Use jwt for authentication

ayrshid99 · October 23, 2019, 8:41am

we have a system in place which authenticates users and return JWT tokens, so instead of using flowable-idm we have to use that token to give access to users to flowable applications. can any point where i can start from? thanks

pstapleton · October 25, 2019, 7:55am

Hi,

I’ve done something similar previously and I got it working by replacing the FlowableCookieFilter class in the flowable-modeler (and other) application. In this class the cookie is read and checked for validity against flowable-idm. But instead you could just check that the JWT is valid and contains the correct access rights directly.

github.com

flowable/flowable-engine/blob/master/modules/flowable-ui-common/src/main/java/org/flowable/ui/common/filter/FlowableCookieFilter.java

/* Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.flowable.ui.common.filter;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;

This file has been truncated. show original

Regards,
Paul

ayrshid99 · October 29, 2019, 5:52am

thank you for the reply. Apart from this what else did you change for fetching users and groups.

bwangfdu · October 29, 2019, 11:02pm

I did some work to support JWT token issued from Azure AD. I added a PreAuthentication to Flowable-IDM and verify the token there. But I still use IDM to managing the privileges.

ayrshid99 · October 30, 2019, 9:08am

i am trying to do something similar, but my users and groups will come from the rest api something similar to LDAP.

bwangfdu · October 30, 2019, 3:02pm

If you are doing some work really similar to LDAP, I think you can create a IdentityService implement similar with LDAPIdentityServiceImpl and initial it as bean in IDM app. The only problem of this service interface is it can only verify user by username and password. That’s the reason I use PreAuthenticatedAuthenticationToken. Another benefit is it can support the original authentication at the same time.

ACoulson · May 30, 2020, 9:15pm

@bwangfdu I’m also wanting to use a previously issued JST token. Can you describe in a little more detail what you mean by adding PreAuthentication to Flowable-IDM?

bwangfdu · May 31, 2020, 5:31pm

You can create a filter, which filters only your login callback. In the filter, you can get the token from request object, and then verify it. If verified you can get the user details from UserDetailService injected, and create a PreAuthenticatedAuthenticationToken from the user details, then put it into the SecurityContext. You will get your user logged in. You can also inject IdmIdentityService to manipulate the user entity.

umutkazan · April 24, 2022, 11:51am

I guess I am necroposting but I am trying to do the same thing recently but no luck so far. Users already logged in via keycloak and I wanted to use jwt. This is my security config

.and()
.oauth2Login()  //redirect to login if no token or session is provided
.and()
// .addFilterBefore(keycloakTokenFilter, UsernamePasswordAuthenticationFilter.class)
//  .and()
.oauth2ResourceServer().jwt(); //validate JWT Bearer token

if there is no sesion or token, it redirects users to keycloak login and it works fine because it produces Oauth2AuthenticationToken, but oauth2ResourceServer() produces JwtAuthenticationToken and it leads to “org.flowable.ui.common.service.exception.NotFoundException” for some reason. How did you create PreAuthenticatedAuthenticationToken, can you explain further?

Any help would be appreciated. Thanks in advance

Topic		Replies	Views
Authentication from another app Flowable Engine	5	1655	September 5, 2017
Authentication for api rest Flowable Engine	2	2335	September 29, 2017
Authenticate user - REST API Flowable Engine	1	909	August 6, 2018
Hard coupling of Flowable Admin to Flowable IDM Flowable Application	0	462	February 24, 2021
Usage of Flowable IDM Flowable Application	2	491	September 14, 2020

Use jwt for authentication

Related Topics