oasp / oasp4j

The Open Application Standard Platform for Java
Apache License 2.0

JWT Authentication is not implemented in Oasp4j Archetype 2.6.0 #649

Open jdiazgon opened 6 years ago

jdiazgon commented 6 years ago

Currently, the new OASP4J archetype 2.6.0 does not implement JWT authentication properly. My objective is to be able to log in from an Ionic application (phone app) just by using the OASP4J archetype. Right now, this is not possible by default.

To do so, I had to do a workaround by adding a bunch of files that you will see below:

(screenshot of the added files; image not reproduced here)

These files are actually used in the MyThaiStar app.

It would be really nice if this functionality was added for the next release, because we should support a wider range of authentication methods.

What do you think @maybeec and @sjimenez77 ?

maybeec commented 6 years ago

@hohwille that's what I meant in the call yesterday, although I was not correct about the missing module. @jdiazgon said the security module was missing. But anyhow, the issue here is more that, with the JWT authentication implemented, we can connect Angular apps to the server, but not Ionic apps. The implementation given in MyThaiStar seems like a workaround to me, which is more a hack ;)

@sjimenez77 should know more about it. Can you elaborate what the issue here is? It would most probably be better to provide a fix for the oasp4j implementation to make the server work with different clients out of the box.

hohwille commented 6 years ago

First of all I agree that such cross-cutting functionality as a JWT login should be available as a module. Ideally in spring(-security) itself and otherwise, if not possible, as an oasp4j module. In case that

> The implementation given in MyThaiStar seems like a workaround to me, which is more a hack ;)

we would of course need to rework here. My first check would be to see if some spring module already offers such a feature. Further, from my experience you cannot get JWT auth with zero config. The best practice is to use asymmetric encryption for the signature (RSA 4096). Therefore you would need to configure a public key, which leads to the next point:

Second, we should discuss if that stuff is enabled by default in a regular OASP4J app. We had long discussions about opt-in vs. opt-out in Yammer and many users complained that there is too much enabled by default. Also from an IT security point of view it is better not to have this by default and to manually opt in to such a feature. Of course we could have that dependency present but commented out if that helps. Going even further, we could add a property that triggers the archetype to include such features while by default you get a "minimal" app. I guess this aspect might need some further discussion while we can already agree on the first point and go ahead with that.

hohwille commented 6 years ago

https://github.com/oasp/my-thai-star/blob/develop/java/mtsj/core/src/main/java/io/oasp/application/mtsj/general/security/TokenAuthenticationService.java#L79

Indeed hackish. IMHO we need to create a new module/approach.

How about:

```xml
<dependency>
  <groupId>org.springframework.security.oauth</groupId>
  <artifactId>spring-security-oauth2</artifactId>
</dependency>
```

hohwille commented 6 years ago

From

```xml
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-jwt</artifactId>
</dependency>
```

You get these classes:

```
org.springframework.security.jwt.Jwt
org.springframework.security.jwt.JwtHelper
```

Still a little low-level (you have to provide the signer manually, etc.) but therefore flexible. Ideally you could however configure the algorithm (RSA, ECDSA, etc.) simply in application.properties rather than in the code.
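As an added illustration of the low-level usage described above (example code, not part of this thread, MyThaiStar or oasp4j), the following issues a token with the private key and verifies it with the public key only; it assumes spring-security-jwt 1.0.x on the classpath and uses a freshly generated RSA key pair plus a hand-built claims string:

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.RsaSigner;
import org.springframework.security.jwt.crypto.sign.RsaVerifier;

/** Issue/verify round trip with spring-security-jwt (hypothetical helper, not OASP4J code). */
public class JwtRoundTrip {

  /** Issues a signed token. Only the issuing server holds the private key. */
  static String issue(RSAPrivateKey privateKey, String subject, long expiresAtEpochSeconds) {
    // spring-security-jwt takes the claims as a raw JSON string; a real app should build
    // this with a JSON library so that user-controlled values are escaped properly.
    String claims = "{\"sub\":\"" + subject + "\",\"exp\":" + expiresAtEpochSeconds + "}";
    Jwt jwt = JwtHelper.encode(claims, new RsaSigner(privateKey));
    return jwt.getEncoded();
  }

  /**
   * Verifies the signature with the public key and returns the claims JSON,
   * or null when the token was tampered with or signed by an untrusted key.
   */
  static String verify(RSAPublicKey publicKey, String token) {
    try {
      Jwt jwt = JwtHelper.decodeAndVerify(token, new RsaVerifier(publicKey));
      return jwt.getClaims();
    } catch (InvalidSignatureException e) {
      return null;
    }
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(4096); // the key size mentioned in the discussion
    KeyPair server = gen.generateKeyPair();
    KeyPair other = gen.generateKeyPair(); // constructed: a key the server does not trust

    long exp = System.currentTimeMillis() / 1000 + 3600;
    String token = issue((RSAPrivateKey) server.getPrivate(), "alice", exp);

    // Verification with the matching public key yields the claims; with the
    // unrelated key the signature check fails and verify() returns null.
    System.out.println(verify((RSAPublicKey) server.getPublic(), token));
    System.out.println(verify((RSAPublicKey) other.getPublic(), token));
  }
}
```

Note that decodeAndVerify only checks the signature; the exp claim (and any other claim) still has to be parsed and enforced by the caller, which is part of what a higher-level module or starter would have to add.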

maybeec commented 6 years ago

I am totally fine with not having it as part of the archetype, but we should at least have some support here. Maybe also a HowTo to guide developers. We will have a look into the spring-security modules available. Thanks for the pointers.

hohwille commented 6 years ago

So IMHO we should use spring-security-jwt but build something on top and provide a starter for it to make usage as simple as possible. Unfortunately I am booked out for all of July. I guess I will not be able to make this feature for 3.0.0 on my own. Contributions are most welcome. Otherwise we will have to wait for 3.1.0 then...