
ModelOp Center adheres to the Spring Security architecture for OAuth2 applications.

The diagram below provides a high-level overview of the internal layers.

ModelOp Center supports the following ServerHttpSecurity configurations:

  • OAuth2Login:

    • Used mainly by the Gateway to handle interactive (browser) authentication.

  • ResourceServer:

    • Jwt:

      • Tokens are validated locally: the signature is checked against the issuer's JWKs (JSON Web Keys), so no call to the authorization server is made per request.

    • Opaque:

      • Tokens are validated remotely by introspection; when more than one introspection endpoint is defined, a token introspection resolver decides which one(s) to ask.

      • Opaque-QueryParam: a non-standard introspection variant in which the token is sent as a query parameter (see below).


Defining a microservice as a Resource Server (RS):

  1. Identify the type of tokens the service must accept.

  2. Define the Spring profiles accordingly.

  3. Add the required YAML configuration.

Currently, three types of resource servers are supported:

  • JWT

  • Opaque Token

    • Opaque Query Param (a non-standard variant of the opaque token RS, built for one specific client; it is not used locally).

All three resource server types share the following common configuration:

oauth2:
  # OAuth2 client settings used for outbound (Feign) calls to other services
  feign:
    client-id: ${modelop.mm.client-id}
    client-secret: ${modelop.mm.client-secret}
    access-token-uri: ${modelop.provider.token-uri}
    scopes: ${modelop.mm.scope}
  # Maps a group claim carried in the token to ModelOp access groups
  group-base-access:
    oauth2-group-claim-name: memberOf           # claim listing the caller's groups
    admin-default-access-group: admin           # membership of this group grants admin access
    default-access-groups: ${oauth2.group-base-access.default-access-group}


JWT RS configurations

The JWT RS is straightforward: only the jwt profile (alongside secured) is required.

spring:
  profiles:
    active: secured, jwt

  # OAuth2 Resource Server PF Configuration
  security:
    oauth2:
      resourceserver:
        jwt:
          # Issuer of the accepted tokens. The JWKs used for local signature
          # validation are discovered from this issuer, and the token's iss
          # claim must match it.
          issuer-uri: https://authorization.server

oauth2:
  resource-server:
    jwt:
      scope-claimname: scp                        # claim holding the token's scopes

    base-conf:
      enduser-claimname: endUserClaimName         # claim identifying the end user
      oauth2client-claimname: oauth2ClientName    # claim identifying the OAuth2 client
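
What the jwt profile does with the settings above is easiest to see in code. The Go program below is an added example written for this page, not ModelOp's code and not Spring Security's implementation: it selects the signing key by the token's kid from a JWKS document, verifies the RS256 signature before trusting any claim, checks iss against issuer-uri and exp against the clock, and then maps the scp claim and the memberOf group claim (with admin-default-access-group) into a principal. The Config, JWK and Principal types, the key id k1, the claim values and the SignRS256 helper (which only stands in for the authorization server) are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the RFC 7517 fields needed to rebuild an RSA public key from the issuer's jwks_uri document.
type JWK struct{ Kid, N, E string }

// Config mirrors the YAML above: issuer-uri, scope-claimname, oauth2-group-claim-name and admin-default-access-group.
type Config struct{ IssuerURI, ScopeClaim, GroupClaim, AdminGroup string }
type Principal struct {
	Scopes, Groups []string
	IsAdmin        bool
}

var enc = base64.RawURLEncoding

// JWKSFromRSA publishes a key the way an authorization server's jwks_uri does (example helper).
func JWKSFromRSA(kid string, pub *rsa.PublicKey) []JWK {
	return []JWK{{kid, enc.EncodeToString(pub.N.Bytes()), enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}

// lookupKey selects the signing key by kid; a malformed entry is skipped, so the token fails closed.
func lookupKey(jwks []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid != kid || errN != nil || errE != nil {
			continue
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no usable key with kid %q in JWKS", kid)
}

// SignRS256 stands in for the authorization server that mints tokens (example helper, assumed).
func SignRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + enc.EncodeToString(sig)
}

// ValidateJWT is the local check a JWT resource server performs: alg pinned to RS256, key chosen by
// kid, signature verified before any claim is trusted, then iss and exp, then claims mapped to groups.
func ValidateJWT(token string, jwks []JWK, cfg Config, now time.Time) (*Principal, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed header or unsupported alg") // alg=none and HMAC key-confusion headers stop here
	}
	pub, err := lookupKey(jwks, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]any // decoded only now that the signature is known to be good
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	exp, _ := claims["exp"].(float64) // a missing exp becomes 0, i.e. already expired
	if claims["iss"] != cfg.IssuerURI || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("issuer mismatch, exp missing or token expired")
	}
	p := &Principal{Scopes: stringList(claims[cfg.ScopeClaim]), Groups: stringList(claims[cfg.GroupClaim])}
	for _, g := range p.Groups {
		p.IsAdmin = p.IsAdmin || g == cfg.AdminGroup
	}
	return p, nil
}

// stringList converts an array claim such as scp or memberOf into []string (a missing claim yields nil).
func stringList(v any) (out []string) {
	arr, _ := v.([]any)
	for _, s := range arr {
		out = append(out, fmt.Sprint(s))
	}
	return out
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	cfg := Config{IssuerURI: "https://authorization.server", ScopeClaim: "scp", GroupClaim: "memberOf", AdminGroup: "admin"}
	claims := map[string]any{"iss": cfg.IssuerURI, "sub": "alice", "exp": time.Now().Add(time.Minute).Unix(), "scp": []string{"model.read"}, "memberOf": []string{"admin"}}
	p, err := ValidateJWT(SignRS256("k1", priv, claims), JWKSFromRSA("k1", &priv.PublicKey), cfg, time.Now())
	fmt.Printf("%+v %v\n", p, err)
}
```

Two things the YAML hides are visible here: the verifier pins the algorithm instead of reading it from the token, so an alg=none or HS256 header is rejected before any key lookup, and claims are decoded only after the signature check, so a tampered scp or memberOf never reaches the group mapping. A real resource server additionally caches the JWKS fetched from the issuer's jwks_uri and refreshes it on an unknown kid, which is how key rotation works without a restart.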


Opaque token RS configurations

At least one default opaque RS configuration is needed under spring.security.oauth2.resourceserver.opaque-token, so that the related Spring OAuth2 beans are instantiated.

Default configuration example:

spring:
  profiles:
    active: secured, opaque

  # OAuth2 Resource Server PF Configuration
  security:
    oauth2:
      resourceserver:
        opaque-token:
          # Default opaque introspector: the introspection endpoint and the
          # client credentials used to authenticate to it
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}
          default-client-registration-id: springClientRegistrationId

default-client-registration-id must reference a valid Spring client registration id (an entry under spring.security.oauth2.client.registration).

Adding additional Opaque RS introspectors:

ModelOp Center can use additional opaque introspectors for token introspection, for example when tokens from more than one provider must be accepted.

These introspectors can be defined under oauth2.resource-server.opaque:

oauth2:
  resource-server:
    opaque:
      additional-registrations:
        feign:                  # clientRegistrationId
          client-id: "client-id-one"
          client-secret: "client-secret-one"
          introspection-uri: "https://oauth2.provider.one/as/introspect.oauth2"

        okta-opaque-rs:         # clientRegistrationId
          client-id: "client-id-two"
          client-secret: "client-secret-two"
          introspection-uri: "https://oauth2.provider.two/as/introspect.oauth2"


As a rule, each additional introspector must be mapped to a Spring client registration with the same clientRegistrationId (the key under additional-registrations: feign and okta-opaque-rs above).

Opaque Query Param

ModelOp Center can also introspect tokens issued by some non-standard OAuth2 IdPs. Out of the box it provides an Opaque Query Param introspector, which sends the token to the introspection-uri as the named query parameter instead of in the standard introspection request body. It is configured as:

oauth2:
  # Values for Resource Servers.
  resource-server:

    # opaque-queryparam covers one client's need to support two OAuth2 providers at the same time
    opaque-queryparam:
      queryparam: otoken                 # name of the query parameter carrying the token
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim
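
The three opaque configurations above (the default introspector, the additional-registrations entries and the opaque-queryparam block) come together at runtime in a token introspection resolver. The Go program below is an added example written for this page, not ModelOp's code and not Spring Security's implementation: the Registration type, the order in which Resolve tries providers, the fakeProvider test doubles, the registration ids springClientRegistrationId, okta-opaque-rs and opaque-queryparam, and the token values are all assumptions made for the example. It shows the two wire formats side by side: an RFC 7662 POST with the token in the form body and HTTP Basic client credentials, and the non-standard GET with the token in the otoken query parameter.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Registration is one introspector: the default opaque-token block, an additional-registrations entry,
// or the opaque-queryparam block (QueryParam set). This is the example's own type, not ModelOp's.
type Registration struct {
	ID, ClientID, ClientSecret, IntrospectionURI, QueryParam string
}

// Introspect asks the provider about one opaque token. Standard registrations POST token=<opaque> with
// HTTP Basic client credentials (RFC 7662); the query-param variant sends GET <uri>?<QueryParam>=<token>.
func (r Registration) Introspect(token string) (map[string]any, error) {
	var req *http.Request
	var err error
	if r.QueryParam != "" { // non-standard: the token travels in the URL (assumes the URI has no query string yet)
		req, err = http.NewRequest(http.MethodGet, r.IntrospectionURI+"?"+url.Values{r.QueryParam: {token}}.Encode(), nil)
	} else { // RFC 7662: token in the form body, client authenticated with HTTP Basic
		req, err = http.NewRequest(http.MethodPost, r.IntrospectionURI, strings.NewReader(url.Values{"token": {token}}.Encode()))
		if err == nil {
			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
			req.SetBasicAuth(r.ClientID, r.ClientSecret)
		}
	}
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: introspection endpoint returned HTTP %d", r.ID, resp.StatusCode)
	}
	var out map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, fmt.Errorf("%s: bad introspection response: %w", r.ID, err)
	}
	return out, nil
}

// Resolve is the resolver the page mentions: it tries the default registration first, then each additional
// one, and accepts the first active=true answer. active=false from one provider is not final, because the
// token may belong to another provider; transport and HTTP errors are collected and reported together.
func Resolve(regs []Registration, token string) (string, map[string]any, error) {
	var errs []error
	for _, reg := range regs {
		resp, err := reg.Introspect(token)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if active, _ := resp["active"].(bool); active {
			return reg.ID, resp, nil
		}
	}
	return "", nil, errors.Join(append(errs, errors.New("token not active at any registered introspector"))...)
}

// fakeProvider is a constructed stand-in for a provider's introspection endpoint. With queryParam empty it
// behaves like an RFC 7662 endpoint and checks the Basic credentials; otherwise it reads the token from the
// query string, like the non-standard provider the opaque-queryparam profile exists for.
func fakeProvider(validToken, clientID, clientSecret, queryParam string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var token string
		if queryParam != "" {
			token = r.URL.Query().Get(queryParam)
		} else if u, p, ok := r.BasicAuth(); !ok || u != clientID || p != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			return
		} else {
			token = r.FormValue("token")
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]any{"active": token == validToken, "sub": "svc-account", "scope": "model.read"})
	}))
}

func main() {
	one := fakeProvider("tok-one", "client-id-one", "client-secret-one", "")
	two := fakeProvider("tok-two", "client-id-two", "client-secret-two", "")
	qp := fakeProvider("tok-qp", "", "", "otoken")
	defer one.Close()
	defer two.Close()
	defer qp.Close()
	regs := []Registration{
		{ID: "springClientRegistrationId", ClientID: "client-id-one", ClientSecret: "client-secret-one", IntrospectionURI: one.URL + "/as/introspect.oauth2"},
		{ID: "okta-opaque-rs", ClientID: "client-id-two", ClientSecret: "client-secret-two", IntrospectionURI: two.URL + "/as/introspect.oauth2"},
		{ID: "opaque-queryparam", QueryParam: "otoken", IntrospectionURI: qp.URL + "/rs/validate/AppIdClaim"},
	}
	id, claims, err := Resolve(regs, "tok-qp") // only the query-param provider knows this token
	fmt.Println(id, claims, err)
}
```

Two caveats are worth knowing before enabling several introspectors. Resolution by trial sends the presented token to every registered provider until one accepts it, so a token issued by provider two is disclosed to provider one, and the registration order decides which provider sees it first. The query-param variant puts the bearer token in the URL, where proxies and access logs on both ends record it, which is the practical reason it stays limited to the one client that needs it. The example uses http.DefaultClient for brevity; a service should use a client with a timeout so that one unresponsive provider cannot stall every request.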
