-
Notifications
You must be signed in to change notification settings - Fork 582
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Configurable OAuth2 login page #5350
base: main
Are you sure you want to change the base?
Conversation
...-web/src/main/java/org/springframework/cloud/common/security/OAuthSecurityConfiguration.java
Outdated
Show resolved
Hide resolved
Hey @onobc - I am not that good in Spring Security configuration, but I thought when I call Other than that the OAuth2 Angular login is working. |
Hi @klopfdreh , |
Thanks a lot! |
Hey @onobc - I think I found a solution - see: klopfdreh#2 The UI already checks the security in the root path. So I adjusted the settings so that the login page is allowed. The with this you can now login without having an impact on other services. But please verify that I did not missed anything. Here are some screenshots what happens:
|
One further good thing to mention is that you still can use the spring-security login page if you want to - I just forgot about this! |
@klopfdreh thanks for the updates. I did not get a chance to get to this yesterday. I will be sure to dedicate some time early this work week to thoroughly review the proposal. Again, thank you for all you do. |
No worries - I am glad to help a bit in my free time. |
fix: Configurable OAuth2 login page security
@onobc - Build is repaired 👍 - I am adjust the skipper to work the same way in SkipperOAuthSecurityConfiguration. |
The last thing I could think about is what The standard spring-security OAuth2 login form also filters for Currently I would stick to this, but this could be improved that the all |
I tested the toggle between
and
both is working now. |
@klopfdreh Thank you for this contribution. |
All right! If there are any further questions just ping me. 👍 |
|
||
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security; | ||
|
||
if (AuthorizationProperties.FRONTEND_LOGIN_URL.equals(this.authorizationProperties.getLoginUrl())) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those security settings need to be checked before merging.
Let me know when you are able to have a look at this change. Might be cool to get a fancy Angular Login page instead of simple text. 😄 |
Resolved the conflicts to integrate the updates for the AboutController. |
@klopfdreh we will need to wait post Thanks for your patience. |
@onobc - just a short reminder - would be nice to have this implemented as we can adjust our CSP settings to not allow any content from the bootstrap CDN anymore 👍 (zero trust) Important hint: A review needs to be done before merging: #5350 (comment) |
Hi @klopfdreh - thanks for the reminder. Not exactly sure when we will get to this but it is on the front burner again w/ your ping :) |
Awesome! 😄 |
c0462f2
to
f0fb797
Compare
@klopfdreh You will probably find the latest snapshot behaving a lot better. |
We are using a custom OAuth2 integration - no Keycloak. Will the new behavior also cover the standard OAuth2 integration as well as the new with realms? That would be very important for us. |
This is why I asked that you test the latest snapshot. It should support all latest spring-security configuration along with the dataflow specific security configuration. |
All right - I try to create a test setup, but this will take a bit. |
I upgraded our parent to <dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dataflow-rest-client</artifactId>
<version>3.0.0-SNAPSHOT</version>
</dependency> corretly. but the classes of the packages I just wanted to remove Edit: I was able to solve it. Was a local problem. When I cleaned the cache it was working like expected: We refactored everything so that schemaTarget is not used any longer. |
When we update to the most recent SNAPSHOT we receive the following error: Caused by: java.lang.ClassNotFoundException: io.fabric8.kubernetes.client.KubernetesClientBuilder
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:592)
at org.springframework.boot.loader.net.protocol.jar.JarUrlClassLoader.loadClass(JarUrlClassLoader.java:107)
at org.springframework.boot.loader.launch.LaunchedClassLoader.loadClass(LaunchedClassLoader.java:91)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
... 28 more We checked the version and in 5.12.4 the class is indeed missing. This is because of kubernetes-fabric8-client.version needs to be > 6.x.x and java-cfenv > 3.3.x Edit: <java-cfenv.version>3.3.0</java-cfenv.version>
<kubernetes-client-bom.version>6.13.4</kubernetes-client-bom.version> |
***************************\nAPPLICATION FAILED TO START\n***************************
Description:
An attempt was made to call a method that does not exist. The attempt was made from the following location:
org.springframework.cloud.dataflow.server.config.DataFlowServerConfiguration.transactionManager(DataFlowServerConfiguration.java:88)
The following method did not exist:
'void org.springframework.boot.autoconfigure.transaction.TransactionManagerCustomizers.customize(org.springframework.transaction.PlatformTransactionManager)'
The calling method's class, org.springframework.cloud.dataflow.server.config.DataFlowServerConfiguration, was loaded from the following location:
jar:nested:/deployments/spring-cloud-data-flow-server-1.0.0-feature-scdf300test-SNAPSHOT-exec.jar/!BOOT-INF/lib/spring-cloud-dataflow-server-core-3.0.0-SNAPSHOT.jar!/org/springframework/cloud/dataflow/server/config/DataFlowServerConfiguration.class
The called method's class, org.springframework.boot.autoconfigure.transaction.TransactionManagerCustomizers, is available from the following locations:
jar:nested:/deployments/spring-cloud-data-flow-server-1.0.0-feature-scdf300test-SNAPSHOT-exec.jar/!BOOT-INF/lib/spring-boot-autoconfigure-3.4.0.jar!/org/springframework/boot/autoconfigure/transaction/TransactionManagerCustomizers.class
The called method's class hierarchy was loaded from the following locations:
org.springframework.boot.autoconfigure.transaction.TransactionManagerCustomizers: jar:nested:/deployments/spring-cloud-data-flow-server-1.0.0-feature-scdf300test-SNAPSHOT-exec.jar/!BOOT-INF/lib/spring-boot-autoconfigure-3.4.0.jar!/
\nAction:
Correct the classpath of your application so that it contains compatible versions of the classes org.springframework.cloud.dataflow.server.config.DataFlowServerConfiguration and org.springframework.boot.autoconfigure.transaction.TransactionManagerCustomizers\n |
The login error I previously mentioned was due to an infra issue on our side - so basically the login is working, but with this weird behavior. This weird in-between page is standard Spring Security behaviour. |
Hey @corneil - I saw you edited my post and responded to me. Does the in-between page also show up if you mix client credential flow and authorization code flow as that is a normal usecase for most of the SCDF customers I think. Like: security:
oauth2:
resourceserver:
opaquetoken:
introspection-uri: '...'
client-id: '...'
client-secret: '...'
client:
registration:
user_login:
provider: user_login
client-id: '...'
client-secret: '...'
client-authentication-method: client_secret_post
redirect-uri: '...'
authorization-grant-type: authorization_code
scope:
- '...'
program_login:
provider: program_login
client-id: '...'
client-secret: '...'
authorization-grant-type: client_credentials
scope:
- ...
provider:
user_login:
token-uri: '...'
user-info-uri: '...'
user-name-attribute: email
authorization-uri: '...'
program_login:
token-uri: '...' Then the in-between page would be shown all the time as the IdP for client credential flow and authorization code flow is always the same. This is required as we login with users to the ui, but also start applications with a technical user via REST-API. |
You might find this out by checking the |
Address the issue: spring-cloud/spring-cloud-dataflow-ui#1887
When OAuth2 is enabled and there are
client-registrations
withauthorization-grand-type
authorization_code
all those are going to be listed within the Angular-Login, now. Also when you logout and login again you are redirected correctly.You can see the appearance here: spring-cloud/spring-cloud-dataflow-ui#1923
❗ There is one issue left I couldn't solve yet. When I fill the
getAuthenticatedPaths()
the loginUrl can be accessed because of to many redirects - even ifthis.authorizationProperties.getPermitAllPaths().add(authorizationProperties.getLoginUrl());
is added. I am going to mark this as a comment.To test OAuth2 locally I used the following configuration (important properties are
login-url: "/dashboard/#/authentication-required"
and the client registrationuser_login
):and in the server I switched to my locally build UI with:
pom.xml in spring-cloud-dataflow-server