I've been at this for about a week now.
I have a use case where I recieve an auth token through the body instead of the header, and because of that Keycloak and Spring don't automatically set the user. (The reason being, with websockets, I can only send the auth token through the body with the initial connection)
I've tried intercepting the call before keycloak and copying the token from the body to the header, but that did not work.
So now I would like to manually authenticate through keycloak (or just manually set the principal user). I have access to the JWT Access Token, but from here I'm not sure how to authenticate with keycloak.
Anyone have any input?
Since there are two Keycloak pieces that could be in play here, I'll start with a clarification:
Keycloak - This is the authorization server that a client will use to obtain a JWT
Keycloak Adapter - This is the thing that configures a Resource Server to integrate Keycloak with Spring Security
I have a use case where I recieve an auth token through the body instead of the header, and because of that Keycloak and Spring don't automatically set the user.
Spring Security 5.1 ships with built-in support for JWT-based access tokens, so you may not need to use the Keycloak Adapter for what you are wanting to do.
When using Spring Security's built-in support, you can configure the DefaultBearerTokenResolver to look in the body:
#Bean
public BearerTokenResolver bearerTokenResolver() {
DefaultBearerTokenResolver resolver =
new DefaultBearerTokenResolver();
resolver.setAllowFormEncodedBodyParameter(true);
return resolver;
}
Related
I'm developing an app.
Front/bff/api.
I'm using an open id provider that allows to check token remotely.
The bff intercepts the front requests and sends them to the API with the jwt token in the header.
The api should ask the open ip provider if the token is correct (but remotely, not using the offline mode with the public key ).
The api is a spring boot 3.0.1 project.
How to configure security in spring boot 3.0.1 to do that check?
Thank you in advance.
You do that with access-token introspection. In spring-security conf, that means using opaqueToken() instead of jwt() (the first configures a resource-server with introspection and the second with a JWT decoder).
Be aware that token introspection is far less efficient than using a JWT decoder as a request is sent to the authorization-server for each and every request to a resource-server. Tutorial there.
i am currently working on a project where my backend uses Spring Boot, Spring security + keycloak and runs on localhost:8081.
My frontend (svelte) runs on http://127.0.0.1:5173/ and the url http://127.0.0.1:5173/products needs to access data from localhost:8081/products (which needs a login) but the login page from keycloak doesnt appear.
In other words, what i am trying to achieve:
I want that the url http://127.0.0.1:5173/products redirects to localhost:8081/products which redirects to keycloak login page and after a successfull login i want to return to http://127.0.0.1:5173/products where i will be able to see the data.
is there an elegant solution to this problem? Im really stuck on this problem and this is one of my first projects.
Thanks in advance!!
Some OAuth2 wording:
Keycloak is an authorization-server (OIDC complient)
Svelte app is a client
Spring REST API is a resource-server
Ensure that a "public" client is declared in Keycloak.
Configure your Svelte client with an existing OIDC lib (component) of your choice to:
use the "public" client deckared in Keycloak
authenticate users against Keycloak (socket is not the same as spring API)
add an authorization header with a JWT access-token retrieved from Keycloak (when issuing requests to your secured REST endpoints)
Configure Spring API as a secured resource-server with a JWT decoder.
You can refer to this article for configuring Keycloak and resource-server with JWT access-tokens.
I have read some articles for Keycloak spring implementation (eg: easily-secure-your-spring-boot-applications-with-keycloak) but no one mention how to use with JWT.
I have created zuul api gateway and add Keycloak adapter as described in the previously linked article. That's ok, but I want to use JWT with keycloak.
Mentioned elsewhere set the client access type to bearer-only and the session strategy to NullAuthenticatedSessionStrategy. That's enough or need something else for JWT?
So my questions:
How do I configure client on Keycloak admin for JWT?
How do I configure Keycloak in backend config file for JWT?
How do I configure Keycloak adapter for JWT?
How do I pass user info to microservice? Create filter in gateway? But how I get user info from request?
Keycloak access token is a JWT. It is a JSON and each field in that JSON is called a claim. By default, logged in username is returned in a claim named “preferred_username” in access token. Spring Security OAuth2 Resource Server expects username in a claim named “user_name”. So, you need to create mapper to map logged in username to a new claim named user_name.
In order to provide access to client (micro-service), respective role needs to be assigned/mapped to user.
In your spring boot application, then you need to configure connection to keycloak server, providing, auth url, token url, scope, grant-type, client-id and client-secret.
Afterthat, your app be able to parse JWT token, you need to create some JwtAccessTokenCustomizer. This class should extend DefaultAccessTokenConverter and implement JwtAccessTokenConverterConfigurer classes. The main logic lays in public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) method.
Then you need to configure OAuth2 Resource Server to provide access for other micro services. For that you define here - Oauth2RestTemplate Bean.
And in the end, secure your REST API, via the standard configuration Component.
So, you can see that, it is a large work, and couldn't be described with code, show some of your work, divide it to the chunk, and ask interesting your questions.
Spring Security is commonly used for authentication and authorization of web applications and web services. While spring can validate users based on credentials_id (user id) and credentails_secret (password) passed through web forms.
What I am looking at is
1) can spring work when these userid and password are passed through http headers.
2) on subsequent requests can spring validate user based on a session id (some thing like jsessionid) passed through http headers?
You can add spring-security module in your project.
passing username and password via http-headers for every request is stateless basic-authentication. Check this example
You can do a stateful authentication: authenticate once, maintain the session.
Check this sample
So, you should write a custom AuthenticationFilter extending referred UsernamePasswordAuthenticationFilter.
Checkout:
Spring Security using HTTP headers
I'm trying to figure out how to have my Spring OAuth2Client use the resource own password scheme when authenticating to my Authorization server using Spring OAuth2. I don't get what the documentation states:
If you desparately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).
How do I do this? Since I'm building both the authorization server and the client my client is a trusted source and I do not need to go through the auth code flow.
I saw this answer: Spring Security Oauth2 - Adding credentials to the AccessTokenRequest
But, I'm not exactly clear how to achieve this so that I don't have to go through the redirect. Can you do this through a basic auth header?
Update:
I think I got it working
I create a ResourceOwnerPasswordResourceDetails and create a new ResourceOwnerPasswordAccessTokenProvider
Then get a token using the credentials and set the token in the injected oauth rest template.
OAuth2AccessToken token = accessTokenProvider.obtainAccessToken(details, request);
restTemplate.getOAuth2ClientContext().setAccessToken(token);
Is this correct?