
Crowd for OAuth with Spring Security REST API

SPence May 12, 2014

Has anyone used Crowd as the authentication mechanism for a Spring REST API? The idea would be JS clients would use Crowd to authenticate against and access a Spring REST API using Spring Security.


1 vote
Answer accepted
Caspar Krieger
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 12, 2014

The idea would be JS clients would use Crowd to authenticate against and access a Spring REST API using Spring Security.

If by that you mean your server uses Crowd's Spring Security integration to handle incoming requests (from javascript clients or otherwise), then yes, that should work (irrespective of whether you're using Spring's facilities to create REST APIs).

If that's not what you were asking (it does seem a pretty general interpretation of your question on my part), then please feel free to clarify :)

SPence May 12, 2014

Yes, the idea is the JS client probably on NGINX would send an auth request to Crowd then receive a JWT or some type of token to let Spring Security know that the client has been authorized and with what roles.

Then Spring Security would handle the security from the Spring side of the application until Spring Security decides to expire the token.

Is that what you were thinking I meant?

Caspar Krieger
Atlassian Team
May 13, 2014

I'm not sure why you would need the javascript client / nginx interceptor here; as indicated by the link in my answer, Crowd ships with ready-to-use Spring Security integration.

(By the way, there also appears to be a third party Nginx module for Crowd, which you may want to investigate.)

If you do choose to write your own integration using Crowd's REST APIs, you should be aware that Crowd's tokens aren't strictly speaking JWTs (even though they are tokens that can be fetched in JSON form), and that Crowd has its own idea of when a token will be expired, so you'll likely be doing some wheel-reimplementing, so to speak.

SPence May 13, 2014

Maybe I don't fully understand the concept as a whole. My thought is the JS client would need to ask Crowd for authentication. Then with this authentication go talk to Spring. Spring itself only communicates to Crowd to know who can talk to it at any given time. Could be an iOS app for that matter.

Caspar Krieger
Atlassian Team
May 13, 2014

That approach will work too :)

SPence May 13, 2014

In a sense I would be using Crowd as an OAuth provider to verify access to a given backend application. Synchronizing users and roles among the backend applications with Crowd. Clients being anything. Crowd being an SSO way of keeping track of everything. Technically could use Spring and roll our own. Would rather use Crowd to avoid building out something.

When you say no support for JWT, is that something in the pipe, or must we use the tokens provided by Crowd?

Caspar Krieger
Atlassian Team
May 13, 2014

We aren't planning any support for JWT. Somewhat surprisingly, it looks like you're the first person who might want it, because there's no issue to track adding support for it to Crowd on jira.atlassian.com. You can create an issue for it if you like (be sure to include as much detail as possible), but of course it's highly unlikely we would get around to implementing it in time for you to use it.
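
The point made in this thread that Crowd tokens are not JWTs and that Crowd decides when they expire, as an added example that is not part of the original thread or Atlassian's code: an opaque token carries no claims, so the backend has to ask Crowd who it belongs to and may cache the answer only briefly. The `crowdLookup` function, the `Session` fields and the sample token are assumptions standing in for a real call to Crowd's REST API.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

public class CrowdTokenCheck {
    // Fields are assumptions about what a backend keeps after Crowd confirms a token.
    record Session(String user, Set<String> roles, Instant crowdExpiry) {}
    private record Cached(Session session, Instant until) {}

    private final Function<String, Optional<Session>> crowdLookup; // hypothetical Crowd REST call
    private final long cacheSeconds; // also the worst-case delay before a Crowd logout is noticed
    private final Map<String, Cached> cache = new HashMap<>();

    CrowdTokenCheck(Function<String, Optional<Session>> crowdLookup, long cacheSeconds) {
        this.crowdLookup = crowdLookup;
        this.cacheSeconds = cacheSeconds;
    }

    Optional<Session> authenticate(String token, Instant now) {
        if (token == null || token.isBlank()) return Optional.empty();
        Cached hit = cache.get(token);
        if (hit != null && now.isBefore(hit.until())) return Optional.of(hit.session());
        cache.remove(token);
        // The token carries no claims, so user, roles and expiry all come from Crowd.
        Optional<Session> fresh = crowdLookup.apply(token).filter(s -> now.isBefore(s.crowdExpiry()));
        fresh.ifPresent(s -> {
            Instant local = now.plusSeconds(cacheSeconds);
            // Never trust a cached answer past the expiry Crowd itself reported.
            cache.put(token, new Cached(s, local.isBefore(s.crowdExpiry()) ? local : s.crowdExpiry()));
        });
        return fresh;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2014-05-13T10:00:00Z");
        // Constructed stand-in for Crowd's session store; the token value is made up.
        Map<String, Session> crowd = new HashMap<>();
        crowd.put("tok-abc", new Session("alice", Set.of("ROLE_USER"), t0.plusSeconds(1800)));
        CrowdTokenCheck check = new CrowdTokenCheck(t -> Optional.ofNullable(crowd.get(t)), 60);

        System.out.println("valid token:       " + check.authenticate("tok-abc", t0).isPresent());
        System.out.println("unknown token:     " + check.authenticate("tok-unknown", t0).isPresent());
        crowd.remove("tok-abc"); // the user logs out in Crowd
        System.out.println("30s after logout:  " + check.authenticate("tok-abc", t0.plusSeconds(30)).isPresent());
        System.out.println("61s after logout:  " + check.authenticate("tok-abc", t0.plusSeconds(61)).isPresent());
    }
}
```

The third call still succeeds because the answer is cached, which is the trade-off of any local cache in front of an opaque-token check: `cacheSeconds` is how long a session revoked in Crowd keeps working at the backend.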
