Keycloak: Spring Boot project as bearer and reusing token from user - spring

I am building an application with an angular frontend and spring boot on the backend. I was able to configure the angular and spring part.
So, the frontend requests a token and sends it with every request to the java backend. This works just fine.
My java backend is now in the need to reuse the client token to request data from another service, which uses the same mechanism.
What is the right way to go forward? Requesting an own token for my service or using the existing token from the authenticated user?
I have not found a way to do this.

Works as pointed out by ravthiru
While calling your 3rd service you can use the same token , Add your third service as bearer-only Client.

Related

Spring boot - Token online verification

I'm developing an app.
Front/bff/api.
I'm using an open id provider that allows to check token remotely.
The bff intercepts the front requests and sends them to the API with the jwt token in the header.
The api should ask the open ip provider if the token is correct (but remotely, not using the offline mode with the public key ).
The api is a spring boot 3.0.1 project.
How to configure security in spring boot 3.0.1 to do that check?
Thank you in advance.
You do that with access-token introspection. In spring-security conf, that means using opaqueToken() instead of jwt() (the first configures a resource-server with introspection and the second with a JWT decoder).
Be aware that token introspection is far less efficient than using a JWT decoder as a request is sent to the authorization-server for each and every request to a resource-server. Tutorial there.

how do I design my authenticated requests and my frontend

i am currently working on a project where my backend uses Spring Boot, Spring security + keycloak and runs on localhost:8081.
My frontend (svelte) runs on http://127.0.0.1:5173/ and the url http://127.0.0.1:5173/products needs to access data from localhost:8081/products (which needs a login) but the login page from keycloak doesnt appear.
In other words, what i am trying to achieve:
I want that the url http://127.0.0.1:5173/products redirects to localhost:8081/products which redirects to keycloak login page and after a successfull login i want to return to http://127.0.0.1:5173/products where i will be able to see the data.
is there an elegant solution to this problem? Im really stuck on this problem and this is one of my first projects.
Thanks in advance!!
Some OAuth2 wording:
Keycloak is an authorization-server (OIDC complient)
Svelte app is a client
Spring REST API is a resource-server
Ensure that a "public" client is declared in Keycloak.
Configure your Svelte client with an existing OIDC lib (component) of your choice to:
use the "public" client deckared in Keycloak
authenticate users against Keycloak (socket is not the same as spring API)
add an authorization header with a JWT access-token retrieved from Keycloak (when issuing requests to your secured REST endpoints)
Configure Spring API as a secured resource-server with a JWT decoder.
You can refer to this article for configuring Keycloak and resource-server with JWT access-tokens.

OAuth in Spring security question to get userInfo

My application has frontend build with angular and backend build with spring boot, and I use openam by Forgerock as an authentication server. I got the access_token in frontend and pass this access_token to backend through Bearer authentication, But now I have to check if the token is valid in backend by calling /userInfo endpoint. My question is how to config in spring boot to call this endpoint everytime when get the request? Thanks
I may case I didn't had any explicit configuration for access token. You just have to call end points and the tokens will be stored in the header for authentication. Though you can set the timer for it.

CAMUNDA API REST Authentication

I am trying to connect from my javascript front to the REST API of my camunda orchestration which is deployed as part of a spring boot application.
the called url is :
GET http://localhost:8081/oms-orchestrator-ms/api/engine/engine/default/history/process-instance
i get an 401 error for non authenticated queries which is normal
First question : is it the right way to query the Engine Rest API for process definition/ instances and history?
In order to make it work , i add the JSESSIONID cookie as header to my requests,
how can i use the basic auth to query the orchestrator api instead of using the cookie?
Thanks for your Help
the /api path is part of the cockpits REST backend which is secured by the same rules as the cockpit webapp.
You can additionally deploy the rest api (camunda-bpm-spring-boot-starter-rest if you are using spring boot). This will add an almost identical REST api for the engine under the path /rest. This one is open by default and can be secured manually if required (and advised for prod environments).

Do I need Spring Security if I use JWT Authentication with Spring Boot?

I'm about to implement a token based authentication system with Spring Boot and Json web token. I have a frontend app built with Angular. My understanding is that once authenticated, all API calls from the angular app will send the token to the server to be verified before a response is sent back.
I'm wondering then how Spring Security would fit into the picture. It seems like it is no longer necessary if I just use the server to verify the token every time the frontend makes a call.
My question is whether or not Spring Security is required in this instance and if it is, what role will/can it play?
I would like to know from the outset before diving in. Thanks!

Resources