Keycloak - Authorization Request with Signed Jwt - spring-boot

I'm setting up a service with Keycloak as Auth Server, and I want to use "Signed Jwt" as Client Authenticator. So far, I was able to connect the microservice using a Keycloak adapter with the information provided by keycloak.json. Let me go into more detail first:
Keycloak (12.0.4), self hosted:
A "Demo Realm"
A client name "springboot-microservice-test"
The "Client Authenticator" is "Signed Jwt"
JWKS is exposed and reachable on the microservice.
Some users with roles that can get access to "springboot-microservice-test"; let's call them "user_test" with "user_test_password"
Keycloak Credentials setup
Spring boot Microservice:
keycloak-spring-boot-starter, version 12.0.4
Settings defined in application properties.
Keystore file on resources folder: test_key_store.jks
Spring boot application.properties
On a previous test, with "Client ID and Secret" as Client Authenticator, I had no issues retrieving a token from Keycloak and getting access to the microservice, but I couldn't find any information on how to request the access token with "Signed Jwt".
Setup with client_id and client_secret
Can anyone help me?
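As an added example (not code from the question, the Keycloak project or its adapter), here is what the token request looks like when the client authenticates with a signed JWT instead of a secret. The client builds a short-lived JWT (an RFC 7523 client assertion: iss and sub are the client ID, aud is the token endpoint, a unique jti) signed with the private key from test_key_store.jks, and sends it as client_assertion together with the same password grant the question already used with client_id and client_secret. It uses the Nimbus JOSE+JWT library and Spring's RestTemplate; the Keycloak base URL, the realm path segment, the keystore alias and passwords, and the key ID are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.interfaces.RSAPrivateKey;
import java.util.Date;
import java.util.UUID;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/**
 * Obtains an access token from Keycloak with "Signed Jwt" (private_key_jwt, RFC 7523)
 * client authentication. Base URL, realm path segment, keystore alias/passwords and
 * key ID below are assumed values, not taken from the question.
 */
public class SignedJwtTokenClient {

    private static final String KEYCLOAK_BASE = "http://localhost:8080/auth"; // assumed
    private static final String REALM_PATH = "demo-realm";                     // assumed URL name of "Demo Realm"
    private static final String CLIENT_ID = "springboot-microservice-test";    // from the question
    private static final String TOKEN_URL =
            KEYCLOAK_BASE + "/realms/" + REALM_PATH + "/protocol/openid-connect/token";

    /** Loads the RSA private key whose public half the microservice publishes through its JWKS. */
    static RSAPrivateKey loadPrivateKey(String keystoreResource, char[] storePass,
                                        String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = SignedJwtTokenClient.class.getResourceAsStream(keystoreResource)) {
            ks.load(in, storePass);
        }
        return (RSAPrivateKey) ks.getKey(alias, keyPass);
    }

    /** Builds the client_assertion: iss = sub = client_id, aud = token endpoint, 60 s lifetime, unique jti. */
    static String buildClientAssertion(RSAPrivateKey key, String kid) throws Exception {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(CLIENT_ID)
                .subject(CLIENT_ID)
                .audience(TOKEN_URL)                       // Keycloak also accepts the realm URL here
                .jwtID(UUID.randomUUID().toString())       // unique per request; Keycloak uses it to reject replays
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + 60_000)) // keep the assertion short-lived
                .build();
        // kid must match the key Keycloak finds in the client's JWKS (or the uploaded certificate)
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kid).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    /** Password grant as in the question, but authenticated with the assertion instead of client_secret. */
    static String requestAccessToken(String clientAssertion, String username, String password) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("username", username);
        form.add("password", password);
        form.add("client_id", CLIENT_ID);
        form.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        form.add("client_assertion", clientAssertion);

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        // Response body is the usual JSON: {"access_token": "...", "refresh_token": "...", "expires_in": ...}
        return new RestTemplate().postForObject(TOKEN_URL, new HttpEntity<>(form, headers), String.class);
    }

    public static void main(String[] args) throws Exception {
        // alias "test" and password "changeit" are assumed; use whatever test_key_store.jks was created with
        RSAPrivateKey key = loadPrivateKey("/test_key_store.jks", "changeit".toCharArray(),
                                           "test", "changeit".toCharArray());
        String assertion = buildClientAssertion(key, "test");
        System.out.println(requestAccessToken(assertion, "user_test", "user_test_password"));
    }
}
```

If the token endpoint answers 401 with "invalid_client", the usual causes are a kid that does not match the key Keycloak fetched from the JWKS URL, an aud that is neither the token endpoint nor the realm URL, or an expired or reused jti. When the Keycloak Spring Boot adapter itself has to obtain tokens (for example, for the code exchange), the equivalent configuration is the `credentials.jwt` block of keycloak.json (client-keystore-file, client-keystore-type, client-keystore-password, client-key-alias, client-key-password) in place of `credentials.secret`; the starter reads the same keys as `keycloak.credentials.jwt.*` properties.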

Related

IDP initiated SSO from Google SAML with Keycloak as identity broker

We have Google SAML SSO login (IdP) in our Spring Boot application (SP) with Keycloak as IdP broker. The SP-initiated login (SpringApp -> Keycloak -> GoogleSSO -> Keycloak -> Spring) works fine. However, if I log in to my Google account and click my SAML application tile from the Google app menu, the SSO fails at the ACS endpoint with the error below.
The error below is logged in the Keycloak server logs.
ERROR [org.keycloak.services.resources.IdentityBrokerService] (default
task-424) invalidRequestMessage
WARN [org.keycloak.events] (default task-424)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=****-realm,
clientId=null, userId=null, ipAddress=x.x.x.x,
error=invalidRequestMessage
Keycloak Identity Provider Configuration
Created new SAML v2.0 Identity provider from Identity providers menu.
Redirect URI : https://{keycloak-root}/auth/realms/{realm-name}/broker/{alias}/endpoint
First Login Flow: first broker login
Service Provider Entity ID: https://{keycloak-root}/auth/realms/{realm-name}
Single Sign-On Service URL: {google idp sso url}
Keycloak Client Configuration:
Created a new keycloak client for sso.
Client Protocol: SAML
Signature Algorithm: RSA_SHA_256
Name ID Format: Username
Valid Redirect URIs: {spring-boot-app-url} after successful authentication from google and keycloak
IDP Initiated SSO URL Name: {app-name-string}
IDP Initiated SSO Relay State: {spring-boot-app-url}
Assertion Consumer Service POST Binding URL: {spring-boot-app-url}
Google SAML App Configuration:
Entity ID: https://{keycloak-root}/auth/realms/{realm-name}
ACS URL: https://{keycloak-root}/auth/realms/{realm-name}/broker/{alias}/endpoint
Please suggest whether any configuration changes have to be made to make IdP-initiated login work.
UPDATE:
We compared the SAML request of both SP and IdP login. In IdP login, on successful redirection from Google to the Keycloak ACS URL, we found the RelayState parameter is empty. But in SP login, the same RelayState parameter has a string value present, which changes on every login.
We could set a default value for RelayState using the Start URL field inside the Google SAML app. But the problem is that Keycloak generates this value dynamically, and it changes on every login request.

How to implement JWT with Keycloak in a Spring Boot microservice architecture?

I have read some articles on Keycloak Spring implementation (e.g. easily-secure-your-spring-boot-applications-with-keycloak), but none of them mention how to use it with JWT.
I have created a Zuul API gateway and added the Keycloak adapter as described in the previously linked article. That's OK, but I want to use JWT with Keycloak.
Elsewhere it is mentioned to set the client access type to bearer-only and the session strategy to NullAuthenticatedSessionStrategy. Is that enough, or is something else needed for JWT?
So my questions:
How do I configure client on Keycloak admin for JWT?
How do I configure Keycloak in backend config file for JWT?
How do I configure Keycloak adapter for JWT?
How do I pass user info to the microservice? Create a filter in the gateway? But how do I get the user info from the request?
The Keycloak access token is a JWT. It is JSON, and each field in that JSON is called a claim. By default, the logged-in username is returned in a claim named "preferred_username" in the access token. Spring Security OAuth2 Resource Server expects the username in a claim named "user_name". So you need to create a mapper to map the logged-in username to a new claim named user_name.
In order to provide access to the client (microservice), the respective role needs to be assigned/mapped to the user.
In your Spring Boot application, you then need to configure the connection to the Keycloak server, providing the auth URL, token URL, scope, grant type, client ID and client secret.
After that, for your app to be able to parse the JWT token, you need to create a JwtAccessTokenCustomizer. This class should extend DefaultAccessTokenConverter and implement the JwtAccessTokenConverterConfigurer interface. The main logic lies in the public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) method.
Then you need to configure the OAuth2 Resource Server to provide access for other microservices. For that you define an OAuth2RestTemplate bean.
And in the end, secure your REST API via the standard configuration component.
So you can see that it is a lot of work and can't be described with code here. Show some of your work, divide it into chunks, and ask your questions.
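The JwtAccessTokenCustomizer the answer describes, written out as an added example (not the answer's own code, nor Keycloak's or Spring's). It plugs itself into the resource server's JwtAccessTokenConverter and turns the Keycloak-specific claims into an OAuth2Authentication: the client from "azp", the user from "preferred_username", and realm_access / resource_access roles as ROLE_* authorities, which is what a downstream microservice needs to answer the "how do I pass user info" question. The resource client name used for resource_access is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.boot.autoconfigure.security.oauth2.resource.JwtAccessTokenConverterConfigurer;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.stereotype.Component;

/**
 * Maps a verified Keycloak access token (already parsed into a claim map by the
 * resource server) onto Spring Security's OAuth2Authentication.
 */
@Component
public class JwtAccessTokenCustomizer extends DefaultAccessTokenConverter
        implements JwtAccessTokenConverterConfigurer {

    /** Assumed name of the client whose client-level roles should become authorities. */
    private static final String RESOURCE_CLIENT_ID = "springboot-microservice-test";

    @Override
    public void configure(JwtAccessTokenConverter converter) {
        // Replace the default converter, which expects "client_id" and "user_name" claims
        converter.setAccessTokenConverter(this);
    }

    @Override
    @SuppressWarnings("unchecked")
    public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) {
        // Keycloak names the authorised party "azp" and the user "preferred_username"
        String clientId = (String) tokenMap.get("azp");
        String username = (String) tokenMap.get("preferred_username");

        // Keycloak's "scope" claim is a single space-separated string
        Set<String> scopes = new HashSet<>();
        Object scope = tokenMap.get("scope");
        if (scope instanceof String) {
            scopes.addAll(Arrays.asList(((String) scope).split(" ")));
        }
        OAuth2Request request = new OAuth2Request(null, clientId, null, true, scopes, null, null, null, null);

        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.addAll(rolesOf(tokenMap.get("realm_access")));
        Object resourceAccess = tokenMap.get("resource_access");
        if (resourceAccess instanceof Map) {
            authorities.addAll(rolesOf(((Map<String, Object>) resourceAccess).get(RESOURCE_CLIENT_ID)));
        }

        // The three-argument constructor marks the token as authenticated
        UsernamePasswordAuthenticationToken user =
                new UsernamePasswordAuthenticationToken(username, "N/A", authorities);
        return new OAuth2Authentication(request, user);
    }

    /** Turns {"roles": ["admin", "user"]} into ROLE_ADMIN, ROLE_USER so hasRole("ADMIN") works. */
    @SuppressWarnings("unchecked")
    private static Collection<GrantedAuthority> rolesOf(Object access) {
        List<GrantedAuthority> result = new ArrayList<>();
        if (access instanceof Map) {
            Object roles = ((Map<String, Object>) access).get("roles");
            if (roles instanceof Collection) {
                for (Object role : (Collection<Object>) roles) {
                    result.add(new SimpleGrantedAuthority("ROLE_" + role.toString().toUpperCase()));
                }
            }
        }
        return result;
    }
}
```

Because this reads preferred_username directly, the extra user_name protocol mapper is only needed if the default converter stays in place. The converter runs after the JWT signature has been checked against the Keycloak public key (security.oauth2.resource.jwt.key-uri or key-value), so the claims it sees can be trusted; it still has to be told which client's resource_access block to honour, otherwise roles from another client could be mistaken for its own.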

How are the authorization rules validated by the Keycloak authorization server using the Spring REST adapter?

I have set up the Keycloak server and created the Spring REST application with the Keycloak REST adapters. The authorization rules are working fine.
I would like to know about the internal working of the Keycloak Spring Boot REST adapter: how the logged-in user's token is validated against the policies and permissions set in the Keycloak admin console.
You are correct, the access token does not contain all these details.
In Keycloak, when you are using server-side adapters, the client will be configured to use the standard flow and not the implicit flow of OIDC.
In the standard flow, when you log in using the Keycloak IdP, your front end redirects to the Keycloak IdP and asks for your credentials. If you have the right credentials, login is successful and you are redirected back to your app. In this redirect your app gets a code, which it then sends to the back-end REST call. This code is used by the Spring adapter in the Spring Boot app to make a call to the Keycloak IdP server, and it is in this call that the Boot application gets the user context, as a response from the Keycloak server, to take all the authorization decisions.
Hope this makes sense.

Spring zuul proxy to OAuth2 server password grant

I'm trying to implement a Zuul reverse proxy with @EnableOAuth2Sso so I can relay the access tokens obtained from the authentication server to my resource server.
The question is how I configure the Zuul proxy to forward the username and password to the authentication server, since I am using the password grant flow to obtain the tokens.
If the question is still relevant...
I had a task to configure Authorization and Resource servers behind Zuul using the password grant type.
This article and example on GitHub helped me a lot, but mostly I used debugging to configure the environment.
Please check my example of configuring the OAuth2 Password Grant Type behind Zuul.
To run the example, inside every service folder run mvn spring-boot:run
In the browser go to http://localhost:8765, credentials user/user, admin/admin
http://localhost:8761/ - Eureka
I have not used @EnableOAuth2Sso, but instead @EnableOAuth2Client and configured only ResourceOwnerPasswordAccessTokenProvider (more details here).
@EnableOAuth2Sso configures all token providers, but I need only the password provider.
The example uses JWT tokens.
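An added example of the approach the answer outlines (not the answer's linked repository, nor Spring Cloud's own OAuth2TokenRelayFilter): a Zuul pre-filter that takes the username and password a caller sends as HTTP Basic credentials, exchanges them at the authorization server with the password grant via ResourceOwnerPasswordAccessTokenProvider only, and replaces the Basic header with the resulting bearer token before the request is proxied. The token URI, the gateway's client ID and secret, and the use of Basic auth as the way credentials reach the gateway are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.stereotype.Component;

/**
 * Zuul "pre" filter: Basic credentials in -> password grant at the auth server -> Bearer token out.
 * TOKEN_URI, CLIENT_ID and CLIENT_SECRET are assumed values for the gateway's own client.
 */
@Component
public class PasswordGrantRelayFilter extends ZuulFilter {

    private static final String TOKEN_URI = "http://localhost:9000/oauth/token"; // assumed
    private static final String CLIENT_ID = "zuul-gateway";                      // assumed
    private static final String CLIENT_SECRET = "zuul-secret";                   // assumed

    @Override public String filterType() { return "pre"; }
    @Override public int filterOrder() { return 5; }

    @Override public boolean shouldFilter() {
        String auth = RequestContext.getCurrentContext().getRequest().getHeader("Authorization");
        return auth != null && auth.startsWith("Basic ");
    }

    @Override public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        try {
            String[] creds = decodeBasic(ctx.getRequest().getHeader("Authorization"));
            OAuth2AccessToken token = exchange(creds[0], creds[1]);
            // Zuul strips the inbound Authorization header by default (sensitiveHeaders);
            // the header set here is what the back-end resource server receives.
            ctx.addZuulRequestHeader("Authorization", "Bearer " + token.getValue());
        } catch (IllegalArgumentException | OAuth2AccessDeniedException e) {
            // Bad credentials or malformed header: answer 401 ourselves, do not proxy
            ctx.setSendZuulResponse(false);
            ctx.setResponseStatusCode(401);
        }
        return null;
    }

    /** Splits "Basic base64(user:pass)" into {user, pass}; passwords may contain ':' so split on the first one. */
    static String[] decodeBasic(String header) {
        String decoded = new String(Base64.getDecoder().decode(header.substring("Basic ".length())),
                                    StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("malformed Basic credentials");
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Password grant with only the ResourceOwnerPasswordAccessTokenProvider, no SSO provider chain. */
    static OAuth2AccessToken exchange(String username, String password) {
        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        details.setAccessTokenUri(TOKEN_URI);
        details.setClientId(CLIENT_ID);
        details.setClientSecret(CLIENT_SECRET);
        details.setUsername(username);
        details.setPassword(password);
        // A fresh client context per exchange so one user's token is never reused for another
        OAuth2RestTemplate template = new OAuth2RestTemplate(details, new DefaultOAuth2ClientContext());
        template.setAccessTokenProvider(new ResourceOwnerPasswordAccessTokenProvider());
        return template.getAccessToken();
    }
}
```

The gateway sees the user's plaintext password in this design, which is the trade-off of the password grant: terminate TLS before the filter, do not log the header, and treat the gateway as part of the trust boundary of the authorization server. Each call hits the token endpoint once; if that is too chatty, cache the token per session keyed by something other than the password.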

Getting HTTP 401 with Spring Boot custom authorization server when accessing spring client

Hi everyone, I am not able to proceed with the following settings. Your small pointers are appreciated.
Problem statement
I am trying to use the custom authorization server provided by Spring Cloud Security and OAuth2 with my web application so that it can propagate the access token to microservices in the back end.
I can see that my authorization server is able to provide an access token, and when I try to use the access token for invoking endpoints of the back-end microservice it works as expected.
Problem faced
When I provide the following configuration in the Spring Boot web client (which will call my back-end microservice)
in application.properties
security.oauth2.client.clientId=myclient
security.oauth2.client.clientSecret=abcsecret
security.oauth2.client.access-token-uri=http://localhost:9000/services/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:9000/services/oauth/authorize
security.oauth2.client.clientAuthenticationScheme=form
security.oauth2.resource.user-info-uri=http://localhost:9000/services/user
security.oauth2.resource.prefer-token-info=true
and I enter
http://localhost:8080
in my browser, it asks for credentials. I provide the credentials as present in the authorization server.
Once valid credentials are provided, the authorization server asks for valid scopes.
But one important thing I observe: when my web client is routed to the authorization server it has redirect_uri
http://localhost:8080/login
(not OK, since initially I entered http://localhost:8080)
I am also getting an HTTP 401 error
