spring-cloud / spring-cloud-dataflow

A microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes
https://dataflow.spring.io
Apache License 2.0

Documentation: Using rest API through OpenShift-OAuth2 authentication #4524

Open klopfdreh opened 3 years ago

klopfdreh commented 3 years ago

Problem description: We finally managed to configure our SCDF Server to work with OAuth2 in OpenShift4. The OAuth2 Server of our setup supports the flows authentication_code and implicit. My issue now is that we can't make the REST client run authenticated.

config:

spring:
  cloud:
    dataflow:
      client:
        serverUri: https://hostname:8443
        authentication:
          client-id: clientid
          client-secret: secret
          token-uri: https://hostofoauth/oauth/token
          scope:
            - scope

Because OpenShift requires the client-id to use colons, there is an issue which causes the connection attempt to fail with an error message mentioning this. In spring-security-oauth2 there is a method to use POST instead of GET ("client-authentication-method: post") which is not available in the Spring Cloud Data Flow config. (see https://github.com/spring-projects/spring-security-oauth/issues/1709)

Solution description: Besides the issue with the colon, is there any example available for the implicit or authentication_code flows for the REST client, so that I can see how I should configure it?

klopfdreh commented 3 years ago

Just wanted to know whether there are any updates on the documentation / on this ticket so far? I just had a look into the auto configuration of the client REST API (https://github.com/spring-cloud/spring-cloud-dataflow/blob/main/spring-cloud-dataflow-rest-client/src/main/java/org/springframework/cloud/dataflow/rest/client/config/DataFlowClientAutoConfiguration.java) and found 4 ways to configure the client:

Basic Authentication:

spring:
  cloud:
    dataflow:
      client:
        authentication:
          basic:
            username: ...
            password: ...

Client Credentials:

spring:
  cloud:
    dataflow:
      client:
        serverUri: https://hostname:8443
        authentication:
          client-id: clientid
          client-secret: secret
          token-uri: https://hostofoauth/oauth/token
          scope:
            - firstscope
            - anotherscope

Access Token:

spring:
  cloud:
    dataflow:
      client:
        authentication:
          access-token: <token>

Bearer Token:

spring:
  cloud:
    dataflow:
      client:
        authentication:
          oauth2:
            clientRegistrationId: clientid # also used for client credentials mode
            username: <username> # User to authenticate with
            password: <password> # Password to authenticate with

Client Credentials, Access Token and Bearer Token require the SCDF-Server to configure the resourceserver either with jwt or opaque token validation. (Docs can be found here: https://github.com/spring-projects/spring-security/blob/main/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc)

My issue that there is no configuration for "client-authentication-method: post" is also still open.

I just noticed that Spring Security did a recent update on this configuration (https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/ClientAuthenticationMethod.java) - see "client_secret_post"

Thanks in advance :)
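The colon problem described in these two comments comes from how client_secret_basic works: the token endpoint decodes the HTTP Basic credential and splits it on the first colon, so a client-id that itself contains colons is cut apart unless it was form-urlencoded first (RFC 6749 section 2.3.1), whereas client_secret_post sends client_id and client_secret as separate form fields. The following Python is an added illustration of both encodings and is not code from Spring Cloud Data Flow or Spring Security; the service-account style client-id and secret are constructed sample values.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample: OpenShift service-account client ids carry colons.
CLIENT_ID = "system:serviceaccount:dataflow:scdf-client"
CLIENT_SECRET = "s3cr3t"


def basic_header_naive(client_id: str, secret: str) -> str:
    """client_secret_basic WITHOUT the RFC 6749 2.3.1 encoding step (the failing case)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def basic_header_rfc6749(client_id: str, secret: str) -> str:
    """client_secret_basic done correctly: form-urlencode id and secret first,
    so every ':' inside the client id becomes '%3A' before the Basic join."""
    cred = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return "Basic " + base64.b64encode(cred.encode()).decode()


def parse_basic(header: str) -> tuple[str, str]:
    """What a token endpoint does with a Basic credential: split on the FIRST colon."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, pw = raw.partition(":")
    return user, pw


def parse_basic_rfc6749(header: str) -> tuple[str, str]:
    """An RFC-conformant endpoint additionally form-urldecodes both halves.
    A server that skips this step still sees the encoded id, so check what
    the authorization server you talk to actually implements."""
    user, pw = parse_basic(header)
    return unquote(user), unquote(pw)


def post_body(client_id: str, secret: str, scope: str) -> str:
    """client_secret_post: credentials travel as form fields, so colons need no
    special handling at all (the body is usually still sent over TLS only)."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret,
        "scope": scope,
    })


def parse_post_body(body: str) -> tuple[str, str]:
    """Token endpoint side of client_secret_post."""
    fields = parse_qs(body)
    return fields["client_id"][0], fields["client_secret"][0]
```

Running the naive Basic header through `parse_basic` yields the truncated user "system" and a secret made of the rest of the id, which is the kind of mismatch behind the failed connection attempt; the encoded header and the POST body both round-trip the full client-id.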

jvalkeal commented 3 years ago

I added a second sample for keycloak https://github.com/jvalkeal/randomstuff/tree/master/dataflow-keycloak-basic which may give some ideas on how to configure the client side, as the shell works atop of REST.

klopfdreh commented 3 years ago

We finally managed to build in the authentication with the Client Credentials flow and used the configuration mentioned in my previous comment. It would be nice to have this documentation of how to configure the client's Spring Boot application YAML somewhere in the Spring Cloud Data Flow manual. Other than that I would close the ticket, because all is working as expected.