Add support for OAuth 2.0 to Flowable's REST APIs

Contemporary applications use OpenID Connect for authentication and OAuth 2.0 (scopes and claims) for authorization.

Describe the solution you’d like
Add support for OAuth 2.0 to Flowable’s REST APIs.

See:

Describe alternatives you’ve considered
Currently, Flowable only supports Basic Auth.

See: https://github.com/flowable/flowable-engine/issues/660#issue-274448784

Additional context
See: Flowable Issues - 2126

I agree it’s nice to have, but it’s currently not on our roadmap. Or are you thinking about a contribution (with which we can assist of course)?

@joram

I’ve had a look at Spring Security’s support for OAuth 2.0.

git clone https://github.com/spring-projects/spring-security.git

Build:

cd ~/spring-security/samples/boot/oauth2resourceserver
gradle clean build

Run:

java -jar ./build/libs/spring-security-samples-boot-oauth2resourceserver-5.3.0.BUILD-SNAPSHOT.jar

The hard coded tokens work as expected.

I updated the application.yml to point to my Authorization Server (Keycloak):

spring:
  main:
    banner-mode: "off"

---
logging:
  level:
    root: INFO

---
logging:
  level:
    org.springframework.security: DEBUG

---
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:10001/auth/realms/development/protocol/openid-connect/certs

curl http://localhost:10001/auth/realms/development/protocol/openid-connect/certs

{
    "keys": [
        {
            "kid": "Zzq49qnky3j2seAxDtRsJU0QdUj4cfMhw44QlDcBAi8",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "jLZBNwKjf6-ENABVI_mkhcwlwbs5DIEP6o4zvlM2GpSiSCEgP9No-irYPeP5tugbXyeQGKmqUkmNBfVjqUMxVgG7_zmqfgsABMEkwWhgFfFoGa0jjN43wsDV7nqLs3erQkSB81vyuFq0fXvTWwwXny0v11IcR2OWmPENzPzgNb194JoODuNInW9ymt6TTaV0BvLNGAj3_8W3_WijUfZuudxdkZ00ciwJrjAJ-5Bz4DRaBCB64EZc5A1DtbSWgpftZtOjRX5_CAVctZnV0bxZad2h7e4df98Mla0S15b79TjCFywAXOlBqDqFL8sNQZR9nbrYo0qtvPsViaAbpj2Fsw",
            "e": "AQAB",
            "x5c": [
                "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"
            ],
            "x5t": "srWjtAz9zfU3P4QEQ8scY3Aft4Y",
            "x5t#S256": "SRhwmA6NSKFv8gFL1Jk-q--ew69oAl8Bl7Ik3QFl7xM"
        }
    ]
}

I rebuilt the sample:

gradle clean build -x test -x integrationTest

Run:

java -jar ./build/libs/spring-security-samples-boot-oauth2resourceserver-5.3.0.BUILD-SNAPSHOT.jar

I used Postman to obtain a valid token from Keycloak:

And, it worked :slight_smile:

I then created my own sample REST API (using Spring Boot, JPA, HATEOAS, Spring Security, …).

See:

It seems pretty straightforward to add support for OAuth 2.0 JWT access tokens.

@joram

I’ve also had a look at the Flowable Spring Boot Starters.

For example (pom.xml):

    <!-- Add Flowable dependencies -->
  
    <dependency>
      <groupId>org.flowable</groupId>
      <artifactId>flowable-spring-boot-starter-process-rest</artifactId>
      <version>${flowable.version}</version>
    </dependency>
    
    <dependency>
      <groupId>org.flowable</groupId>
      <artifactId>flowable-ldap</artifactId>
      <version>${flowable.version}</version>
    </dependency>

Which works as expected:

H2 console:

Wow, that’s amazing work. So basically you’ve got the starters + JWT pretty much going? Planning to write a blog about it :smiley:?

@joram

See: Flowable OAuth2 Resource Server

Thanks for the good blog.
But with the authentication resource server we only wrap the Flowable REST API in Spring.
We can't use this user information for the identity service, the same as logging the user when a task is finished…
How do we change httpBasic (which Flowable supports by default) to AuthenticationResource without changing the root code?

That would need some changes indeed - however Flowable is using Spring Security behind the scenes, so all changes should be properly documented in the Spring Boot docs.

Yes, I agree with Joram about it,
because we can add our own filter and provider for our security.

From the adapter we can use AuthenticationContext to get the user info.
It is a way to get user info when we use another security system.
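One way to put the two halves of this thread together, as an added example that is not code from the thread, from Flowable or from Spring: the jwk-set-uri configuration shown earlier makes Spring Security validate the Keycloak JWT, and the filter below (the kind of filter the last posts talk about) copies the validated principal into Flowable's thread-local Authentication so the engine records that user when a task is completed. It assumes Spring Security 5.3 with the lambda DSL, Flowable 6's org.flowable.common.engine.impl.identity.Authentication, that the Keycloak preferred_username claim is the Flowable user id, and that no other WebSecurityConfigurerAdapter claims the same endpoints first; JwtResourceServerConfig and FlowableUserFilter are names chosen here.

```java
import org.flowable.common.engine.impl.identity.Authentication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;

@Configuration
@EnableWebSecurity
public class JwtResourceServerConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless bearer-token API: no session, no Basic Auth. Signatures are checked against
        // the spring.security.oauth2.resourceserver.jwt.jwk-set-uri from application.yml.
        http.csrf().disable()
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt())
            // runs after the token was validated, so the SecurityContext already holds the JWT
            .addFilterAfter(new FlowableUserFilter(), BearerTokenAuthenticationFilter.class);
    }

    /** Hands the token's user to Flowable so completed tasks, comments, etc. are attributed to it. */
    static class FlowableUserFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            org.springframework.security.core.Authentication auth =
                    SecurityContextHolder.getContext().getAuthentication();
            String userId = null;
            if (auth instanceof JwtAuthenticationToken) {
                Jwt jwt = ((JwtAuthenticationToken) auth).getToken();
                // Assumption: Keycloak's preferred_username is the Flowable user id; fall back to sub
                userId = jwt.getClaimAsString("preferred_username");
                if (userId == null) userId = jwt.getSubject();
            }
            try {
                Authentication.setAuthenticatedUserId(userId); // thread-local the engine reads
                chain.doFilter(req, res);
            } finally {
                Authentication.setAuthenticatedUserId(null); // never leak across pooled threads
            }
        }
    }
}
```

Whatever claim you map to the user id must be one the Authorization Server guarantees (here the realm's preferred_username), otherwise a token from another realm or client could be attributed to the wrong Flowable user.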