1
votes

We are trying to use spring-security-oauth2-client version 5.3.0.RELEASE with the client-credentials flow. We want to use it purely on the client side; all endpoints, such as the actuators, should not be secured at all.

Basically we have the client credentials added like this:

spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            authorization-grant-type: client_credentials
            client-id: foo
            client-secret: bar
            provider: my-provider
        provider:
          my-provider:
            tokenUri: http://token.uri/

Our interceptor looks as follows:

import static org.springframework.security.core.authority.AuthorityUtils.createAuthorityList

import org.springframework.http.HttpRequest
import org.springframework.http.client.ClientHttpRequestExecution
import org.springframework.http.client.ClientHttpRequestInterceptor
import org.springframework.http.client.ClientHttpRequestInterceptor
import org.springframework.http.client.ClientHttpResponse
import org.springframework.security.authentication.AnonymousAuthenticationToken
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager

// RestTemplate interceptor: asks the OAuth2AuthorizedClientManager for a
// client_credentials token (the manager caches and renews it) and sends it
// as a Bearer header on every outgoing request.
class OAuth2AuthorizedClientInterceptor implements ClientHttpRequestInterceptor {

  OAuth2AuthorizedClientManager manager
  // registration id from spring.security.oauth2.client.registration (e.g. "my-client"),
  // not the OAuth2 client-id sent to the token endpoint
  String clientId
  // client_credentials has no end user, so a fixed anonymous principal is used
  // as the key under which the manager stores the authorized client
  AnonymousAuthenticationToken PRINCIPAL = new AnonymousAuthenticationToken("key", "anonymous", createAuthorityList("ROLE_ANONYMOUS"))

  OAuth2AuthorizedClientInterceptor(OAuth2AuthorizedClientManager manager, String clientId) {
    this.manager = manager
    this.clientId = clientId
  }

  @Override
  ClientHttpResponse intercept(
      HttpRequest request, byte[] body, ClientHttpRequestExecution execution)
      throws IOException {
    OAuth2AuthorizeRequest authorizedRequest = OAuth2AuthorizeRequest
        .withClientRegistrationId(clientId)
        .principal(PRINCIPAL)
        .build()
    // returns null if the registration is unknown or the grant is not supported
    OAuth2AuthorizedClient authorizedClient = this.manager.authorize(authorizedRequest)
    if (!authorizedClient?.accessToken?.tokenValue) {
      throw new IllegalArgumentException("No access token for client '${clientId}'")
    }
    request.headers.setBearerAuth(authorizedClient.accessToken.tokenValue)
    return execution.execute(request, body)
  }
}

It is a Spring Boot service and includes the spring-boot-autoconfigure dependency in version 2.2.5.RELEASE. The client functionality works fine, but we run into the problem that the actuator endpoints are not free to access anymore, but are secured with OAuth as well.

This is confusing, as we just included the spring-security-oauth2-client dependency and not the resource-server dependencies.

We found this Adapter. We are not sure if this is the only place adding security on the server side, but to disable the security we had to add the following configuration:

import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
import org.springframework.boot.autoconfigure.security.SecurityProperties
import org.springframework.context.annotation.Configuration
import org.springframework.core.annotation.Order
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.util.StringUtils

// Filter chain for /actuator/** only: health, info and prometheus are open,
// every other actuator endpoint needs HTTP Basic with ROLE_ACTUATOR.
@Configuration
@Order(1)
class ManagedEndpointsAuthenticationConfig extends WebSecurityConfigurerAdapter {

  private static final String NOOP_PASSWORD_PREFIX = "{noop}"

  @Autowired
  SecurityProperties properties

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/actuator/**")
        .authorizeRequests()
        .requestMatchers(EndpointRequest.to("info")).permitAll()
        .requestMatchers(EndpointRequest.to("health")).permitAll()
        .requestMatchers(EndpointRequest.to("prometheus")).permitAll()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
        .and()
        .httpBasic()
  }

  // in-memory user taken from spring.security.user.*; {noop} means the
  // configured password is compared as plain text (no hashing)
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    SecurityProperties.User user = properties.getUser()
    List<String> roles = user.getRoles()
    auth.inMemoryAuthentication()
        .withUser(user.name)
        .password(NOOP_PASSWORD_PREFIX + user.password)
        .roles(StringUtils.toStringArray(roles))
  }
}

This feels like an odd hack to us, as we just want OAuth2 on the client side. Therefore the question: how can I use OAuth2 with Spring Security JUST on the client side?


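Added example, not code from the question or from either answer: a Java configuration that keeps OAuth2 on the client side only. Defining your own `WebSecurityConfigurerAdapter` makes Spring Boot's auto-configured adapters back off, including the OAuth2 client one that requires authentication on every request and switches on `oauth2Login()`, which is what turns the actuator endpoints into OAuth-protected ones. The class also wires an `OAuth2AuthorizedClientManager` for the client_credentials grant, so the interceptor from the question has something to call. The class name, the bean names and the registration id `my-client` are assumptions; `OAuth2AuthorizedClientInterceptor` is assumed to be the class posted in the question, in the same package.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.web.client.RestTemplate;

// Example configuration (assumed class name): OAuth2 as a client only.
@Configuration
public class ClientOnlyOAuth2Config extends WebSecurityConfigurerAdapter {

    // Registration id from spring.security.oauth2.client.registration (assumed "my-client").
    private static final String REGISTRATION_ID = "my-client";

    // Because a WebSecurityConfigurerAdapter bean now exists, Boot's default
    // adapter and its OAuth2 client adapter (anyRequest().authenticated() plus
    // oauth2Login()) are not created. Inbound requests are not authenticated.
    // CSRF protection is deliberately left on; see the note below.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll();
    }

    // Manager for the client_credentials grant. The "service" variant does not
    // need an HttpServletRequest, so it works from interceptors, schedulers and
    // other non-request code. ClientRegistrationRepository and
    // OAuth2AuthorizedClientService are still auto-configured by Boot from the
    // spring.security.oauth2.client.* properties.
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService authorizedClients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // RestTemplate that attaches the Bearer token obtained for "my-client".
    // OAuth2AuthorizedClientInterceptor is the class from the question (assumed in this package).
    @Bean
    public RestTemplate oauth2RestTemplate(OAuth2AuthorizedClientManager manager) {
        RestTemplate rest = new RestTemplate();
        rest.getInterceptors().add(new OAuth2AuthorizedClientInterceptor(manager, REGISTRATION_ID));
        return rest;
    }
}
```

`permitAll()` removes authentication but keeps CSRF protection, so state-changing actuator calls (POST to loggers, shutdown, and so on) are still rejected without a CSRF token; disable `csrf()` only if nothing but machine clients talk to this service. Which actuator endpoints are reachable at all is better controlled with `management.endpoints.web.exposure.include` than with the filter chain, since an open filter chain exposes whatever is enabled there (env, heapdump, threaddump). Note also that the `tokenUri` in the question is plain `http://`, so the client secret and the issued tokens cross the network unencrypted; a real token endpoint should be `https://`.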
2 Answers

-1
votes

What about just:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Own adapter: every request is allowed, Boot's default adapter is not applied
@Configuration
@EnableWebSecurity
class ManagedEndpointsAuthenticationConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().permitAll();
  }
}
-1
votes

The Spring Boot 2 migration guide suggests something like what you did:

https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide#actuator-security

But I used another approach, with a dependency that has configuration for both the OAuth server and the OAuth client. It works for me:

Maven dependency:

<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.3.3.RELEASE</version>
</dependency>

Configuration file:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;

// Legacy spring-security-oauth2 client: OAuth2RestTemplate fetches and
// caches the client_credentials token itself, no interceptor needed.
@Configuration
public class OAuth2RestTemplateConfig {

    @Bean
    protected OAuth2ProtectedResourceDetails resource() {
        ClientCredentialsResourceDetails resource = new ClientCredentialsResourceDetails();
        resource.setAccessTokenUri("https://oauth.server/oauth2/token");
        resource.setClientId("foo");
        resource.setClientSecret("bar");
        // already the default for ClientCredentialsResourceDetails, set explicitly here
        resource.setGrantType("client_credentials");
        return resource;
    }

    @Bean
    public OAuth2RestOperations oAuth2RestTemplate() {
        AccessTokenRequest atr = new DefaultAccessTokenRequest();
        return new OAuth2RestTemplate(resource(), new DefaultOAuth2ClientContext(atr));
    }
}

To use it, just do:

@Autowired
private OAuth2RestOperations restOperations;