Keycloak refresh_token lifetime 0 when accessing rest api via spring-reactive-web - spring

I hope my explanation is good enough ^^
I've got the following setup:
Keycloak server running at keycloak.url.com
spring application running at localhost:8081
postman accessing: localhost:8081/token
I'm trying to create a kind of "proxy-app" for keycloak with spring-boot because their api doesn't accept json as media-type. So I created a spring-app with all the necessary requests using reactive-web (I also tried using RestTemplate, but that didn't change anything)
When using Postman directly accessing the keycloak api at keycloak.url.com/realm/{realmname}/.... everything works fine but when sending a request via my spring-app I get a refresh_token with a lifetime of 0 seconds
refresh_token_lifetime
I am using the same client_id, client_secret, etc... and tried debugging everything

Related

Using Kong API Gateway key-auth plugin with keycloak protected rest apis

My setup is as follows:
Rest APIs (Spring boot)
Front-end application (Angular 8)
Auth Server (Keycloak)
Current scenario:
User enters the username and password in the angular login page.
Angular makes a POST request and gets the access token, refresh token etc. from keycloak server.
In all subsequent request to rest api server(which is bearer only), the access token is passed in
header as "Authorization: Bearer <ACCESS_TOKEN>"
Rest api looks at the role of the user and based on that either returns the desired data or throws a 403 Forbidden exception.
What I want:
To authenticate external users using an api-key and then add rate-limiting to it. For that, I am using Kong API Gateway. For internal or trusted users that login through the angular app, the existing access token flow should work.
Issue:
When using apikey in Kong, it does pass Kong's authentication but the rest api server still expects an access token and hence I get the 401 unauthorized error.
I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using the Kong's key-auth plugin for api-key based security and openid-connect plugin for keycloak based security.
For those who don't have Kong Enterprise, since openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the keycloak based authentication in your rest application.
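The "handle the keycloak based authentication in your rest application" part of the answer above, as an added example that is not from the question or answer author: the REST app inspects the consumer headers Kong forwards after key-auth (X-Consumer-Username, X-Anonymous-Consumer) and falls back to a Keycloak bearer token only for the anonymous consumer. The gateway-secret header, the anonymous consumer name and the verify_bearer callback are assumptions for this example; the secret header exists because those X-Consumer-* headers are only trustworthy when the request provably came through Kong.

```python
import hmac

# Constructed values for this example (not from the question or answer):
GATEWAY_SECRET = "constructed-gateway-secret"   # header Kong adds on every proxied request
                                                # (assumption: e.g. via request-transformer)
ANONYMOUS_CONSUMER = "anonymous"                # username of the anonymous consumer in key-auth


def authenticate(headers, verify_bearer):
    """Decide how a request was authenticated.

    headers       : mapping of lower-cased header names to values, as received by the REST app
    verify_bearer : callable(token) -> claims dict, raising ValueError on an invalid token
                    (in practice this validates the Keycloak-issued JWT signature and expiry)
    Returns (principal, method) or raises PermissionError.
    """
    # Kong's X-Consumer-* headers only mean something if the request really came through Kong;
    # a caller that can reach the app directly could otherwise set them itself.
    if not hmac.compare_digest(headers.get("x-gateway-secret", ""), GATEWAY_SECRET):
        raise PermissionError("request did not come through the gateway")

    if headers.get("x-anonymous-consumer", "").lower() != "true":
        # key-auth matched a real consumer: the api key identifies the external user
        user = headers.get("x-consumer-username")
        if not user:
            raise PermissionError("gateway passed no consumer identity")
        return user, "apikey"

    # Anonymous consumer: no valid api key was presented, so require a Keycloak bearer token
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("no api key and no bearer token")
    try:
        claims = verify_bearer(auth[len("Bearer "):])
    except ValueError as exc:
        raise PermissionError(f"invalid bearer token: {exc}") from exc
    return claims["preferred_username"], "bearer"
```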

How to handle cookies with Azure AD authentication, Apache Reverse Proxy and Tomcat?

I have an Angular App with a Spring Boot Backend. I use "azure-active-directory-spring-boot-starter" for the authentication via Azure AD. Everything works fine locally.
After the successful external (azure) login "https://local.../login/oauth2/code/azure?code=..." is called.
The request headers on this request contain authorization cookies from azure and the response header contains two "set-cookie"-entries: JSESSIONID, XSRF-TOKEN
After that request the user is logged in as expected.
With the production setup however it seems, that cookies are not set successfully.
The application runs on a Tomcat 9 behind an Apache reverse proxy. The azure login itself is successful.
Also the request headers contain the two cookies, however "set-cookie" is not set. Any ideas how to solve this?

OIDC - Implementing OAuth2 with IdentityServer3 and Spring Boot

Our application is a Spring Boot application and we have gotten a requirement to implement OAuth2 authorization with the IdentityServer3 as the provider.
However, with everything set up properly, we keep getting the error The client application is not known or is not authorized. when redirected to the login screen of the SSO system.
Using postman, we are able to access the login screen when clicking 'Get New Access Token'
Using AdvanceRestClient, we get the same error as our Spring Boot application.
Checking the log of these 2 tools, I found that on postman, the request will POST to the Access Token URL first, while on both Spring Boot security and the AdvanceRESTClient, it will generate a GET URI to the authorize URL.
Example of POSTMAN:
POST https://login.xxx.com.my/LoginHost/core/connect/token
Example of AdvanceRESTClient first request:
GET https://login.xxxx.com.my/LoginHost/core/connect/authorize?response_type=code&client_id=xxx.web&redirect_uri=https%3A%2F%2Fauth.advancedrestclient.com%2Foauth-popup.html&scope=openid%20email%20profile&state=XXX
This is confusing. Which behaviour is correct? And why is there a difference there?
Hope anyone can help with this. Thanks.
* UPDATE 1 *
POSTMAN settings:
AdvanceRESTClient:
After looking at the console logs of both clients, it seems that the issue is caused by the redirect-url. After changing the redirect url on AdvancedRestClient to match with postman settings then it works.

how to get access token through Keycloak REST API

I'm trying to get the access token using Keycloak Rest API in my spring boot Application
here is my URL that I passed in Postman using post method,
http://localhost:8180/auth/realms/springboot/protocol/openid-connect/token ,
here test is my realm
and in body part as www-form-urlencoded content type, I have passed
username, password, client_id, grant_type as password,
I have done the part in admin console also, setting up realm and other things,
the response I am getting in postman is 404 not found,
the expected output is the access token.
----
here is my configuration in my app
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=springboot
keycloak.resource=springboot
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/save/*
----
here is the screenshot of response that I'm getting
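An added example (not code from either question's author) covering both this question and the first one on the page: the token endpoint URL is derived from keycloak.auth-server-url and keycloak.realm exactly as configured above, the request is sent form-encoded rather than as JSON, and the response is inspected so that a refresh_expires_in of 0 is reported, distinguishing an offline token (which legitimately has no lifetime) from an ordinary refresh token that is expired on arrival. The sample response and the unsigned JWTs inside it are constructed for the test, not real Keycloak output.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request


def token_url(auth_server_url, realm):
    # keycloak.auth-server-url + /realms/{realm}/protocol/openid-connect/token
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def token_request(auth_server_url, realm, form):
    # The endpoint only accepts application/x-www-form-urlencoded, so never send JSON here.
    return Request(token_url(auth_server_url, realm), data=urlencode(form).encode(),
                   headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")


def jwt_claims(token):
    # Decode (without verifying) the JWT payload so exp/typ can be inspected for diagnostics.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def inspect_token_response(body, now=None):
    """Summarise a token response and flag a refresh token the client can never use."""
    resp = json.loads(body)
    now = time.time() if now is None else now
    info = {"expires_in": resp.get("expires_in"), "refresh_expires_in": resp.get("refresh_expires_in"),
            "refresh_typ": None, "refresh_exp_in": None, "problem": None}
    if resp.get("refresh_token"):
        claims = jwt_claims(resp["refresh_token"])
        info["refresh_typ"] = claims.get("typ")          # Keycloak uses "Refresh" or "Offline"
        if claims.get("exp"):
            info["refresh_exp_in"] = round(claims["exp"] - now)
    # An offline token (offline_access scope) reports 0 because it does not expire; an ordinary
    # refresh token with lifetime 0 is expired on arrival and any refresh call will fail.
    if info["refresh_expires_in"] == 0 and info["refresh_typ"] != "Offline":
        info["problem"] = "refresh token expires immediately"
    return info


# Constructed sample response (not real Keycloak output) reproducing the 0-second symptom:
_NOW = 1_700_000_000
def _fake_jwt(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
SAMPLE_RESPONSE = json.dumps({
    "access_token": _fake_jwt({"typ": "Bearer", "exp": _NOW + 300}), "token_type": "Bearer",
    "expires_in": 300, "refresh_expires_in": 0,
    "refresh_token": _fake_jwt({"typ": "Refresh", "exp": _NOW}),
})
```

Calling inspect_token_response(SAMPLE_RESPONSE, now=_NOW) reports the problem field; with a live server, pass the body returned by urllib.request.urlopen(token_request(...)).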

Changing SSL Certificate and associated domain gives a 401 when it didn't before

I have an application with multiple services. One of them is the auth service that takes care of creating the jwt after checking that the client id (i.e. browser or app) is valid and provided username/password is also valid.
I have another service (gateway) that redirect to other services any requests from the users using the jwt token for authentication.
All this works and has been working for a few years. It is based on Spring Boot using Spring Security (starter v2.1.5). It is soon time to renew our certificate and at the same time move to our new domain. The new certificate has been applied to the Google Cloud Platform load balancer.
The call for health check using the Spring Actuator is responding with the proper "UP" (in json) response. When I try to make the call from same Postman request (with new domain name used) I get the following response with a 401 code:
{
"error": "unauthorized",
"error_description": "Full authentication is required to access this resource"
}
I do have the proper clientid and password/secret encoded using base64 (hey it worked before and nothing else was changed).
I tried to debug setting @EnableWebSecurity(debug = true), but it generates zero logs from the request.
If I switch back the certificate to old one (and old domain), it works again without any other changes. This has been driving me a bit on the crazy side to say the least. Any help, suggestion, ideas would be appreciated.
It ended up being an error on my part. When I added the A class resources during the copy paste of Load Balancer IP, I put the same IP for both of my services (i.e. one of the copies didn't stick). Ending up in calling security on the gateway service when asking for the auth token.
Thanks for the comment @Boris-Treukhov
