- Opaque Query Param (a non-traditional type of Opaque Token required by one of our clients; it is not used locally).
All of these resource servers share the following common configuration:
oauth2:
  feign:
    client-id: ${modelop.mm.client-id}
    client-secret: ${modelop.mm.client-secret}
    access-token-uri: ${modelop.provider.token-uri}
    scopes: ${modelop.mm.scope}
  group-base-access:
    oauth2-group-claim-name: memberOf
    admin-default-access-group: admin
    default-access-groups: ${oauth2.group-base-access.default-access-group}
JWT RS configuration
JWT RS is straightforward: only the jwt profile is required.
spring:
  profile: secured, jwt
  # OAuth2 Resource Server PF configuration
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://authorization.server
oauth2:
  resource-server:
    jwt:
      scope-claimname: scp
    base-conf:
      enduser-claimname: endUserClaimName
      oauth2client-claimname: oauth2ClientName
Opaque token RS configuration
At least one default RS opaque configuration is needed under spring.security.oauth2.resourceserver.opaque-token, so that the related Spring OAuth2 dependencies are properly instantiated.
Default configuration example:
spring:
  profile: secured, opaque
  # OAuth2 Resource Server PF configuration
  security:
    oauth2:
      resourceserver:
        opaque-token:
          # Default opaque introspector
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}
          default-client-registration-id: springClientRegistrationId
default-client-registration-id must point to a valid Spring client registration id.
Adding additional Opaque RS introspectors:
ModelOp Center can use additional Opaque introspectors for token introspection. These introspectors are defined under oauth2.resource-server.opaque:
oauth2:
  resource-server:
    opaque:
      additional-registrations:
        feign: # clientRegistrationId
          client-id: "client-id-one"
          client-secret: "client-secret-one"
          introspection-uri: "https://oauth2.provider.one/as/introspect.oauth2"
        okta-opaque-rs: # clientRegistrationId
          client-id: "client-id-two"
          client-secret: "client-secret-two"
          introspection-uri: "https://oauth2.provider.two/as/introspect.oauth2"
As a rule, each additional introspector must be mapped to a Spring client registration with the same clientRegistrationId.
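The two rules above (default-client-registration-id must be a valid registration, and every additional introspector must have a client registration with the same id) are easy to get wrong when a registration is renamed. The following added check is a constructed example, not ModelOp Center code; the dicts are the loaded form of the YAML fragments on this page with literal values in place of the ${...} placeholders, and "okta-opaque-rs" is deliberately left out of the client registrations so the check reports it.

```python
# Constructed example (not ModelOp Center code): the loaded form of the YAML above,
# with literal values standing in for the ${...} placeholders.
from typing import Dict, List

# spring.security.oauth2.resourceserver.opaque-token (the default introspector)
DEFAULT_INTROSPECTOR = {
    "introspection-uri": "https://authorization.server/as/introspect.oauth2",
    "client-id": "mm-client-id",
    "client-secret": "mm-client-secret",
    "default-client-registration-id": "springClientRegistrationId",
}
# oauth2.resource-server.opaque.additional-registrations
ADDITIONAL_INTROSPECTORS = {
    "feign": {"client-id": "client-id-one", "client-secret": "client-secret-one",
              "introspection-uri": "https://oauth2.provider.one/as/introspect.oauth2"},
    "okta-opaque-rs": {"client-id": "client-id-two", "client-secret": "client-secret-two",
                       "introspection-uri": "https://oauth2.provider.two/as/introspect.oauth2"},
}
# spring.security.oauth2.client.registration; "okta-opaque-rs" is deliberately
# missing so that the check below reports it.
CLIENT_REGISTRATIONS = {
    "springClientRegistrationId": {"client-id": "mm-client-id"},
    "feign": {"client-id": "client-id-one"},
}

REQUIRED = ("client-id", "client-secret", "introspection-uri")


def check_opaque_config(default: Dict, additional: Dict, registrations: Dict) -> List[str]:
    """Return the problems found; an empty list means the introspector config is consistent."""
    problems: List[str] = []
    # Every introspector needs complete credentials and an HTTPS introspection endpoint.
    for name, cfg in [("default opaque-token", default)] + list(additional.items()):
        for key in REQUIRED:
            if not cfg.get(key):
                problems.append(f"{name}: missing '{key}'")
        if not str(cfg.get("introspection-uri", "")).startswith("https://"):
            problems.append(f"{name}: introspection-uri must use https")
    # Rule from the page: each registration id must resolve to a Spring client registration.
    default_id = default.get("default-client-registration-id")
    if default_id not in registrations:
        problems.append(f"default-client-registration-id '{default_id}' has no client registration")
    for reg_id in additional:
        if reg_id not in registrations:
            problems.append(f"additional introspector '{reg_id}' has no client registration")
    return problems
```

Run it against the dicts as given and it reports the missing "okta-opaque-rs" registration; adding that entry to CLIENT_REGISTRATIONS clears the report.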
Opaque Query Param
ModelOp Center can support and introspect some non-standard OAuth2 IdPs. By default, ModelOp Center provides an implementation of an Opaque Query Param introspector, which is configured as:
oauth2:
  # Values for Resource Servers.
  resource-server:
    # opaque-queryparam covers a specific client's need to support two OAuth2 providers at the same time.
    opaque-queryparam:
      queryparam: otoken
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim