Enable CORS in Authorization Server for Secure Access Tokens by Public Clients

Captions
Hi everyone, welcome to Java Rush. Let's continue building the authorization server. In the previous video we have seen how to implement the access token in the authorization server, and we have tested that implementation using the confidential client, and that confidential client was built in this playlist only, in the initial videos. In the initial videos we have created a public client as well. Now in this video we want to connect that public client to this authorization server.

In the previous video we were running both applications, the authorization server and the confidential client, on the same machine, so they were both running on localhost but with a different domain name: the authorization server was running on localhost and the confidential client was running on 127.0.0.1. So that is one way to separate the applications which are running on the same machine, and we did that because we want to separate their cookies or session. Now in this video as well we want to do that, but I will show you another way by which you can do that.

Now let's say we want to run our authorization server on some other domain, let's say authorizationserver.com. But if you do that it won't work, obviously, because your authorization server is not hosted there. But let's say you want to tell your computer that whenever some request goes to authorizationserver it should go to your authorization server which is running on localhost. You can tell your computer to do that using a file which is called the hosts file. So in macOS and Linux the file will mostly be under the /etc directory, but you can search on the internet for how to do that. So I will just open that. We need sudo privilege in order to edit that file, so I will open that file: sudo /etc/hosts. Sorry, I want to open the file in the editor Vim, so I will just do sudo vim and then the file name. It will ask me for the password, so I will provide the password here. Now this is the file. If you see this line, 127.0.0.1 space auth.localhost, that was not there earlier; I added that.

So what I'm telling is: whenever there is a request to this domain, auth.localhost, then instead of doing some lookup to DNS servers, just return this IP address, 127.0.0.1, and the request will go to this IP, but the domain name will be auth.localhost. And since the sessions and cookies are separated based on the domain name, there will not be any interference between the two separate domains. So here you can see there is already this configuration: whenever you type localhost in the browser the request is sent to 127.0.0.1. So either you can type localhost or you can type this long IP address, whatever you want, and you can type ::1 as well, that will also work. So that is one way. Let's say you have multiple servers running on your machine and you want to separate them. If you only use localhost or this IP address then you will be able to run two services, but if you have multiple services then you can give each service a different name. One thing to note here is: don't try to give a name like this one. For example, if I try to give it a name like auth.dev or something like that. Don't try to give a top-level domain which is well known, because in that case your laptop will not look at this file; it will try to contact the DNS server to get the IP address for that domain name. So I have used auth.localhost. You can use anything you want, but this localhost is not a top-level domain, so I'm just using auth.localhost.

So that is out of the way. Now let's start our services. First of all I will start the authorization server application and I will run it. My database server is running here; the authorization server should be able to connect to that database, and it is, so it is running. Now let me show you whether that domain name to IP mapping is working or not. So what I will do is issue one curl request to http://, so instead of localhost it will be auth.localhost, now I need to give the port, which is 9000, and realms. You can see this is returning the realms. Now let's try to fetch the clients as well: realms, the realm ID, java, and clients, and if I pretty-print it you can see we have this client here. This is the client ID, the realm ID, this is the name, and if you see, this is not a confidential client, and these are the web origins, and all the information about the client. So we can see that this mapping is working, so we can use this.

So let's do that. I will copy this one and let's go to the public client. So this is the single page application, or public client, which we built in the initial videos of this playlist. I will go to assets/js and constants.js. Here we are keeping all the constants required. First, for the authorization endpoint, I have localhost 8080, realms and this one. This is the authorization endpoint when we were using Keycloak, so I will just change it. This will be changed to this one: http://auth.localhost, then this is the port, realms, and the realm ID, java, and then we just have auth, so this is the authorization endpoint. Now about the token endpoint: I will just copy it and paste it here and replace auth with token. Now the client ID: this is the client ID which you will use. I will copy it and paste it here. And the redirect URI suffix, auth callback: you can see the redirect URI, okay, it is correct, auth callback, so we don't need to change anything here. Now export const user info endpoint: here as well I will just do this, sorry, not that one, I need to copy this one. I will copy that and paste it here: realms, java and userinfo. But we have not implemented user info. What we are doing here is that we are displaying the access token in the web page, and if there is an error fetching the user we are not doing anything, so we are not worrying about that here. So that's all the changes which we need to do here.

Now let's try to run it. Here I am already inside the public client SPA directory, and what I will do is python3 -m http.server. You can issue this command with --help and then you can get the help for this command, like how to serve files in the directory. So I will just use this command, -m http.server. Now I need this bind address; this will be localhost, or I don't need to provide that. I think the default is all interfaces, so I don't need to provide this binding address. I just need to provide the directory, so --directory ., that means the current directory, and by default also it is the current directory. I don't need to provide the HTTP version, but I need to provide the port, so the port will be 5000. And it is ready. I will go to localhost:5000 and we can see "Welcome to OAuth2 public client demo". I will inspect because I want to see the request. Click on Connect your account. Now you can see in the URL bar we have auth.localhost:9000 and we are getting this error, invalid redirect URI. So let's see why we are getting that. If we click here, the redirect URI is http://localhost:5000/auth/callback/. After callback we have this slash, so we need to remove that. Let's go there in the constants; I will remove this slash, save it, go back, and click on Connect your account again. Now you can see we are getting this page, Log in to java, but if you see in the URL section we have auth.localhost:9000. Let's give the username, that is user1, and I will provide the password for it, and click on Sign in. Now you can see we are asking the user for these scopes, and we have defined those somewhere. If you go to, I guess, the callback JS file, here somewhere we should have those scopes. Let's go to auth.js. Yeah, here: when we are generating this authorization URL we are passing openid, email and profile as the scope. But let's pass two more scopes, contact.read and contact.write. Save it and let's go back, refresh it, Connect your account. Now, if we click on this request as well, the scopes are openid, email and profile only. Why do we have... okay, let's refresh it, click on Connect your account, if I go here, okay, the scopes are openid, email and profile only. We need to... I think I changed... okay, let's save the file, go back, refresh it, and okay, these files are coming from the memory cache, so I will just disable the cache here, Disable cache, and reload it, and now they are not coming from the cache. I click on Connect your account, and if you see, in this request we are sending the contact.read and contact.write scopes as well.

Let's provide the username, which is user1, and the password, and click on the Sign in button. Now you can see we are asking the user to provide consent for these five scopes, out of which three are required and two are optional. Now out of these two optional scopes the user will untick this "Edit your contacts" scope and click on the Allow button. Click on Allow, and we can see this is the authorization code and this is the state. But when we are sending this token request we are getting a CORS error. We are sending this request with the correct payload, so we have client_id, grant_type, code and redirect_uri, but still we are getting this CORS error because this is on a different origin. So we need to handle that CORS error; we need to do some CORS configuration in the authorization server so that this request will be allowed.

Now let's think about how we want to handle the CORS error. For that let's go to the token controller. If you remember, for public clients we have web origins. If I go to the terminal, here you can see we have these two web origins. What this means is that these two web origins should be allowed by the authorization server to make the access token request. So we need to allow cross-origin resource sharing requests, or CORS requests, from these origins. Let's do that. We cannot just put this @CrossOrigin annotation here, because we don't know in advance what all the URLs are for which we need to allow the CORS request. So for that we need to do something else: we need to create a filter. Let's do that. I will mark the class as @Component. I will create a new class here and call it TokenCorsFilter, and this will extend OncePerRequestFilter. Now there is already a CorsProcessor, which is DefaultCorsProcessor, which processes the CORS request given a CORS configuration. So we will create the CORS configuration, but first let's create the CORS processor. I will create a private final CorsProcessor, which will be new DefaultCorsProcessor(). So this is the CORS processor.

Now we are getting this error because we need to implement this method, doFilterInternal. It is taking HttpServletRequest, HttpServletResponse and FilterChain, and it may throw these exceptions. So here we have the request and response objects, so we can get whatever information we want from the request and we can manipulate the response if we want, and after that we can call the next filter in the filter chain using this FilterChain object. Let's do that. First of all, I want to apply this CORS configuration based on the URL, so I will get hold of one object of type UrlBasedCorsConfigurationSource. I will just do var source = new UrlBasedCorsConfigurationSource(). Now we need to create a CORS configuration, so I will say var configuration = new CorsConfiguration(). In the configuration we need to provide the allowed origins, headers and methods. But first of all I want to run this filter only when the request is for the access token, so for that we need to get hold of the path of the request. Let's say String pathInfo will be request.getPathInfo(); this will give us the path of the request. Now we have this pathInfo, and the path info will have the slash, so the path info will be of this type: slash, let's say realms, then we will have the realm ID, and then we will have token. This is the pattern of the path, so let's call it path. First I want to check if the path starts with a slash, so if path.startsWith("/") then I want to remove this slash, so path will be path.substring(1), otherwise we will not modify the path. Now we have the path, and here we don't have this slash. Now we want to split the path based on these slashes so that we get all three components of the path. Let's do that: path.split using this slash, and I will put it in a variable and call it pathElements. Now I will write one condition here to check whether this request is a token request or not. For that pathElements.length should be three, and pathElements[0], the first part, should be equal to realms, and the third element should be equal to token, and the other element will be the realm ID, which you already know. Now let's get the realm ID here: String realmId will be pathElements[1]. So this is the realm ID.

Now what we want to do is: for this realm we have many clients, and out of all those clients I want to get all the web origins, so that those web origins will be allowed. Let's do that. List<String> allowedOrigins will be, let's say, this. Now here we need the client service or token service. Let's say we need the realm service here, so I will say realm service; we need to inject the realm service here. Let's do that. Instead of injecting the realm service, let's say token service, and here I will inject the token service: private final TokenService tokenService, and we need to inject it using the constructor, so I will add the constructor parameter. So this.tokenService.getAllowedOrigins for this realm. Now there is no such method, so I will create this method. For now let's just return List.of this one; for now we are just returning one empty string, but we will complete this method later on. So now we have all the origins which should be allowed. Now we will put all these allowed origins in this configuration, in the CORS configuration which we have created here. Let's do that: configuration.setAllowedOrigins(allowedOrigins). Now let's say we want to only support GET and POST methods, so configuration.setAllowedMethods, a list of OPTIONS and HEAD, these two methods are important or required, and then we want to support GET and POST requests. Now we need to set the allowed headers as well. Let's say we want to allow all the headers, so for headers we can just set all headers, or addAllowedHeader. We will just add one allowed header which will be star; that means all the headers are allowed. After that we will add this configuration to the source. Let's do that: source.registerCorsConfiguration, and the pattern of the request will be this one, and let's just register this configuration. That means for all requests register this configuration, but since we are inside this if condition we know that this request is a token request only. So that means we are registering this configuration for all the token requests, or for the current request if it is a token request.

Now we are coming out of this if condition. Here what we want to do is get the CORS configuration from this source which is for the current request. We could have done this inside the if, but we are doing this outside the if so that, for example, if in the future we need to add another CORS configuration for a different type of request then we don't need to duplicate the rest of the code. So here I will just say CorsConfiguration corsConfiguration will be source.getCorsConfiguration for the given request. This will give us the CORS configuration which is applicable for the current request. After that, boolean... now we already have this CORS processor, so we will use that: corsProcessor.processRequest, and it will take the configuration, which is this CORS configuration, then the request, and the response. So we are calling the processRequest method of the CORS processor; it will process the CORS request based on this configuration, this request and this response, and it will return a result, so let's put it inside a variable, isValid, that means whether the request is valid according to this configuration or not. So let's say if the request is not valid, or if it is not valid... if it is a pre-flight request, in that case we don't want this request to go ahead, so we will just return here, but in all other cases we'll just do filterChain.doFilter, so we will call the next filter using the filter chain and pass the request and response here. So that is the configuration which we need.

Okay, now let's rerun the authorization server. I will just run the authorization server here, but we forgot to do one change in the token service: we are returning this list of one string which is empty, but here we need to return the actual web origins which are registered for this realm. First of all what I will do is, let's say, List<String> allowedOrigins will be new ArrayList. For the given realm, first of all I will fetch all the clients, so let's do that: this.clientService.getAll. Okay, let's go to the client service; I think there should be a getAll method. Okay, but it is not public, so let's make it public. Now the getAll method is public. We have one related problem here... okay, getAll, and it needs a realm ID. This will give us all the clients for the given realm ID, and for each client we will get the allowed origins. So we have the client, so client.getWebOrigins. This will be one string with commas, so this is a list of allowed web origins which are comma separated, so we will split them using comma, split(","), and then we will get an array of strings, and I will call it origins. Now we need to add all these origins inside allowedOrigins, so Collections.addAll: inside allowedOrigins I will add all the origins. Okay, so this addAll will add all the elements inside origins into allowedOrigins, this list, and at the end we will just return this allowedOrigins list. So that was it. What we did is we fetched all the clients, and for each client there are many web origins, so we put all these web origins inside allowedOrigins. I guess that was all we need to do.

Now I will just go to the authorization code, and here, in the previous video, I changed the lifetime of this authorization code to 10 minutes, but let's just say 30 seconds again, so this authorization code will be valid for 30 seconds only. Let's restart the authorization server, and okay, this is the public client which is already running. Now I will go here, localhost:5000, let's click on Connect your account. We have an internal server error. Let's see what the error is here: we are getting some error, "Cannot invoke String.startsWith(String) because path is null". Okay, so I guess I will go to the token controller here. Yeah, so there are two types of path: one is the servlet path and another is this path info. So we need to add both of these paths. Let's do that. First I will do request.getServletPath() and put it in a variable, but if, let's say, servletPath is null then I will just make it an empty string. Then we have this path info, so let's say request.getPathInfo() and I will put it in a variable pathInfo; let's see, if pathInfo is null, in that case we will say pathInfo is an empty string, and then path will be servletPath plus pathInfo. So now we have the correct path and we are working with path here.

Let's restart the server and go here. Okay, let's click on Connect your account. Now we have username and password here: the username is user1, the password is this one, and we are getting this authorization interface. Okay, let's untick this "Edit your contacts", click on Allow. Now you can see we are getting some error in user info, but don't worry about that because we have not implemented user info. But if you go above and see this token request, we are sending the token request here and we are getting the response back, but if you see in the preview response you will not see anything. Why? Because I think in the response header we have Cache-Control: no-store. I mentioned that in the previous video, and the video before that as well, that we will set this header Cache-Control: no-store so that the access token is not visible and it is not stored anywhere. But we are displaying that here, so let's copy it. I will copy the access token, go to jwt.io, and paste the access token here. Now you can see the header: the type is JWT, the algorithm is RS256, that means SHA-256 with RSA. This is the issuer, this is the expiry time of this access token, this is the audience, this is the subject, or the username or user ID of the user, this is the client ID who requested to fetch the access token, this is the timestamp when the access token was issued, this is the unique identifier of this token, and in the scope we are getting openid, profile, contact.read and email. We are not getting contact.write because we unticked that scope. That is how we solve the CORS problem for public clients. That is it for this video. Thank you for watching it; I will meet you in the next one. Bye.
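The token-endpoint CORS filter described in the video, written out as an added example (this is not the Java Rush project's own code). It assumes Spring Boot 3 (jakarta.servlet) and a hypothetical TokenService.getAllowedOrigins(String realmId) that returns the exact web origins registered for the realm's clients, as the video's token service does after the final change.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsProcessor;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.DefaultCorsProcessor;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.util.List;

@Component
public class TokenCorsFilter extends OncePerRequestFilter {

    private final CorsProcessor corsProcessor = new DefaultCorsProcessor();
    private final TokenService tokenService; // hypothetical service, see lead-in

    public TokenCorsFilter(TokenService tokenService) {
        this.tokenService = tokenService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

        // Either part can be null depending on the servlet mapping; join both.
        String path = nullToEmpty(request.getServletPath()) + nullToEmpty(request.getPathInfo());
        if (path.startsWith("/")) {
            path = path.substring(1);
        }
        String[] elements = path.split("/");

        // Only /realms/{realmId}/token gets a per-realm CORS policy.
        if (elements.length == 3 && "realms".equals(elements[0]) && "token".equals(elements[2])) {
            String realmId = elements[1];
            CorsConfiguration config = new CorsConfiguration();
            // Exact origins from the realm's registered clients, never a wildcard,
            // so an unregistered origin cannot read the token response.
            config.setAllowedOrigins(tokenService.getAllowedOrigins(realmId));
            config.setAllowedMethods(List.of("OPTIONS", "HEAD", "GET", "POST"));
            config.addAllowedHeader(CorsConfiguration.ALL);
            source.registerCorsConfiguration("/**", config);
        }

        // Null for non-token requests: same-origin requests pass, cross-origin preflights are rejected.
        CorsConfiguration applicable = source.getCorsConfiguration(request);
        boolean allowed = corsProcessor.processRequest(applicable, request, response);
        // processRequest returns false when the origin was rejected (403 already written)
        // or when a preflight has been fully answered; neither should reach the controller.
        if (!allowed || CorsUtils.isPreFlightRequest(request)) {
            return;
        }
        chain.doFilter(request, response);
    }

    private static String nullToEmpty(String s) {
        return s == null ? "" : s;
    }
}
```

Because the origin list is rebuilt per request from the realm's client registrations, adding or removing a client's web origins takes effect without a restart, and a request whose Origin header matches none of them is answered with 403 by DefaultCorsProcessor before the token endpoint runs.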
Info
Channel: Java Rush
Views: 52
Keywords: access token, authorization server, token signing, jwt, jws, private key, public key, client application, confidential client, api security, oauth, oauth2, programming tutorial, token verification, cors, cors configuration, public clients, spa, spring boot, spring, spring authorization server, spring oauth2
Id: IWDaaohmuYY
Length: 32min 39sec (1959 seconds)
Published: Mon Jun 24 2024