I'm tring SSO Login with Spring Boot and OAuth2.
I have an oauth2 client running on http://localhost:8001/demo and an oauth2 authorization server running on http://localhost:9001/uaa
In result, after approval page it direct to the approval page again and again.I'm getting back "org.springframework.security.authentication.BadCredentialsException: Could not obtain access token" from the client.
I have no idea what's going on. I did this with Spring Boot1.5 everything seems to be find
Code
Related
I'm using spring boot oauth2 client for oauth2 purpose. Right now my application is automatically refreshing the access token after the token is expired as I'm using OAuth2AuthorizedClientManager. I wanted to know if there is a way to refresh the access token manually and store the updated token to spring boot credential store so all the APIs can use that.
I have already checked this post which is similar but not duplicate. Refresh OAuth2 access token manually
Appreciate any help.
i am currently working on a project where my backend uses Spring Boot, Spring security + keycloak and runs on localhost:8081.
My frontend (svelte) runs on http://127.0.0.1:5173/ and the url http://127.0.0.1:5173/products needs to access data from localhost:8081/products (which needs a login) but the login page from keycloak doesnt appear.
In other words, what i am trying to achieve:
I want that the url http://127.0.0.1:5173/products redirects to localhost:8081/products which redirects to keycloak login page and after a successfull login i want to return to http://127.0.0.1:5173/products where i will be able to see the data.
is there an elegant solution to this problem? Im really stuck on this problem and this is one of my first projects.
Thanks in advance!!
Some OAuth2 wording:
Keycloak is an authorization-server (OIDC complient)
Svelte app is a client
Spring REST API is a resource-server
Ensure that a "public" client is declared in Keycloak.
Configure your Svelte client with an existing OIDC lib (component) of your choice to:
use the "public" client deckared in Keycloak
authenticate users against Keycloak (socket is not the same as spring API)
add an authorization header with a JWT access-token retrieved from Keycloak (when issuing requests to your secured REST endpoints)
Configure Spring API as a secured resource-server with a JWT decoder.
You can refer to this article for configuring Keycloak and resource-server with JWT access-tokens.
We are trying to implement spring boot oauth2 authentication and then role based authorization for the front-end application routing.
following is an example what we are trying to achieve. after authentication is done we want to get the groups from jwt or from an api by using the access token and if the groups are there user will be be able to login otherwise will get 403. We have done this for on prem security but trying with oatuh2 but not luck so far.
.antMatchers(getProtectedURIs()).hasAnyAuthority(userConfig.getUserGroups())
I have set up the keycloak server and created the spring rest application with keycloak rest adapters. The Authorizations rules are working fine.
I would like to know about the internal working of the keycloak spring boot rest adapter. How the logged in user's token is validated against policy and permission set in keycloak admin client.
You are correct, access token does not contain all these details.
In Keycloak when you are using server side adapters the client will be configured to use the standard flow and not the implicit flow of OIDC.
In standard flow when you login using keycloak IDP your front-end redirects to Keycloak IDP and asks for you credentials. If you have the right credentials login is successful and you are redirected back to your app. In this redirect your app gets a code which it then sends to the back-end rest call. This code is used by spring adapter in the spring boot app to make a call to Keycloak IDP server and it is this call in which the boot application will get the user context to take all the authorization decisions as a response from the Keycloak server.
Hope this makes sense.
on spring boot 1.4, using #EnableOAuth2Sso for sso client and a kong third party authorization server, i'm able to receive the authorization code but unable to retrieve the access token.
the authorization code is part of the redirect url after which is there any configuration or a process for retrieving the access token?
Once you get the Authz code, you need to make a server side call(so that access token flow doesn't go through end user browser) to Authz Server for access_token, Look at this section of OAuth 2.0 Spec.