Hello Josh, I have been watching you since 2017. You are such an awesome contributor to the Spring community.
Hi Josh, I have a similar key rotation, but what I don't understand is why you would want the KID to stay the same? It appears in the JWT and identifies the JWK to use for decryption. Resource servers hold the entire set and identify the JWK to use based on the KID in the JWT header. On top of that, it makes suspending the particular key and all issued/signed JWTs easy.
Both presentations on Spring Auth Server were magnificent, loved the content and completely understood many concepts. Great job mate. I was wondering if there's any simpler approach regarding key rotation.
Hi - thanks! Here's an example: github.com/spring-tips/spring-authorization-server/tree/main/authorization-server/src/main/java/bootiful/authorizationserver/keys. Basically this example stores keys (encrypted) in a JDBC DataSource and exposes a mechanism - an event - by which to reload the key 🔑
@coffeesoftware thanks mate. Keep it up 💪🏻
Hi Josh, I hope you're doing good. I am a beginner to cloud/OAuth.
Have a question - Can we make Cloud Gateway introspect the opaque tokens, authorise the requests and forward only valid requests to the underlying microservices, without making each microservice a resource server (say I have dozens of microservices under the gateway) that introspects the requests itself?
Thank you, you're very knowledgeable with this stuff, very helpful.
[Note]: I tried to use the Session table file from the classpath of Spring Session JDBC, which contains a Char type, so during session deserialization it failed and I had to use character.
Hi, once again you made a very informative video. Do you have any experience with Spring Authorization Server and Two-Factor Authentication? In what way can I implement this? Can you point me in the right direction? Thanks.
Thanks for watching! We've got at least one prototype of a WebAuthn integration in Spring Security here: github.com/rwinch/spring-security-webauthn
Josh, sadly I missed your livestream, but I was wondering if the client server you just set up handled the whole authorization grant flow automatically, or am I misunderstanding something? Because normally you would have your React or Angular front end application handling the redirects, correct? Or in this case, could/would you supplement your client application with e.g. Thymeleaf?
When using the OAuth2 client login, Spring Security will by default initiate the authorization code flow by redirecting the browser. Like you say, this works for server-side rendered web apps such as Thymeleaf-based apps. For JavaScript frontends you need to handle redirects there. So what you typically do is configure the exception handling in Spring Security to return a 401 status with the Location header set to the redirect URL. Then, when the JavaScript frontend gets a 401 from the API, it just gets the URL from the header and redirects the browser.
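Added example (not from the video, the commenters, or the linked repositories) of the server side of the approach described in the comment above: a Spring Security configuration that answers unauthenticated calls under `/api/**` with a 401 carrying a `Location` header, while ordinary browser navigation keeps the default redirect into the authorization code flow. The registration id `my-client` and the `/api/**` path are assumptions for this example.

```java
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SpaLoginSecurityConfig {

    // Hypothetical registration id; it must match the
    // spring.security.oauth2.client.registration.<id> entry in application.yml.
    private static final String REGISTRATION_ID = "my-client";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Point the frontend at Spring's own authorization-request endpoint
        // (/oauth2/authorization/{registrationId}) so that state, PKCE and
        // redirect_uri are generated by Spring, never assembled in the browser.
        String loginUrl = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
                + "/" + REGISTRATION_ID;

        // Entry point for XHR/fetch callers: no HTML redirect, just a 401 plus a hint.
        // Browsers do not follow a Location header on a 401, which is exactly why
        // it is safe to use it as a hint that the JavaScript code reads itself.
        AuthenticationEntryPoint spaEntryPoint = (request, response, authException) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("Location", loginUrl);
            response.setHeader("Cache-Control", "no-store");
        };

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").authenticated()
                .anyRequest().authenticated())
            // Standard OAuth2 login: handles the callback and the session for everyone.
            .oauth2Login(Customizer.withDefaults())
            .exceptionHandling(ex -> ex
                // Only API calls get the 401 behaviour; plain page requests keep the
                // default 302 into the authorization code flow.
                .defaultAuthenticationEntryPointFor(spaEntryPoint, new AntPathRequestMatcher("/api/**")));
        return http.build();
    }
}
```

On the frontend the matching piece is a fetch wrapper that checks `response.status === 401`, reads `response.headers.get("Location")` and calls `window.location.assign(url)`. This assumes the SPA is served from the same origin as the Spring app; on a cross-origin setup the `Location` header is not readable by JavaScript unless it is listed in `Access-Control-Expose-Headers`.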
@onlyteo I really appreciate your reply teo, thanks a lot. It is still much to take in, but your comment has at least given me insight into how I will be able to solve it. You wouldn't by any chance have an online resource for me to peek at which implements such a frontend application?
Hi, check out github.com/coffee-software-show/the-durable-spring-authorization-server
Awesome video. Like and subscribe. How to donate?
No need to donate but check out start.spring.io :-)
It's very hard to watch your video, the code is not visible properly. Make it beginner-friendly, sir; using an IDE like Eclipse will be easier to understand also. I request you to make a complete video of Spring Security for all the microservices using a gateway.