I'm using Spring Boot + Keycloak + Angular for my application and keycloak-spring-boot-starter uses for the backend. But this is working perfectly on my computer and when I deploy this
Without logging to the system system works perfectly
When login to the system using angular app and make a api request getting 401 from Spring boot backend
In postman without token it gives results
In postman with the token it gives 401
But on angular side (frontend) Authentification and Authorization work perfectly. Further, I have tried to run this application in the machine(angular and Spring boot run in my local machine similar environment to production) using deployed keycloak, it also works perfectly.
Since there is no related error in the console I'm really worried about how to figure out the issue. I'm kindly requesting you to help me regarding this.
Actually, it was my mistake I have set SSL to none in Keycloak configuration but Spring Boot app I have set to external. Therefore it works on my computer and when I deploy it, it didn't work.
Related
I have created a sample SOAP Web Service project (spring boot) and trying to integrate Okta as a resource server for authentication.
I am able to deploy the application to WebLogic, but when testing the service using SOAP UI, it gives the response even when there is no Token included in the header.
When I access WSDL from a browser using my wsdl url, http://myhost:port/appservice/app.wsdl I see the 401 error, so I think it is picking up the Security config changes. But it is not working for SOAP requests, I would get response even with out Okta token.
Is it because for SOAP requests, do I need to include any interceptors on top of Security Config java file. Or am I taking a wrong path for security with SOAP. Can someone let me know what am I missing or point me to right direction. Is token validation part of WS-Security? or the authentication manager in Okta resource server enough for this?
I followed this documentation to create it.
I have read most of the SO questions related to this and spring documentation, but could not connect the missing dots. Please help me with this. After spending lot of time, I felt like I was moving in circles.
UPDATE:
I have enabled spring security debug logs by doing below
#EnableWebSecurity(debug=true)
logging.level.org.springframework.security.web.FilterChainProxy=DEBUG
UPDATE2:
I haven't made any big changes to my configuration, but when I ran the project on embedded tomcat locally, it started working. To run on Tomcat, I changed packaging from war to jar, excluded Tomcat in my POM and in my Main class, I had to remove the SpringBootServletInitializer and WebApplicationInitializer. That's it. I tested SOAP UI with the Okta bearer token and it gave me response. With out the token it did not give me response.
Spring Security not working only in case of WebLogic12c. I don't know what I am missing to include for that to work in WebLogic. when deployed through Tomcat, request is passed through all the beans in Security Filter Chain {
WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter,
LogoutFilter,
BearerTokenAuthenticationFilter,
RequestCacheAwareFilter,
SecurityContextHolderAwareRequestFilter,
AnonymousAuthenticationFilter,
SessionManagementFilter,
ExceptionTranslationFilter,
FilterSecurityInterceptor}
But on WebLogic, the request is passed only through first four beans in Security Filter Chain {WebAsyncManagerIntegrationFilter,
SecurityContextPersistenceFilter,
HeaderWriterFilter,
CsrfFilter}
I just wanted to update the alternate solution I found for this problem, for completeness.
Spring Security Filter chain was not working for Weblogic, where as same was working in Tomcat, even for Weblogic version 12.2.1.4.
I had followed this example, and implemented Okta filter as spring boot version was not working in Weblogic 12.2.1.4.
Thanks to #Toerktumlare, I have implemented logging with logback-spring.xml
I am working with migrating OAuth2 SSO provider for my Spring boot application from SSOProvider1 to SSOProvider2.
My application has been working fine with SSOProvider1. The relevant properties are as follows:
spring.security.oauth2.client.registration.ssprovider1.client-id=abcd
spring.security.oauth2.client.registration.ssprovider1.client-secret=1234
spring.security.oauth2.client.registration.ssprovider1.scope=api
spring.security.oauth2.client.registration.ssprovider1.client-authentication-method=basic
spring.security.oauth2.client.registration.ssprovider1.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.ssprovider1.token-uri=https://ssoprovidr1.base.com/token
spring.security.oauth2.client.provider.ssprovider1.authorization-uri=https://ssoprovidr1.base.com/authorize
spring.security.oauth2.client.provider.ssprovider1.user-info-uri=https://ssoprovidr1.base.com/userinfo
spring.security.oauth2.client.provider.ssprovider1.user-name-attribute=name
Now, as part of migration, for SSOProvider2, I have changed only following values:
spring.security.oauth2.client.registration.ssprovider2.client-id=efgh
spring.security.oauth2.client.registration.ssprovider1.client-secret=5678
spring.security.oauth2.client.registration.ssprovider2.scope=read
spring.security.oauth2.client.registration.ssprovider2.client-authentication-method=basic
spring.security.oauth2.client.registration.ssprovider2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.ssprovider2.token-uri=https://ssoprovidr2.base.com/token
spring.security.oauth2.client.provider.ssprovider2.authorization-uri=https://ssoprovidr2.base.com/authorize
But, whenever I am starting my app and browsing the end-point, I am getting following error: Too many redirect and clearing the browser cookies also did not help.
I am not sure, why I am getting this error.
Could anyone please help here? Thanks.
Hi, I am trying to use single-sign on with keycloak and springboot 2 app
I got local keycloak setup realm and client.
I followed this example : spring-boot-keycloak-tutorial
This works fine, my issue is that I want to implement single sign on. Which means I don't want the user to login using keycloak login page.
If the users are logged in to the network (using Windows machine), and try to access the page, then they should be able to access the application without login because they are valid network users.
I don't seem to find an example on how to setup SSO and pass the credentials directly from windows to keycloak
You can configure your realm to use Kerberos user federation. This will enable SSO using the active directory.
See the official example page
You then need to make sure that your browser to support the SSO.
It turned out that the keycloak-spring-boot-adapter does not work for spring boot 2.0+
I changed my spring version to 1.5.3 instead of 2.0.5 and this solved the problem.
I am not sure if there is an alternative for spring boot 2.0
I'm not very familiar with network configuration. I have an API server developed on spring boot with CORS enabled. The server works fine on the external network. But when I try to call API from the internal network, it got blocked, is there a way to resolve this problem in spring boot without changing network's configuration?
We are currently developing a microservice application using Spring Boot 1.4 and Keycloak 2.5.0 (configured as openid-connect service) using the Keycloak Spring Adapter (not the Spring Boot adapter).
All of our microservices are put behind a load balancer and an additional reverse proxy as the application will be hosted on an existing domain behind a context root (so the root of our application is http://foo.bar/foobar/ and the rest services are http://foo.bar/foobar/rest/).
We are facing a couple of problems with Keycloak in this given scenario:
Keycloak forward to /sso/login if a sign-in is needed. This is in our case unwanted behaviour because http://foo.bar/sso/login will not exist. I have found a way to change the forward but there is no way to make Keycloak listen to the same url; we end up with a 404 in this case.
After signing in, Keycloak redirects back to the /sso/login url with the correct tokens, but if this is not the same server, the request fails and it redirects us to http://foo.bar/. Since every microservice exposes /sso/login, this can be in fact a completely different server.
If keycloak is hosted on the same domain, we end up in a redirect loop. We would also like to have Keycloak hosted on the same domain and on the context root http://foo.bar/foobar/auth/ .
We've already tried using the "token-store": "cookie" but this did not resolve the problem.
Is there a way to resolve these problems or is Keycloak maybe not the correct solution for our use-case ?
Update 05/05/2017:
Move my answer from here to an answer
We are now up and running with Keycloak so I'll briefly explain what we did. The front-end of our application runs Angular2 and we created a custom login page in the Angular application itself (so it's not a theme for Keycloak) which will directly query the Keycloak API for an OAuth2 Bearer token. The front-end will send this token on each request in the Authorization header (as per the OAuth standards).
On the service side we have configured keycloak as a bearer-only solution (bearer-only: true in the keycloak.json), this way the application just returns a 401 or a 403 instead of forwarding to the login page.
Using this configuration the user will never see anything from the /sso/login page and there is also no redirect issue anymore.
TLDR; the use-case I described was also not realistic, calling a REST URL and then forwarding to a login page is kind of bad stuff :)