JUGNsk Meetup#9. Евгений Горбачёв: "Как натянуть сову на глобус — кластеризуем Spring OAuth2"

Transcript

1. Как натянуть сову на глобус - кластеризуем Spring OAuth2 Евгений

   Горбачев meetup #9, 13 июня 2019

2. Sun JavaSoft • Classic VM HotSpot Client/Server VMs under Lars

   Bak’s tech leadership Initially as an add-on for Java 1.2, the part of Java since 1.3 • Serviceability Team ❖ Logging ❖ JPDA: JVMTI (JVMDI + JVMPI), JDWP, JDI ❖ Dtrace ❖ etc. -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8020 2

3. What Is OAuth2 & OpenID Connect ⚫ OAuth 2.0 is

   the industry-standard protocol for authorization that enables Clients to obtain limited access to User accounts on an HTTP service. It works by delegating user authentication to the Service that hosts the User account, and authorizing third-party Clients to access the User account. ⚫ OpenID Connect 1.0 (OIDC) is a simple identity layer on top of the OAuth 2.0. It allows Clients to verify the identity of the User based on the authentication performed by an Authorization Server, as well as to obtain profile information about the User. ⚫ Single Sign-On (SSO) 3

4. Authentication with the OIDC Authorization Code Flow + state +

   state 4

5. Local machine - just perfectly! 5

6. Deployment on production 6

7. Spring is a wisdom owl... 7

8. But sometimes it turns into... 8

9. Architecture state state state s e s s i o

   n 9

10. Clustered Architecture (2 nodes) state state state 2 1 10

11. Clustered OAuth2 (2 nodes) state state state 2 1 s

    t a t e s t a t e state 11

12. Spring OAuth2 Authorization Flow 12 interface o.s.security.oauth2.client.OAuth2 ClientContext class DefaultOAuth2ClientContext

    implements OAuth2ClientContext

13. Filtering System of the Spring Security o.springframework.security.web.FilterChainProxy : ... at

    position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' o.s.s.web.context.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT o.s.s.web.context.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWra pper$HttpSessionWrapper@b4e842f. A new one will be created. o.springframework.security.web.FilterChainProxy : ... at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter' ... o.springframework.security.web.FilterChainProxy : ... at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' o.s.s.web.authentication.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@915d6074: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: c6b30a8e-d652-44f1-bfe2-37b4bfb8764a; Granted Authorities: ROLE_ANONYMOUS' 13

14. Filtering System of the Spring Security o.springframework.security.web.FilterChainProxy : ... at

    position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' o.s.s.web.context.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT o.s.s.web.context.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWra pper$HttpSessionWrapper@b4e842f. A new one will be created. o.springframework.security.web.FilterChainProxy : ... at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter' ... o.springframework.security.web.FilterChainProxy : ... at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' o.s.s.web.authentication.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@915d6074: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: c6b30a8e-d652-44f1-bfe2-37b4bfb8764a; Granted Authorities: ROLE_ANONYMOUS' 14

15. Saving the State in Redis 15

16. Implementation of Saving public class OAuth2ClientContextSavingRedirectStrategy extends DefaultRedirectStrategy { public

    void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException { HttpSession session = request.getSession(false); AccessTokenRequest accessTokenRequest = oAuth2Context.getAccessTokenRequest(); String stateKey = accessTokenRequest.getStateKey(); Object preservedState = accessTokenRequest.getPreservedState(); session.setAttribute(OAuth2.CLIENT_CONTEXT_STATE_ATTR_NAME, stateKey); session.setAttribute(OAuth2.CLIENT_CONTEXT_PRESERVED_URI_ATTR_NAME, preservedState); super.sendRedirect(request, response, url); } 16

17. Restoring the State from Redis 17

18. Implementation of Restoring public class OAuth2ClientContextRestoringFilter extends OncePerRequestFilter { public

    void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { HttpSession session = request.getSession(false); String contextKey = session.getAttribute(OAuth2.CLIENT_CONTEXT_STATE_ATTR_NAME); String contextState = session.getAttribute(OAuth2.CLIENT_CONTEXT_PRESERVED_URI_ATTR_NA ME); oAuth2Context.setPreservedState(contextKey, contextState); filterChain.doFilter(request, response); } 18

19. Authorization Process initiated on Node 1 org.springframework.security.web.FilterChainProxy : ... firing

    Filter: 'OAuth2ClientContextFilter' ... c.t.accounts.uaa.oidc.OIdCAuthenticationProcessingFilter : Getting an access token c.t.a.uaa.oidc.OAuth2ClientContextSavingRedirectStrategy : The user's authorization required by redirecting to https://accounts.google.com/o/oauth2/v2/auth?client_id=843319630440-v2brjoe8qmp2fp c50842k5vejjitpj50.apps.googleusercontent.com&redirect_uri=http://localhost:8503/oidc -google-login&response_type=code&scope=openid%20email%20profile&state=RPFhAe c.t.a.uaa.oidc.OAuth2ClientContextSavingRedirectStrategy : Preserving the key 'RPFhAe' and state 'http://localhost:8503/oidc-google-login' for the session '4c8092c2-565d-419f-8304-5ece562b7b99' c.t.a.uaa.oidc.OAuth2ClientContextSavingRedirectStrategy : Redirecting to 'https://accounts.google.com/o/oauth2/v2/auth?client_id=843319630440-v2brjoe8qmp2f pc50842k5vejjitpj50.apps.googleusercontent.com&redirect_uri=http://localhost:8503/oid c-google-login&response_type=code&scope=openid%20email%20profile&state=RPFhAe' 19

20. Authorization Process continues on Node 2 org.springframework.security.web.FilterChainProxy : /oidc-google-login?state=RPFhAe&code=4%2FYwE2GohNeOxDmTgkYbHaI-1QD2ynCbzacAfeobw33tlA4YzB2yPoQE4jT Pgux00bBki3Dm2oNHKky-7gH01fIEc&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2

    Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&session_state=1ac09b dacdb6923592c725f6fd8756b4b182ba6d..441c&prompt=consent at position 6 of 15 in additional filter chain; firing Filter: 'OAuth2ClientContextRestoringFilter' c.t.accounts.uaa.oidc.OIdCAuthenticationProcessingFilter : Restoring the key 'RPFhAe' and state 'http://localhost:8503/oidc-google-login' for the session '4c8092c2-565d-419f-8304-5ece562b7b99' org.springframework.security.web.FilterChainProxy : ... at position 7 of 15 in additional filter chain; firing Filter: 'OAuth2ClientContextFilter' ... c.t.accounts.uaa.oidc.OIdCAuthenticationProcessingFilter : Getting an access token o.s.s.o.c.t.grant.code.AuthorizationCodeAccessTokenProvider : Retrieving token from https://oauth2.googleapis.com/token org.springframework.web.client.RestTemplate : Created POST request for "https://oauth2.googleapis.com/token" o.s.s.o.c.t.grant.code.AuthorizationCodeAccessTokenProvider : Encoding and sending form: {grant_type=[authorization_code], code=[4/YwE2GohNeOxDmTgkYbHaI-1QD2ynCbzacAfeobw33tlA4YzB2yPoQE4jTPgux00bBki3Dm2oNHKky-7gH01fIEc], redirect_uri=[http://localhost:8503/oidc-google-login]} org.springframework.web.client.RestTemplate : POST request for "https://oauth2.googleapis.com/token" resulted in 200 (OK) o.springframework.web.client.HttpMessageConverterExtractor : Reading [interface org.springframework.security.oauth2.common.OAuth2AccessToken] as ... 20

21. Summary ⚫ The problem is obvious, but amazingly Spring OAuth2

    is no clustered. ⚫ The proper way is to implement Redis and/or JDBC versions of the interface org.springframework.security.oauth2.client.OAuth2ClientContext But surprisingly nobody did. ⚫ The implemented solution: ⚫ Saving the state in the overwritten method sendRedirect() of DefaultRedirectStrategy when OAuth2ClientContext is fully formed. ⚫ Restoring the state in the overwritten method doFilterInternal() of OncePerRequestFilter before the Spring checks its value in OAuth2ClientContextFilter. 21

22. Wish You a Long Lazy Summer 22