In looking through dozens of sites advising on this topic, it was super handy hearing him mention deprecated methods and implementations.
I love this guy's channel. He really knows his stuff.
Laur is a great teacher. I learned a lot from him!
How are you generating the code verifier?
What about if I don't want JWT tokens, just like the old way, which is using opaque tokens? Is it possible, especially if the auth server and resource server are in one project? I hope you can have a demo.
Great explanation of OAuth.
I'm a beginner and I'm not really sure how that code_challenge was generated. Can someone explain it?
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;

@Slf4j
@SpringBootApplication
public class Application {
    public static void main(String[] args) throws NoSuchAlgorithmException {
        SpringApplication.run(Application.class, args);
        String codeVerifier = createCodeVerifier();
        log.info("code verifier: " + codeVerifier);
        log.info("code_challenge: " + createCodeChallenge(codeVerifier));
    }
    // S256 method (RFC 7636): code_challenge = base64url(SHA-256(ASCII(code_verifier))), no padding
    private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }
    // 96 random bytes base64url-encoded without padding give a 128-character verifier, the RFC 7636 maximum
    private static String createCodeVerifier() {
        StringKeyGenerator secureKeyGenerator =
                new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
        return secureKeyGenerator.generateKey();
    }
}
Help. It is stateful, isn't it? Because no sessionCreationPolicy configuration is written, like customizer.sessionCreationPolicy(SessionCreationPolicy.STATELESS).
Hi. Can I use a jjwt implementation instead of Nimbus JWT?
Can we have multiple authentication managers configured for different purposes? If yes, then how?
Rename ProviderSettings -> AuthorizationServerSettings
I love this presentation! How do I get the code and files from your presentation?
Does JWT need to be stored on the server?
How does the resource server know this token is from the authorization server? At minute 7:36 the diagram misses this point.
If I am going to use Redis to store token data, how do I create a filter that will fetch the token first from Redis before proceeding with the checking of the JWT? I am planning to use Redis as a cache and PostgreSQL as the DB.
At the POST request I'll always get {"error":"invalid_client"}. Stack Overflow and GitHub show solutions, but only for version 0.2. Does someone have an idea?
Ahh OK, so of course Postman has the role of a public client in this example, and as such the clientAuthenticationMethod has to be ClientAuthenticationMethod.NONE according to the RegisteredClient documentation... So either Mr. Spilca changed it and did not show it, or he used some other trick.
@csvxmlfan3853 The trick is the hidden Authorization tab in Postman. Try adding --header 'Authorization: Basic Y2xpZW50OnNlY3JldA=='
@CSVXML FAN, Víctor Martín is right, you have to pass client_id and client_secret using the Authorization header: in Postman's Authorization tab select 'Basic Auth' in the 'Type' dropdown menu and then type client_id/client_secret in the Username/Password fields that appear.
Please, can someone help me with the "code_challenge"? I need to generate a SHA256 from any string like "anything", and in "code_verifier" I send "anything"?
Same question I have... if you find any solution, please let me know.
Where is the code challenge being maintained in the Spring backend to validate it against the code verifier? If it is in memory, it will cause an issue every time the server is restarted. The authenticated public client might use a non-existent code verifier.
Is it possible, and supported in the current version, to change formLogin to httpBasic?
I loved the part where he mentioned Log4J XD
I am getting an error while using BCryptPasswordEncoder instead of NoOpPasswordEncoder. It says "Encoded password does not look like BCrypt".
Did you fix it? I have the same problem, but I want to use BCryptPasswordEncoder.
@xxxHipHopRap No.
@sadiulhakim7814 I fixed it doing this, if you still need it:
@Bean
public RegisteredClientRepository registeredClientRepository() {
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
RegisteredClient r1 = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("myclient")
.clientSecret(passwordEncoder.encode("secret"))........
Why am I getting this error?
Error creating bean with name 'securityFilterChainAs' defined in class path resource
It is actually the NoClassDefFoundError for OAuth2AuthorizationServerConfiguration; anyone able to help?
OK, Spring changes the version: oauth2-server 0.3.0 will not work with Spring 3.0.0, I needed to change it to version 1.0.1. I don't know what Spring will do tomorrow. :)
Now I follow all the steps, but I get an invalid_request response. Huh, I don't know about this error at all.
I do the same configuration, but when I try to get an access token on /oauth2/token it returns a 404 Not Found exception.
Is your issue resolved?
@kiranjawale8822 Yes, the problem was in the query params and the Authorization header.
Dude speaks like a MACHINE (nvm, I had it on 1.25x)
🤣🤣
Helped me a lot, thank you.
Thanks!
the best
amazing
Is this the norm in actual development?
Can anyone tell me how I can generate my own code challenge?
I got the answer. It's totally PKCE. We can get it online and generate our own PKCE code.
@jafajarvis324 Hey, could you clarify how? It'll be really helpful, thanks.
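The code_challenge questions in this thread (sending "anything" as the verifier, how the challenge is generated, and where the server keeps it) all come down to RFC 7636, which is language-independent. The following is an added example, not code from the video or from Spring Authorization Server, that shows both sides: the client derives code_challenge from a random code_verifier with S256, and the token endpoint later recomputes the challenge from the presented verifier and compares it with the one stored next to the authorization code (in the video's in-memory setup those stored authorizations disappear on restart, which is why a code issued before the restart can no longer be redeemed). It also builds the client_secret_basic header that resolves the invalid_client error above; the header for client "client" / secret "secret" is the one quoted in the Postman reply. The redirect URI and authorization code in the demo are constructed values, not from the page.

```python
"""PKCE (RFC 7636) verifier/challenge round trip and the client_secret_basic
header. Added illustration; not code from the video or from Spring."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Allowed code_verifier alphabet and length (RFC 7636 section 4.1).
VERIFIER_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
MIN_LEN, MAX_LEN = 43, 128


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, the encoding PKCE requires."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh random verifier; 32 bytes -> 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the value sent as code_challenge on /oauth2/authorize."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # defined by the RFC, but it exposes the verifier itself
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str, presented: str) -> bool:
    """Server side, at the token endpoint. The challenge and method were saved
    with the authorization code at authorize time; recompute from the presented
    verifier and compare in constant time. A short or malformed verifier such as
    "anything" is rejected before any hashing."""
    if not MIN_LEN <= len(presented) <= MAX_LEN:
        return False
    if not VERIFIER_CHARS.issuperset(presented):
        return False
    try:
        expected = make_code_challenge(presented, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Authorization header for a confidential client (RFC 6749 section 2.3.1);
    id and secret are form-url-encoded before being joined and base64-encoded."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def token_request(code: str, redirect_uri: str, verifier: str) -> dict:
    """Form body for the authorization_code exchange. With client_secret_basic the
    client credentials travel in the Authorization header, not in this body."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("code_verifier :", v)
    print("code_challenge:", c)
    # "client"/"secret" match the header quoted in the thread; the code and
    # redirect URI below are constructed sample values.
    print(client_secret_basic_header("client", "secret"))
    print(token_request("constructed-auth-code", "http://localhost:8080/authorized", v))
    print("generated verifier accepted:", verify_code_verifier(c, "S256", v))
    print("'anything' accepted:", verify_code_verifier(c, "S256", "anything"))
```

Run it once to see a verifier/challenge pair; the verifier is what goes in code_verifier at the token endpoint and the challenge is what went in code_challenge (with code_challenge_method=S256) at the authorize endpoint. The server never needs the verifier up front, only the challenge it stored, so a restart that wipes the in-memory authorization store invalidates the outstanding code, not the client's verifier.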
Can this example be used in actual development? A friend of mine said that this example has drawbacks: after the server restarts, everyone will be disconnected. Is that true?
It can't be used; for actual development you would probably want to use a DB instead of the in-memory solution.
@Rendell Jay Eyas No, but it should be pretty easy, just read the documentation.
@Rendell Jay Eyas Check the speaker's channel. It has an ongoing playlist on the subject.
In version 0.3.0, is the password grant supported?