I have a Spring cloud API gateway talking to keycloak server for JWT authentication. If I run my application from eclipse and keycloak as single docker container, it works fine. However when I run my spring boot application as docker container(using docker compose or kubernetes) its unable to authorize with keycloak throws following error.
org.springframework.security.oauth2.jwt.JwtDecoderInitializationException: Failed to lazily resolve the supplied JwtDecoder instance
at org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder.wrapException(SupplierReactiveJwtDecoder.java:48) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
.
.
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "http://keycloak-server:8080/realms/master"
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:161) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:79) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
Are there any additional configurations required for this situation?
If the keycloak and springboot applications are deployed in different namespace, you would need to include the namespace in the keycloak url configured in your springboot application (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services).
Also you might need to check if the kubernetes service for keycloak is configured correctly.
To solve this modified few things
Created new realm instead of using default master realm
Instead of using keycloak kubernetes service name in issuer url, used host.docker.internal ip
While generating JWT from postman used same host.docker.internal ip in the token generation url
Related
I am running Spring Cloud Gateway with Spring Boot version 2.5.8 and Spring Cloud version 2020.0.5.
I am trying to configure Spring Cloud Gateway to validate JWT access tokens using Spring Security and thus the gateway needs to connect to the OAuth2 Authorization server external to my company's network. As per company standard, I am using a proxy host to connect to the external Authorization server and I have set the http.proxy* and https.proxy* environment variables ie
-Dhttp.proxyHost=my-proxy.com -Dhttp.proxyPort=3328 -Dhttps.proxyHost=my-proxy..com -Dhttps.proxyPort=3328 -Dhttp.proxySet=true -Dhttps.proxySet=true
and well as the properties in application.yml. ie
spring:
cloud:
httpclient:
proxy:
host: my-proxy.com
port: 3328
But I am getting timeout error when connecting to the external Authorization Server. The proxy host and port are correct and are working for other Spring Boot projects using Spring MVC. I saw this question/answer
spring-boot app as spring-cloud-gateway has to use a proxy: JVM arguments not used NOR spring.cloud.gateway.httpclient.proxy.****
But my entries in application.yml is not working. Would appreciate if someone can provide some advice on resolving the issue.
Thanks
I have keycloak running in Docker and have another container running a spring based java app that is attempting to connect to keycloak. The error message I keep getting is: Unable to resolve Configuration with the provided issuer of "http://keycloak:8080/auth/realms/someproject". the realm name does exist in the keycloak DB. I can curl to the above URL from any other container. But the web app keeps giving me that message. Any hints would help. Thanks, Bill
Try to expose your keycloak container port and set provided issuer like this http://docker-host-ip:exposed-port/auth/realms/someproject
I'm trying to run a Spring Boot Admin application on Kubernetes using Spring Cloud Discovery (without Eureka or Zuul. It directly scrapes from Kubernetes API)
I've setup necessary RBAC and Ingress/Egress for the application to access Kubernetes API and the relevant services in the cluster.
The application is initially fetching all the information regarding the services but it's failing with below error when trying to communicate with individual pods in the namespace
reactor.netty.http.client.PrematureCloseException: Connection prematurely closed
When I try to curl the particular pods from the pod with Spring Boot Admin app:
When I try with FQDN of the service it returns fine with the response
curl {service}.{namespace}.svc.cluster.local/actuator/info
When I do the same with the PodIp ( the one which Spring Boot Admin is struggling to connect to ):
curl 10.x.x.x:8080/actuator/info
I get this error
curl: (56) Recv failure: Connection reset by peer
Is there any particular netpol for pods to be accessed directly rather through the service's cluster IP? Because Spring Boot Admin tries to monitor all the individual pods in the services.
Or is there a workaround/approach where it isn't required by the Spring Boot Admin app to send requests to all the individual pods?
here i am trying to get a list with users from keycloak.
it works withe docker compose, but not in openshift?!
my application.property
keycloak.enabled=true
keycloak.realm=somname
keycloak.ssl-required=none
keycloak.resource=someapp
keycloak.public-client=true
keycloak.auth-server-url=${KEYCLOAK_AUTH-SERVER-URL:https://localhost/auth}
keycloak.disable-trust-manager=true
app.connectors.KeyCloakAdminConnector.serverUri=${KEYCLOAK_ADMIN-URL:http://idm.local:8081/auth}
app.connectors.KeyCloakAdminConnector.realm=${keycloak.realm}
app.connectors.KeyCloakAdminConnector.username=admin
app.connectors.KeyCloakAdminConnector.password=pass
app.connectors.KeyCloakAdminConnector.clientId=${keycloak.resource}
As a solution i changed the:
keycloak-admin-url: 'my-keycloak-route/auth'
in application.property to
keycloak-admin-url: 'http://myservice-keycloak-http:8080/auth'
so i change the connection between the Spring boot App and Keycloack from Rout-Object to a Service-Object.
its works because Service is not https. so i dont need to provide a certificate to JVM keytrust in the Spring boot App
I have implemented sample spring boot rest API(protected) and authenticated it with locally installed keycloak server. It works perfectly fine.
Later i tried to do the same using keycloak docker, able to get access token using postman, however getting 403 forbidden error(Tested from postman) while trying to access protected service.
Instead of using access token, even i tried using RPT token, but still the same error. I'm unable to access any of the protected service.
What steps do i need to take to access protected services using keycloak Docker ?
application.properties
keycloak.realm=Demo
keycloak.auth-server-url=http://XXX.XX.X.XX:8080/auth -- Keycloak Docker
keycloak.ssl-required=none
keycloak.resource=Demo_Client
keycloak.bearer-only=true
keycloak.credentials.secret=44dae7ee-d81d-4070-a307-2315764afa39
keycloak.use-resource-role-mappings=false
keycloak.cors=true
keycloak.securityConstraints[0].authRoles[0]=admin
keycloak.securityConstraints[0].authRoles[1]=manager
keycloak.securityConstraints[0].securityCollections[0].patterns[0] =/demoRestApi
keycloak.policy-enforcer-config.paths[0].path=/demoRestApi
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view
keycloak.policy-enforcer-config.paths[0].methods[1].method=DELETE
keycloak.policy-enforcer-config.paths[0].methods[1].scopes[0]=delete