Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change recommended keystore type and add HTTPS #2

Merged
merged 3 commits into from
Apr 24, 2020
Merged

Change recommended keystore type and add HTTPS #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1b27730
Use PKCS12
ju-cu Apr 23, 2020
8eaaa00
Run with HTTPS
ju-cu Apr 23, 2020
a53b7d6
Fix note in readme
ju-cu Apr 23, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
# Key material and certificates
*.keystore
*.truststore
*.p12
*.cer
*.pem
*.crt

# Compiled class file
*.class
Expand Down
42 changes: 31 additions & 11 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,23 +4,42 @@ This repository contains an example implementation that demonstrate how to use S
There are only two things to consider when configuring the client in the Curity Identity Server:

* choose the authentication method `mutual tls` and make sure it uses the self-signed certificate created below.
* register the following redirect uri for your client: `http://localhost:8080/login/oauth2/code/idsvr`.
* register the following redirect uri for your client: `https://localhost:9443/login/oauth2/code/idsvr`.

The redirect uri is the path of the application where the Curity Identity Server will redirect to after the user was authenticated. In this case we assume that this example will be hosted on `localhost`.

## Create a Self-Signed Certificate
## Create a Self-Signed Server Certificate for HTTPS
We secure this client application with HTTPS on port `9443` and need a certificate for that. Since this is just an example we create a self-signed certificate. Do not use self-signed certificates in production environments.

```bash
keytool -genkeypair -alias https -keyalg RSA -keysize 4096 -keystore server.p12 -storepass Secr3t -storetype pkcs12 -validity 10 -dname "CN=localhost, OU=Example, O=Curity AB, C=SE"
```
Place the key store `server.p12` in `src/main/resources`. Update the application configuration file `src/main/resources/application.yml` to run HTTPS on port `9443`:

```yaml
server:
port: 9443
ssl:
key-store: classpath:server.p12
key-store-password: Secr3t
key-store-type: pkcs12
key-store-alias: https
```
> **Note**: The browser will not trust this self-signed server certificate. You may notice an `SSLHandshakeException` in the console when running this example. Make sure your browser trusts the certificate if you want to get rid of the error.

## Create a Self-Signed Certificate for MTLS
For mutual TLS client authentication to work you need a client certificate. Create a Java keystore with the self-signed certificate.

```bash
keytool -genkey -alias demo-client -keyalg RSA -keysize 4096 -keystore demo-client.keystore -storepass Secr3t -validity 10 -dname "CN=demo-client, OU=Example, O=Curity AB, C=SE"
keytool -genkeypair -alias demo-client -keyalg RSA -keysize 4096 -keystore demo-client.p12 -storepass Secr3t -storetype pkcs12 -validity 10 -dname "CN=demo-client, OU=Example, O=Curity AB, C=SE"
```

Place the key store in `src/main/resources`. See [Configure Application](#configure-application) for details.

Export the certificate and use it to configure the client at the Curity Identity Server. See [Curity Identity Server Configuration](#curity-identity-server-configuration).

```bash
keytool -export -alias demo-client -keystore demo-client.keystore -storepass Secr3t -file demo-client.cer
keytool -export -alias demo-client -keystore demo-client.p12 -storepass Secr3t -storetype pkcs12 -file demo-client.cer
```

## Curity Identity Server Configuration
Expand Down Expand Up @@ -51,7 +70,7 @@ To run this example you need to setup some configurations in the Curity Identity

![image](./docs/images/client-capabilities.png)

1. Update the `Redirect URIs` setting for the `demo-client`. The redirect URI should be `http://localhost:8080/login/oauth2/code/idsvr`.
1. Update the `Redirect URIs` setting for the `demo-client`. The redirect URI should be `https://localhost:9443/login/oauth2/code/idsvr`.

![image](./docs/images/client-redirect-uri.png)

Expand Down Expand Up @@ -91,15 +110,16 @@ Place the keystore created above in the `resources` folder and configure the SSL
custom:
client:
ssl:
key-store: demo-client.keystore
key-store: demo-client.p12
key-store-password: Secr3t
key-store-type: pkcs12
```

## Trust Server Certificate
The application, in particular the underlying `WebClient` implementations that handle the requests to the token server namely to the Curity Identity Server, must trust the certificate provided by the server. Put the server certificate in a trust store:
The application, in particular the underlying `WebClient` implementations that handle the requests to the token server namely to the Curity Identity Server, must trust the certificate provided by the server. Put the server certificate (`idsvr.cer`) in a trust store:

```bash
keytool -import -file localhost.cert -alias myServer -keystore localhost.truststore
keytool -import -file idsvr.cer -alias idsvr -keystore idsvr.p12 -storepass changeit -storetype pkcs12 -noprompt
```

Place the trust store in the `resources` folder and update the SSL/TLS settings for the oauth client in `application.yml`:
Expand All @@ -108,9 +128,9 @@ Place the trust store in the `resources` folder and update the SSL/TLS settings
custom:
client:
ssl:
trust-store: localhost.truststore
trust-store: idsvr.p12
trust-store-password: changeit
#trust-store-type: jks
trust-store-type: pkcs12
```

> **Note** You may use a self signed certificate for the Curity Identity Server but make sure it is a valid certificate for the server name, i.e the certificate must include the hostname of the server in the subject or the list of subject alternative names. The client will otherwise reject the certificate and communication with the server will not work.
Expand All @@ -122,7 +142,7 @@ To start the application run
./gradlew bootRun
```

Open `http://localhost:8080` in your browser. It will automatically start a login flow.
Open `https://localhost:9443` in your browser. It will automatically start a login flow.

## More Information
More information about OAuth 2.0, OpenID Connect and the Curity Identity Server can be found here:
Expand Down
Binary file modified docs/images/client-redirect-uri.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
15 changes: 11 additions & 4 deletions src/main/resources/application.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
server:
port: 8080
port: 9443
ssl:
key-store: classpath:server.p12
key-store-password: Secr3t
key-store-type: pkcs12
key-store-alias: https

logging:
level:
Expand Down Expand Up @@ -33,7 +38,9 @@ spring:
custom:
client:
ssl:
key-store: demo-client.keystore
key-store: demo-client.p12
key-store-password: Secr3t
trust-store: localhost.truststore
trust-store-password: changeit
key-store-type: pkcs12
trust-store: idsvr.p12
trust-store-password: changeit
trust-store-type: pkcs12