spring boot multiple servers login issue - spring-boot

We have a Spring Boot project that used to use only one server. We recently switched to using two servers for the same Spring Boot application. Now the users are frequently asked to log in. We found out that this happens if a user logged in on one server and a new request is sent to the other server.
I am sure this is a very common issue with known solutions. Could anyone point me in the right direction on how to fix the login issue? Thanks a lot!

Related

Issue in migrating OAuth2 SSO provider of Spring boot application from one provider to another

I am working on migrating the OAuth2 SSO provider for my Spring Boot application from SSOProvider1 to SSOProvider2.
My application has been working fine with SSOProvider1. The relevant properties are as follows:
spring.security.oauth2.client.registration.ssprovider1.client-id=abcd
spring.security.oauth2.client.registration.ssprovider1.client-secret=1234
spring.security.oauth2.client.registration.ssprovider1.scope=api
spring.security.oauth2.client.registration.ssprovider1.client-authentication-method=basic
spring.security.oauth2.client.registration.ssprovider1.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.ssprovider1.token-uri=https://ssoprovidr1.base.com/token
spring.security.oauth2.client.provider.ssprovider1.authorization-uri=https://ssoprovidr1.base.com/authorize
spring.security.oauth2.client.provider.ssprovider1.user-info-uri=https://ssoprovidr1.base.com/userinfo
spring.security.oauth2.client.provider.ssprovider1.user-name-attribute=name
Now, as part of the migration, for SSOProvider2, I have changed only the following values:
spring.security.oauth2.client.registration.ssprovider2.client-id=efgh
spring.security.oauth2.client.registration.ssprovider1.client-secret=5678
spring.security.oauth2.client.registration.ssprovider2.scope=read
spring.security.oauth2.client.registration.ssprovider2.client-authentication-method=basic
spring.security.oauth2.client.registration.ssprovider2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.ssprovider2.token-uri=https://ssoprovidr2.base.com/token
spring.security.oauth2.client.provider.ssprovider2.authorization-uri=https://ssoprovidr2.base.com/authorize
But whenever I start my app and browse to the endpoint, I get the following error: Too many redirect. Clearing the browser cookies also did not help.
I am not sure why I am getting this error.
Could anyone please help here? Thanks.

Keycloak Single Logout Issue with multiple clients

I have built two Keycloak clients (a spring-client and a tomcat-client, using the Keycloak OIDC Spring Boot adapter and the OIDC Tomcat adapter) and both are working in the same realm. I have two problems with these clients.
When I sign in to those clients, I need to provide a username and password for each client separately, even though I am using the same browser (multiple tabs) and the same username.
When I need to sign out, only a single client (tomcat-client) logs out; the other client (spring-boot-client) does not log out at all and keeps the session until a timeout occurs.
Further, while investigating, I found that two separate sessions were created for the two clients. (see the image)
Since I am using the same realm and the same user, I have no idea how two sessions were created. There is another thing I noticed: the tomcat-client and security-admin-console clients are both in the same session. When I log out from the Keycloak admin console, the Tomcat client automatically logs out. The problem is only with the spring-boot client.
Also I have set each client's admin URL as the base URL of each application.
Can someone help me to sort this out?
Thank you
After lots of debugging, I finally found the problem in my configuration.
In the Spring Boot adapter configuration file I had specified the Keycloak URL as http://127.0.0.1:8080/auth
In the other adapter configuration file I had specified it as http://localhost:8080/auth
The issue was fixed once the same URL was added to both adapter configurations.
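
A check for the misconfiguration described in this answer, as an added example that is not part of the original post: it compares the Keycloak URL in a Spring Boot adapter properties file with the one in a Tomcat adapter keycloak.json and reports when they differ. The sample configs, the realm name and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configs; realm and client names are placeholders.
SPRING_PROPERTIES = """\
keycloak.realm=demo-realm
keycloak.resource=spring-client
keycloak.auth-server-url=http://127.0.0.1:8080/auth
"""
TOMCAT_KEYCLOAK_JSON = """\
{"realm": "demo-realm", "resource": "tomcat-client",
 "auth-server-url": "http://localhost:8080/auth"}
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def url_key(url):
    """Normalise a URL to (scheme, host, port, path) without resolving DNS:
    the browser scopes cookies by the literal host name, so 'localhost'
    and '127.0.0.1' must compare as different."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port,
            parts.path.rstrip("/"))

def collect_urls(properties_text, json_text):
    """Map each client id to the Keycloak URL its adapter is configured with."""
    props = parse_properties(properties_text)
    adapter = json.loads(json_text)
    return {props["keycloak.resource"]: props["keycloak.auth-server-url"],
            adapter["resource"]: adapter["auth-server-url"]}

def find_url_drift(urls):
    """Group clients by normalised URL; return the groups only if they differ."""
    groups = {}
    for client, url in urls.items():
        groups.setdefault(url_key(url), []).append(client)
    return groups if len(groups) > 1 else {}

if __name__ == "__main__":
    for key, clients in find_url_drift(
            collect_urls(SPRING_PROPERTIES, TOMCAT_KEYCLOAK_JSON)).items():
        print("%s://%s:%s%s <- %s" % (*key, ", ".join(clients)))
```

An empty result means every adapter points at the same Keycloak URL; more than one group lists which clients use which URL.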

Use single spring boot application as a Spring boot admin and client both

We have one application which is running on Spring Boot. We don't want to add a new application to the environment to manage this application, so we would like to add the Spring Boot Admin feature to the same application. I tried that and am able to see the Spring admin screen, but the client is not getting loaded.
I don't know whether this is a good idea or not.
Please provide your suggestions.
I can see both the Spring Boot Admin server and the client working in one application.
But I don't know whether this is a good idea or not. Please provide your inputs.
Spring Boot Admin was invented for monitoring multiple services. In my opinion you should separate them so each has its own job, following the single responsibility principle. With separation, when your application fails, Spring Boot Admin will catch logs and maybe some additional data; if they are together, you won't know what might happen.

Spring Boot w/ KeyCloak and Redis session store

Can someone suggest how to configure a Spring Boot application to authenticate via KeyCloak, and then use Redis as the session store? I've spent a day googling and banging my head on this, and I just don't feel like I'm getting anywhere.
I know how to configure each one independently - i.e. I can make a Boot app that auths via KeyCloak, and I can also make a Boot app that keeps its session in Redis, but I'm not getting them to work together. Is this possible? It seems like it should be. Or is this just not how it's supposed to work?
I think my working POC would behave something like this:
start my app
access some resource that forces a login via KeyCloak - access to resource is granted
restart my app
access that same resource but now no login is needed (since session is persisted in Redis)
Thanks for any suggestions.
OK - turns out I'm just not paying attention. I was not using the access/bearer token correctly. There is no need to keep the Spring session around when the bearer token is properly provided in requests.

Camunda authentication and identity service with Spring boot

We're using the Camunda REST API to communicate with the camunda-engine in the backend. So far so good, but we haven't been able to enable the Camunda authentication service so that users/roles can only instantiate/claim/complete/see (when requesting via HTTP) the tasks and processes which are assigned to them or their groups.
We're also using the Spring Boot implementation of the configuration. We have tried several things, but none has worked so far, as anyone can do anything and it's not even asking for credentials, so I was thinking I may be doing something wrong considering how complicated it has been.
So the question is, what are the standard steps we need to take to make these services work?
Thanks in advance.
Camunda is running bundled with a Tomcat server which allows LDAP, so one way might be to let your Tomcat do the permission management. In other words, you might limit the user access via the hosting web server.
