Spring security 6.0 - oauth2Login with MS Azure and CSRF token - how to login there in Postman?

By -

I'm beginner in Spring Security configuration and my purpose is set 2 things:

  1. CSRF token
  2. Authorization by Microsoft Azure

Firstly I've added oauth client in properties:

spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/${id}/v2.0
spring.security.oauth2.client.registration.azure-dev.provider=azure
spring.security.oauth2.client.registration.azure-dev.client-id=${clientId}
spring.security.oauth2.client.registration.azure-dev.client-secret=${secret}
spring.security.oauth2.client.registration.azure-dev.scope=openid,email,profile

And all my GET endpoints started proxy my requests to Microsoft Login page -> after login all GET endpoints are available.

So I created security config:

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authz -> authz
                        .requestMatchers("/").permitAll()
                        .requestMatchers("/oauth2/authorization/azure-dev").permitAll()
                        .requestMatchers("/login").permitAll()
                        .requestMatchers(HttpMethod.POST, "/logout").permitAll()
                        .requestMatchers( "/api/v1/**").authenticated()
                        .requestMatchers(HttpMethod.POST, "/api/v1/**").authenticated()
                        .requestMatchers(HttpMethod.PUT, "/api/v1/**").authenticated()
                )
                .csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer
                        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
                .logout(l -> l
                        .logoutSuccessUrl("/")
                        .logoutRequestMatcher(new AntPathRequestMatcher("/logout")))
                .oauth2Login(Customizer.withDefaults());

        return http.build();
    }
}

Option withHttpOnlyFalse should add CSRF token to headers automatically, but I couldn't find it in GET requests, but it probably will be add only to POST/PUT/DELETE requests. Then I tried to send some requests from Postman, but it's secured under Microsoft Azure login, and response is always:

<html dir="ltr" class="" lang="en">
<head>
    <title>Sign in to your account</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
    <meta http-equiv="Pragma" content="no-cache">
    (...)

So it's HTML to login page, but I can't open it, or handle (in browser after log in one time - I have access all the time to all requests). Again, I can't find any header/cookie which auth me in browser (to paste it in postman).

  1. Where is this oAuth2 key, after login to Microsoft in Browser? I want to copy it to postman (I even tried to get it from OAuth2AuthorizedClient authorizedClient with authorizedClient.getAccessToken().getTokenValue(), and there was value, but this token doesn't work in postman -> it still returns microsoft HTML page).
  2. Is spring security configured correctly in your opinion?
  3. I'm wondering how to auth with this login page and csrf tokens from frontend, if I can't find any tokens in browser? Should I create some special endpoint (in Spring app)?


Comments

Post a Comment

Popular posts from this blog

Today Walkin 14th-Sept

By -
Image
14th Sept 2017 ( GO Through all List) Read Walkin details properly , Try to call company before attending if possible !!! ==================================== 1. Myntra through fresherworld (Call Based , Venue shared to shortlisted candidates) _____________________________ 2. Magna : Hiring for Client Harman : C++
Read more

Spring Elasticsearch Operations

By -
Elasticsearch Operations Spring Data Elasticsearch uses two interfaces to define the operations that can be called against an Elasticsearch index. These are ElasticsearchOperations and ReactiveElasticsearchOperations. Whereas the first is used with the classic synchronous implementations, the second one uses reactive infrastructure. The default implementations of the interfaces offer: Read/Write mapping support for domain types. A rich query and criteria api. Resource management and Exception translation. ElasticsearchTemplate The ElasticsearchTemplate is an implementation of the ElasticsearchOperations interface using the Transport Client. @Configuration public class TransportClientConfig extends ElasticsearchConfigurationSupport {   @Bean   public Client elasticsearchClient() throws UnknownHostException {                      Settings settings = Settings.builder().put("cluster.name", "elasticsearch")....
Read more

Hibernate Search - Elasticsearch with JSON manipulation

By -
Elasticsearch with JSON manipulation Elasticsearch ships with many features. It is possible that at some point, one feature you need will not be exposed by the Search DSL. To work around such limitations, Hibernate Search provides ways to: Transform the HTTP request sent to Elasticsearch for search queries. Read the raw JSON of the HTTP response received from Elasticsearch for search queries. Direct changes to the HTTP request may conflict with Hibernate Search features and be supported differently by different versions of Elasticsearch. Similarly, the content of the HTTP response may change depending on the version of Elasticsearch, depending on which Hibernate Search features are used, and even depending on how Hibernate Search features are implemented. Thus, features relying on direct access to HTTP requests or responses cannot be guaranteed to continue to work when upgrading Hibernate Search, even for micro upgrades (x.y.z to x.y.(z+1)). Use this at your own risk....
Read more