[OT] Decent OAuth libraries?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[OT] Decent OAuth libraries?

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

I'm looking at implementing OAuth/OAuth2 on the server for both
incoming and outgoing SSO with other systems. It doesn't look like
rocket surgery, but I figure: why reinvent the wheel?

Has anyone had any experiences in particular they'd like to share? I
think I'd prefer something that was explicitly geared-towards OAuth
and not something more general like Apache CXF, unless CXF is *super
good* as doing OAuth and also provides some other great thing that
maybe I didn't know I needed.

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl9fcjgACgkQHPApP6U8
pFiRcxAAtZ+rmO2i4PrFCRMPcEBWP6Z4z7IeBQUPfiotz5c84IvjOIqnJHyIx6RW
Qyy7uy/7lHXMeu5xw/4DFx4qFxdG/O1+B7mekkxBrRnDFxOFByZS5RjVo0c8SFjo
xiXvyeEy+/ucZb7Ca1M5Xryo5aIaTjXP8DSVkUWIfMqVyc9COrKt9Ds6gy/0xAll
OcUj7CrRW1LiCoZmIPhXkabHqsxHofu5oEGHzcFE1tdsFr9L8JEfAPAhSgGJnDky
yqW9P5LD8vH+34gVMqKCOOtHGVdNug7F4GTz+4z/ScHLhAcR/giRi/05ydigGvyL
umux/QLzj1C5y1Nu+7jkBGz7QnokzsMMOjHH5n29/dIBOz/LS+6P7BidKLVgycdu
HLomJpfmKRJaj6VHofMczYo6oCzGzrwdpeWBBvWwLE733CUU3IqQskUHvqIGj66C
fopFuTk0Uyeizh7TY2+NyIAdcGdQyNjb+qYHYoN19Td8V/eAM3HjcJsxC9j0WRlT
Sx16g0pMDLu36IjO2C4ltE7mUcKbD8yTZkTcs6ORTBX/88Kbj6dfymHj13DUUz5H
+d2PbLlm8NNz530OmSJ0FopnM6afjCRzlE/tfQUOmCnGyxKjo+piqnBLws6no7NB
4+I9auIX0gmXygc/h/S2e8SH4sElCNfgRj9Cw8sgK7znc6wKTpc=
=pwRm
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [OT] Decent OAuth libraries?

Luis Rodríguez Fernández
Hello Chris,

I can suggest you Keycloak [1]. It supports OIDC (extension of OAUTH2) [2],
it has adapters for apache tomcat [3] and it is quite easy to start with. I
made a little proof of concept protecting the good and old /manager tomcat
application using the "Client Credentials Flow". My setup looks like this:

- Keycloak server: docker run --name=keycloak_for_oidc_tests -e
KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 9090:8080 -e
KEYCLOAK_IMPORT=/tmp/test-realm.json -v
$(pwd)/test-realm-with-users.json:/tmp/test-realm.json jboss/keycloak You
can find the test-realm.json here [4]
- Add this keycloak.json [5] to the $CATALINA_BASE/webapps/manager/WEB-INF/
folder. You can also generate via the admin console (localhost:9090/auth)
- Unzip [6] into $CATALINA_BASE/lib
- Declare the <Valve
className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/> in
the $CATALINA_BASE/webapps/manager/META-INF/context.xml

I will try to put all this in a little repo, maybe it can be helpful for
somebody else, but with the above steps you should be done. Maybe you want
to add some debugging to your $CATALINA_BASE/conf/logging.properties to see
what's happening under the hood:

org.keycloak.level = ALL
org.apache.catalina.realm.level = ALL
org.apache.catalina.authenticator.level = ALL

Hope it helps,

Luis

[1] https://www.keycloak.org
[2]
https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-2
[3]
https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter
[4]
https://gist.github.com/lurodrig/6ecab404985683e6ed6cfe6c8fa8475f#file-test-realm-with-users-json
[5]
https://gist.github.com/lurodrig/ac51a5cdfd3482ea20680e19b77b2558#file-keycloak-json
[6]
https://downloads.jboss.org/keycloak/11.0.2/adapters/keycloak-oidc/keycloak-tomcat-adapter-dist-11.0.2.zip










El lun., 14 sept. 2020 a las 15:38, Christopher Schultz (<
[hidden email]>) escribió:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> All,
>
> I'm looking at implementing OAuth/OAuth2 on the server for both
> incoming and outgoing SSO with other systems. It doesn't look like
> rocket surgery, but I figure: why reinvent the wheel?
>
> Has anyone had any experiences in particular they'd like to share? I
> think I'd prefer something that was explicitly geared-towards OAuth
> and not something more general like Apache CXF, unless CXF is *super
> good* as doing OAuth and also provides some other great thing that
> maybe I didn't know I needed.
>
> Thanks,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl9fcjgACgkQHPApP6U8
> pFiRcxAAtZ+rmO2i4PrFCRMPcEBWP6Z4z7IeBQUPfiotz5c84IvjOIqnJHyIx6RW
> Qyy7uy/7lHXMeu5xw/4DFx4qFxdG/O1+B7mekkxBrRnDFxOFByZS5RjVo0c8SFjo
> xiXvyeEy+/ucZb7Ca1M5Xryo5aIaTjXP8DSVkUWIfMqVyc9COrKt9Ds6gy/0xAll
> OcUj7CrRW1LiCoZmIPhXkabHqsxHofu5oEGHzcFE1tdsFr9L8JEfAPAhSgGJnDky
> yqW9P5LD8vH+34gVMqKCOOtHGVdNug7F4GTz+4z/ScHLhAcR/giRi/05ydigGvyL
> umux/QLzj1C5y1Nu+7jkBGz7QnokzsMMOjHH5n29/dIBOz/LS+6P7BidKLVgycdu
> HLomJpfmKRJaj6VHofMczYo6oCzGzrwdpeWBBvWwLE733CUU3IqQskUHvqIGj66C
> fopFuTk0Uyeizh7TY2+NyIAdcGdQyNjb+qYHYoN19Td8V/eAM3HjcJsxC9j0WRlT
> Sx16g0pMDLu36IjO2C4ltE7mUcKbD8yTZkTcs6ORTBX/88Kbj6dfymHj13DUUz5H
> +d2PbLlm8NNz530OmSJ0FopnM6afjCRzlE/tfQUOmCnGyxKjo+piqnBLws6no7NB
> 4+I9auIX0gmXygc/h/S2e8SH4sElCNfgRj9Cw8sgK7znc6wKTpc=
> =pwRm
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett