Add support for OAuth 2.0 to Flowable's REST APIs

Contemporary application’s use OpenID Connect for Authentication and OAuth 2.0 (scopes and claims) for Authorization.

Describe the solution you’d like
Add support for OAuth 2.0 to Flowable’s REST APIs.

See:

Describe alternatives you’ve considered
Currently, Flowable only supports Basic Auth.

See: https://github.com/flowable/flowable-engine/issues/660#issue-274448784

Additional context
See: Flowable Issues - 2126

I agree it’s nice to have, but it’s currently not on our roadmap. Or are you thinking about a contribution (with which we can assist of course)?

@joram

I’ve had a look at Spring Security’s support for OAuth 2.0.

git clone https://github.com/spring-projects/spring-security.git

Build:

cd ~/spring-security/samples/boot/oauth2resourceserver
gradle clean build

Run:

java -jar ./build/libs/spring-security-samples-boot-oauth2resourceserver-5.3.0.BUILD-SNAPSHOT.jar

The hard coded tokens work as expected.

I updated the application.yml to point to my Authorization Server (Keycloak):

spring:
  main:
    banner-mode: "off" 

---
logging:
  level: 
    root: INFO 

---
logging:
  level:
    org.springframework.security: DEBUG

---
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:10001/auth/realms/development/protocol/openid-connect/certs

curl http://localhost:10001/auth/realms/development/protocol/openid-connect/certs

{
    "keys": [
        {
            "kid": "Zzq49qnky3j2seAxDtRsJU0QdUj4cfMhw44QlDcBAi8",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "jLZBNwKjf6-ENABVI_mkhcwlwbs5DIEP6o4zvlM2GpSiSCEgP9No-irYPeP5tugbXyeQGKmqUkmNBfVjqUMxVgG7_zmqfgsABMEkwWhgFfFoGa0jjN43wsDV7nqLs3erQkSB81vyuFq0fXvTWwwXny0v11IcR2OWmPENzPzgNb194JoODuNInW9ymt6TTaV0BvLNGAj3_8W3_WijUfZuudxdkZ00ciwJrjAJ-5Bz4DRaBCB64EZc5A1DtbSWgpftZtOjRX5_CAVctZnV0bxZad2h7e4df98Mla0S15b79TjCFywAXOlBqDqFL8sNQZR9nbrYo0qtvPsViaAbpj2Fsw",
            "e": "AQAB",
            "x5c": [
                "MIICmzCCAYMCBgFvIWexnTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMTkxMjIwMDM0MjIxWhcNMjkxMjIwMDM0NDAxWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCMtkE3AqN/r4Q0AFUj+aSFzCXBuzkMgQ/qjjO+UzYalKJIISA/02j6Ktg94/m26BtfJ5AYqapSSY0F9WOpQzFWAbv/Oap+CwAEwSTBaGAV8WgZrSOM3jfCwNXueouzd6tCRIHzW/K4WrR9e9NbDBefLS/XUhxHY5aY8Q3M/OA1vX3gmg4O40idb3Ka3pNNpXQG8s0YCPf/xbf9aKNR9m653F2RnTRyLAmuMAn7kHPgNFoEIHrgRlzkDUO1tJaCl+1m06NFfn8IBVy1mdXRvFlp3aHt7h1/3wyVrRLXlvv1OMIXLABc6UGoOoUvyw1BlH2dutijSq28+xWJoBumPYWzAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADMNWMWqzFcfMbNcyCSRsI+GmjVSnvEHR7lrAGZJjnqN2MIKN1cHYPfzzxqvkfWODJIyGsO25Tw+sNiFlg1f+o+dh3Szh2T+3ZLiC8VLT+bhdDOjvAaGomRzZC4haYIs8jzJb2p9y9+5pqk/TvUaoJLWrSuBUNxPj6paYmiksP88NWvWO35SRAq5o8G7XuZE4UCJK0ytqPpiasDFOfDS6nASuZEy2/s4RtDFeTt04oaW6EHOjcCv7vDtGHyi8o34sr1iKT/zYs298yniJdI7sHhwzDs2y77+/LOWT5D8Xtma8T9449cla7XxfQhUNKmSRvdhI3pn7s4lm5D5YEx3+QY="
            ],
            "x5t": "srWjtAz9zfU3P4QEQ8scY3Aft4Y",
            "x5t#S256": "SRhwmA6NSKFv8gFL1Jk-q--ew69oAl8Bl7Ik3QFl7xM"
        }
    ]
}

I rebuilt the sample:

gradle clean build -x test -x integrationTest

Run:

java -jar ./build/libs/spring-security-samples-boot-oauth2resourceserver-5.3.0.BUILD-SNAPSHOT.jar

I used Postman to obtain a valid token from Keycloak:

And, it worked :slight_smile:

I then created my own sample REST API (using Spring Boot, JPA, HATEOAS, Spring Security, …).

See:

It seems pretty straight forward to add support for OAuth 2.0 JWT access tokens.

@joram

I’ve also had a look at the Flowable Spring Boot Starters.

For example (pom.xml):

    <!-- Add Flowable dependencies -->
  
    <dependency>
      <groupId>org.flowable</groupId>
      <artifactId>flowable-spring-boot-starter-process-rest</artifactId>
      <version>${flowable.version}</version>
    </dependency>
    
    <dependency>
      <groupId>org.flowable</groupId>
      <artifactId>flowable-ldap</artifactId>
      <version>${flowable.version}</version>
    </dependency>

Which works as expected:

H2 console:

Wow, that’s amazing work. So basically you’ve got the starters + JWT pretty much going? Planning to write a blog about it :smiley:?

@joram

See: Flowable OAuth2 Resource Server

Thank for good blog.
But with authentication resource server we only wrap flowable rest into spring.
We can’t using this user information for identity service. same as log user when finish task…
How to change httpBasic (which support default by flowable) to AuthenticationResource without change root code

That would need some changes indeed - however Flowable is using Spring Security behind the scenes, so all changes should be properly documented in the Spring Boot docs.