Protecting pages with access token/oauth2

Hello,

We use an external hosted login (OIDC/OAuth2) solution for customer authentication. We would like to connect our CMS to this solution so we can have certain pages on our site require the customer to log in. When a customer logs in they get an access token from our auth provider. We would like the CMS to look for the access token to determine whether the user can access the page or not.

Has anyone done anything like this before? I haven’t been able to find clear documentation on how to integrate this.

Thanks,
Tim

You can check the Spring Security plugin and add your own handlers/security providers;
see:
https://bloomreach-forge.github.io/hst-spring-security/hippouserdetails.html

Hi @machak,

I did find that plugin, but honestly I find the documentation very confusing, both for the plugin and for the delivery-tier authentication configuration on the Bloomreach site. I was hoping that, since OAuth2 and OIDC are very common authentication and authorization protocols, someone would have done this before and could share how they did it. I'm going to keep digging into the plugin anyway.

Thanks,

Tim

I can understand why it seems confusing.

Basically the goal of the forge project is just to provide a way to integrate spring-security and spring-security-* into our CMS web applications.
Just by configuring the spring-security servlet filter(s), either through beans XML or through annotations in a traditional or Boot project, you can use most features of Spring Security, except for the resolution/mapping of users and roles onto the HST-2 user/role concepts used in access controls.
The forge project fills in this gap, simply by mapping Spring Security users/roles to HST's.

The first difficulty nowadays is, I guess, that it is a bit hard to find a good example of configuring all the spring-security-* pieces as XML beans, as many examples on the net are based on Boot projects.

Anyway, if you can find a good example using XML bean definitions instead and overwrite the example with that, the next steps will be very straightforward.

Regards,

Woonsan

We are also trying to secure our site application with OIDC. Until now we did it with LDAP. We changed most parts of the configuration from XML to Java, so we only have the spring-security.xml to add the springSecurityValve, and the web.xml. All the configuration in applicationContext.xml we shifted to Java.

Now in an implementation of WebSecurityConfigurerAdapter we have something like this:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .oauth2Login()
            .clientRegistrationRepository(clientRegistrationRepository())
            .authorizedClientService(authorizedClientService());
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.oidcClientRegistration());
    }

    @Bean
    public OAuth2AuthorizedClientService authorizedClientService() {
        // In-memory store of the access/refresh tokens obtained per logged-in principal
        return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository());
    }

    private ClientRegistration oidcClientRegistration() {
        return ClientRegistration.withRegistrationId("forgerock")
                .clientId("clientId")
                // placeholder: load the real secret from configuration, never from source
                .clientSecret("clientSecret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationUri("https://identity-provider-url/authorize")
                .tokenUri("https://identity-provider-url/access_token")
                .issuerUri("https://identity-provider-url")
                // required so the ID token signature can be verified; the path is an assumption,
                // take it from the provider's discovery document
                .jwkSetUri("https://identity-provider-url/jwks")
                // must match the redirection endpoint Spring Security listens on
                // (default: {baseUrl}/login/oauth2/code/{registrationId})
                .redirectUri("https://localhost:8443/site/callback")
                // scope() is varargs: a single comma-joined string would be sent as one unknown scope
                .scope("openid", "profile", "email")
                .build();
    }
}

When calling a restricted site, Spring Security forwards the request to /oauth2/authorization/. In vanilla Spring applications this request is forwarded to the configured identity provider with all the necessary parameters. But in our case the request is handled inside the site application and leads to an error.

Does anybody know how to configure this so that the authorize request is handled by Spring Security and not by brXM?
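Putting Woonsan's description of the forge (Spring Security authorities mapped onto HST users/roles) and the configuration in the last post together, here is an added example of a Spring Security 5 configuration for the site webapp. It is my own illustration, not code from this thread, from brXM or from the hst-spring-security forge. It protects only a subset of site paths, spells out the two endpoint base URIs that Spring Security itself serves (they are the defaults), resolves the provider endpoints through OIDC discovery instead of hand-typed URIs, and maps an ID-token claim to ROLE_* authorities that the forge can then map to HST roles. The /site context path, the /members/** path, the "roles" claim name and the OIDC_* environment variables are assumptions; the registration id "forgerock" is reused from the post above.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

@Configuration
@EnableWebSecurity
public class SiteOidcSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed layout: the site webapp runs under the /site context path and only the
    // /members/** pages need a login. Both base URIs below are the Spring Security defaults,
    // spelled out so the IdP-side redirect URI and the web.xml filter mapping can be checked
    // against them: the IdP must redirect to https://<host>/site/login/oauth2/code/forgerock.
    private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization";
    private static final String REDIRECTION_BASE_URI = "/login/oauth2/code/*";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/members/**").authenticated()
                // Everything else, including the two OAuth2 endpoints below, stays public.
                .anyRequest().permitAll()
                .and()
            .oauth2Login()
                // OAuth2AuthorizationRequestRedirectFilter answers /oauth2/authorization/{registrationId}
                // with a 302 to the IdP and does not call the rest of the filter chain. If that request
                // still reaches the HST, check that springSecurityFilterChain is mapped to this path
                // ahead of the HST filter in web.xml.
                .authorizationEndpoint().baseUri(AUTHORIZATION_BASE_URI).and()
                // OAuth2LoginAuthenticationFilter exchanges the code on /login/oauth2/code/{registrationId}.
                .redirectionEndpoint().baseUri(REDIRECTION_BASE_URI).and()
                // Turn IdP claims into ROLE_* authorities; these are what the hst-spring-security
                // forge maps onto HST users/roles.
                .userInfoEndpoint().userAuthoritiesMapper(claimsToRoles());
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // Discovery reads <issuer>/.well-known/openid-configuration and fills in the
        // authorization, token, JWK set and userinfo URIs, so the ID token signature is
        // verified against the provider's published keys rather than hand-typed endpoints.
        // Issuer, client id and secret are assumed to come from the environment, not source.
        ClientRegistration forgerock = ClientRegistrations
                .fromIssuerLocation(System.getenv("OIDC_ISSUER"))
                .registrationId("forgerock")
                .clientId(System.getenv("OIDC_CLIENT_ID"))
                .clientSecret(System.getenv("OIDC_CLIENT_SECRET"))
                // varargs: one scope per argument, never a comma-joined string
                .scope("openid", "profile", "email")
                .build();
        return new InMemoryClientRegistrationRepository(forgerock);
    }

    // Maps a "roles" array claim in the ID token to ROLE_<NAME> authorities. The claim
    // name is an assumption; it depends on how the IdP is configured to issue claims.
    @Bean
    public GrantedAuthoritiesMapper claimsToRoles() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    List<String> roles = ((OidcUserAuthority) authority)
                            .getIdToken().getClaimAsStringList("roles");
                    if (roles == null) {
                        continue;
                    }
                    for (String role : roles) {
                        mapped.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
                    }
                }
            }
            return mapped;
        };
    }
}
```

With these base URIs the callback the IdP must allow is https://<host>/site/login/oauth2/code/forgerock; a callback ending in /site/callback, as in the post above, is only served if redirectionEndpoint().baseUri() is changed to match it. Whether /oauth2/authorization/forgerock reaches Spring Security or the HST is decided by servlet filter order alone: the DelegatingFilterProxy for springSecurityFilterChain has to be mapped to /* (or at least to these two paths) before the HST filter in web.xml, because the redirect filter replies with a 302 and never hands the request further down the chain.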