
We are using Ping Federate as the authentication server and plan to build microservices on top of Spring Boot. The idea is that Ping Federate will handle the login and provide access tokens (JWT) to client apps, which then use those to access the REST services.
To validate the token, Ping Federate exposes the certificate containing the public key via a URL. It simply returns the certificate like this:

```
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```

When setting the `security.oauth.resource.jwt.key-uri` property to that endpoint, the auto-configuration in `ResourceServerTokenServicesConfiguration` fails because it does not expect a simple string but tries to map the response into a map. In a second step, the `JwtAccessTokenConverter` would also fail because it expects a "plain" public key, not a public key wrapped in a certificate.

What is the best approach to extend the Spring Security OAuth component to support my IdP? I was thinking about overriding some of the configurations in `ResourceServerTokenServicesConfiguration`, but it looks like the one interesting for me (`JwtAccessTokenConverter`) does not support overriding.

David Gehrig
  • I came across your question while searching for "pingfederate spring boot" :-) Did you work out an answer for yourself in the meantime or did the issue stay open? How is your PingFederate integration with your Spring Boot based services going? – Bernd Jan 08 '18 at 22:11
  • We ended up creating a security library that extends the Spring Boot OAuth2 logic in order to support access token validation via public keys. Those can either be available on an endpoint accepting an x5t thumbprint as parameter (for Ping Identity) or stored within a JWKS (for IdentityServer). In general, for the x5t approach, we extended the JwtAccessTokenConverter to support multiple IdPs and then created our own resource server Spring Boot auto-configuration to get that initialized during startup. We might publish the library on GitHub if you are still interested. – David Gehrig Feb 10 '18 at 20:47
  • Indeed very much interested, still. Many thanks in advance. Btw, did you bring your finding forward with the Spring Security oAuth2 project? It seems that either PingFederate doesn't comply with the public key retrieval endpoint, or Spring Security oAuth2 should be more flexible in what to expect on such endpoints. What do you think? – Bernd Feb 11 '18 at 21:07
  • Ok, I've pushed the library to [GitHub](https://github.com/sonova/oauth2-spring-boot-starter); feel free to have a look at the code and reuse it as you like. If you just need to support one IdP within your services, then the property `security.oauth2.resource.jwk.key-set-uri` (I think it was added in [2.2.0](https://github.com/spring-projects/spring-boot/issues/10022)) could already solve your issue, as Ping Federate has added support for [JWKS in 8.2](https://ping.force.com/Support/Topic-Detail/JWK). – David Gehrig Mar 01 '18 at 23:09
  • Nice. Thanks. Will be able to make use of that one. I'll star it. :-) One more question: Do you by chance have some pointers to Spring Boot/Spring Security oAuth2 based configuration samples using PingFederate? I would now start to do this, and I was hoping to find some sample apps doing that out there, but without much luck. – Bernd Mar 16 '18 at 16:01

1 Answer


I've made a demo app available at https://github.com/berndgoetz/spring-boot-oauth2-pingfederate for Spring Boot 2 using PingFederate 8.6 (+). It basically implements the least code necessary to override the default Spring OAuth2 behavior. I hope this helps others who want to use PingFederate with Spring Security + OAuth2.

Bernd
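The failure described in the question (the resource server expects a key map, PingFederate returns a bare PEM certificate) can be worked around by parsing the certificate yourself and handing its RSA key to the converter. This is an added example, not code from the question, the answer, or either linked repository; it assumes a hypothetical `idp.cert-uri` property holding the PingFederate certificate URL, that the IdP signs tokens with RSA, and the spring-security-oauth2 / spring-security-jwt classes named in the question.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.jwt.crypto.sign.RsaVerifier;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.client.RestTemplate;

@Configuration
public class PingFederateJwtConfig {

    // Hypothetical property holding the PingFederate certificate URL (not from the page).
    @Value("${idp.cert-uri}")
    private String certUri;

    // Parse the PEM certificate the endpoint returns and take its RSA public key.
    static RSAPublicKey publicKeyFromPem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        // Refuse an expired or not-yet-valid certificate instead of trusting its key.
        cert.checkValidity();
        // Assumes RSA signing; an EC certificate would fail this cast.
        return (RSAPublicKey) cert.getPublicKey();
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() throws Exception {
        // Fetch the raw certificate text; no JSON "value" map is involved.
        String pem = new RestTemplate().getForObject(certUri, String.class);
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // With a verifier set, the converter checks JWT signatures against this key.
        converter.setVerifier(new RsaVerifier(publicKeyFromPem(pem)));
        return converter;
    }

    @Bean
    public TokenStore tokenStore() throws Exception {
        return new JwtTokenStore(accessTokenConverter());
    }
}
```

Whatever key this bean trusts decides which tokens the resource server accepts, so the certificate URL must be fetched over TLS from the IdP host and the key refreshed when PingFederate rotates its signing certificate.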