I have implemented sample spring boot rest API(protected) and authenticated it with locally installed keycloak server. It works perfectly fine.
Later i tried to do the same using keycloak docker, able to get access token using postman, however getting 403 forbidden error(Tested from postman) while trying to access protected service.
Instead of using access token, even i tried using RPT token, but still the same error. I'm unable to access any of the protected service.
What steps do i need to take to access protected services using keycloak Docker ?
application.properties
keycloak.realm=Demo
keycloak.auth-server-url=http://XXX.XX.X.XX:8080/auth -- Keycloak Docker
keycloak.ssl-required=none
keycloak.resource=Demo_Client
keycloak.bearer-only=true
keycloak.credentials.secret=44dae7ee-d81d-4070-a307-2315764afa39
keycloak.use-resource-role-mappings=false
keycloak.cors=true
keycloak.securityConstraints[0].authRoles[0]=admin
keycloak.securityConstraints[0].authRoles[1]=manager
keycloak.securityConstraints[0].securityCollections[0].patterns[0] =/demoRestApi
keycloak.policy-enforcer-config.paths[0].path=/demoRestApi
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=view
keycloak.policy-enforcer-config.paths[0].methods[1].method=DELETE
keycloak.policy-enforcer-config.paths[0].methods[1].scopes[0]=delete
Related
I have a Spring cloud API gateway talking to keycloak server for JWT authentication. If I run my application from eclipse and keycloak as single docker container, it works fine. However when I run my spring boot application as docker container(using docker compose or kubernetes) its unable to authorize with keycloak throws following error.
org.springframework.security.oauth2.jwt.JwtDecoderInitializationException: Failed to lazily resolve the supplied JwtDecoder instance
at org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder.wrapException(SupplierReactiveJwtDecoder.java:48) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
.
.
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "http://keycloak-server:8080/realms/master"
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:161) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:79) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
Are there any additional configurations required for this situation?
If the keycloak and springboot applications are deployed in different namespace, you would need to include the namespace in the keycloak url configured in your springboot application (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services).
Also you might need to check if the kubernetes service for keycloak is configured correctly.
To solve this modified few things
Created new realm instead of using default master realm
Instead of using keycloak kubernetes service name in issuer url, used host.docker.internal ip
While generating JWT from postman used same host.docker.internal ip in the token generation url
I'm using Spring Boot + Keycloak + Angular for my application and keycloak-spring-boot-starter uses for the backend. But this is working perfectly on my computer and when I deploy this
Without logging to the system system works perfectly
When login to the system using angular app and make a api request getting 401 from Spring boot backend
In postman without token it gives results
In postman with the token it gives 401
But on angular side (frontend) Authentification and Authorization work perfectly. Further, I have tried to run this application in the machine(angular and Spring boot run in my local machine similar environment to production) using deployed keycloak, it also works perfectly.
Since there is no related error in the console I'm really worried about how to figure out the issue. I'm kindly requesting you to help me regarding this.
Actually, it was my mistake I have set SSL to none in Keycloak configuration but Spring Boot app I have set to external. Therefore it works on my computer and when I deploy it, it didn't work.
I have a keycloak server and a spring boot app running on Kubernetes cluster and I'm facing 2 scenarios the first one is working and the other one I'm getting 401 Unauthorized.
First scenario:
Enter a test container with kubectl exec command inside my k8s cluster and ask for a token with a curl POST request :
http://keycloak-service-name:8080/auth/realms/lisa/protocol/openid-connect/token
I get a token
I send a request from postman using that token to the secured endpoint of my app and
It's working, access is granted
Second scenario:
Ask for a token by sending a POST request to: http://keycloak-external-ip:port/auth/realms/lisa/protocol/openid-connect/token with the necessary parameters from postman
I receive an access token
I send a request from postman to the secured endpoint using that token of my app I get 401 unauthorized
The Keycloak is exposed using NodePort service.
The app is exposed using istio ingress gateway.
Keycloak server version:9.0.0.
keycloak version in spring boot app: 10.0.2
Fixed this by changing the keycloak.auth-server-url value in the application.properties file.
The keycloak deployment has 2 services, one of type clusterIP, the second is of type nodePort
before
keycloak.auth-server-url=http://keycloak-clusterIP-service-name:8080/auth
after
keycloak.auth-server-url=http://node-ip-adress:nodePort/auth
I am using Spring cloud with OAuth2. I have 4 applications as mentioned below:
1) Eureka server : Service Registery.
2) zuul as Api Gateway
3) Auth server - which is returning the access_token to client after successful authentication.
4) Resource server - wants to validate token before giving access to resource.
I used the below configuration in application.properties:
security.oauth2.resource.tokenInfoUri=http://localhost:9600/oauth/check_token
security.oauth2.client.client-id=resourceServer-client
security.oauth2.client.client-secret=secret
I dont want to give hard coded ipaddress / hostname for "tokenInfoUri" in application.properties.
I want to access the auth server by its service name as there can be multiple instances of Auth server.
How can i do that ?
I checked the code how tokenInfoUri works in spring boot using oauth2 and found that
ResourceServerTokenServicesConfiguration -> RemoteTokenServicesConfiguration -> remoteTokenServices()
method where tokenInfoUri us retrieved from ResourceServerProperties.java as #ConfigurationProperties.
I dont want to use JWT token for token verification. I want to verify using remote call from Resource Server to AuthServer.
Hi everyone i am not able to proceed with following settings. your small pointers are appreciated.
problem statement
i am trying to use custom authorization server provided by spring cloud security and OAuth2 with my web application so that it can propagate access token to micro services in back end.
i can able to see my authorization server can able to provide access token and when try to ingest access token for invoking endpoints for for back end micro service it work as per expectation
problem faced
when i provide following configuration in spring boot web client(which will call my back end micro service)
in application.properties
security.oauth2.client.clientId=myclient
security.oauth2.client.clientSecret=abcsecret
security.oauth2.client.access-token-uri=http://localhost:9000/services/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:9000/services/oauth/authorize
security.oauth2.client.clientAuthenticationScheme=form
security.oauth2.resource.user-info-uri=http://localhost:9000/services/user
security.oauth2.resource.prefer-token-info=true
and i provide
http://localhost:8080
in my browser. it asks for credentials. i provide credentials as present with authorization server.
once valid credentials provided authorization server asks for valid scopes.
but one important thing i observe when my web client routed to authorization server it has redirect_uri
http://localhost:8080/login
(not ok since initially i entered http://localhost:8080)
i am also getting HTTP 401 error