Develop Reference

Keycloak doesnt validate token on user_info endpoint in docker settings

My application based on microservices were working fine working on just localhost untill trying to set it up on docker-compose.
I've got issue on API Gateway side. I've figured that authorization-uri has to be on localhost since it goes from outside of docker network.
token-uri and user-info-uri are going from gateway to keycloak and need to call keycloak by its dns name. clientId and userId null in the error.
19:09:20,616 WARN [org.keycloak.events] (default task-2) type=USER_INFO_REQUEST_ERROR, realmId=cinema, clientId=null, userId=null, ipAddress=172.21.0.9, error=invalid_token, auth_method=validate_access_token
spring:
application:
name: Gateway
config:
import: optional:configserver:http://${ConfigService:configserver}:8888
cloud:
gateway:
discovery:
locator:
enabled: true
default-filters:
- TokenRelay
security:
oauth2:
client:
provider:
keycloak-spring-gateway-client:
token-uri: http://${KEYCLOAK:localhost}:8080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/token
authorization-uri: http://localhost:28080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/auth
user-name-attribute: preferred_username
user-info-uri: http://${KEYCLOAK:localhost}:8080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/userinfo
jwk-set-uri: http://${KEYCLOAK:localhost}:8080/auth/realms/${app.config.keycloak.realm}/protocol/openid-connect/certs
user-info-authentication-method: header
registration:
keycloak-spring-gateway-client:
provider: keycloak-spring-gateway-client
client-id: gateway
client-secret: ${GATEWAY_SECRET:PxY64IIOcSCUgZDWRdt2rHf8SL41xdX5}
authorization-grant-type: authorization_code
redirect-uri: http://localhost:8890/login/oauth2/code/keycloak
scope: openid
resourceserver:
jwt:
jwk-set-uri: ${app.config.keycloak.url}/realms/${app.config.keycloak.realm}/protocol/openid-connect/certs
I've tried to change user-id to user_Id, but doesnt change anything.
Any ideas what could be wrong? Any help would be appreciated.

Spring Security Okta Registration Redirect Uri

Have a spring boot mvc app protected by spring security oauth2 using authorization code flow . App is redirecting to proper redirect uri for login when deployed and running in local machine . But in our kubernetes deployment there is a api gateway in front of the app and app is accessed at following path
https:///<k8_namespace_name>/<app_name>
where
k8_namespace_name is the kubernetes namespace name and app_name is a identifier for the app in the namespace . Issue is that redirect uri for login is going to
https:///oauth2/authorization/okta
instead of
https:///<k8_namespace_name>/<app_name>/oauth2/authorization/okta
Below is the application.yaml config
management:
endpoints:
web:
base-path: /
spring:
security:
oauth2:
client:
registration:
okta:
client-id: xxxxx
scope:
# Include the required openid scope
- openid
- employee_number
- groups_whitelist
- first_name
- last_name
- store_number
provider:
okta:
authorization-uri: https://auth.com/v1/xxxx/authorize?skip_iwa=true
token-uri: https://auth.com/v1/xxxx/token
user-info-uri: https://auth.com/v1/xxxx/userinfo
jwk-set-uri: https://auth.com/v1/xxx/keys

You can use redirect-uri property to define where user will be redirected after successful login.
It should look like that:
spring:
security:
oauth2:
client:
registration:
okta:
redirect-uri: https:///<k8_namespace_name>/<app_name>/login/oauth2/code/{registrationId}
client-id: xxxxx
scope:
# Include the required openid scope
- openid
- employee_number
- groups_whitelist
- first_name
- last_name
- store_number
provider:
okta:
authorization-uri: https://auth.com/v1/xxxx/authorize?skip_iwa=true
token-uri: https://auth.com/v1/xxxx/token
user-info-uri: https://auth.com/v1/xxxx/userinfo
jwk-set-uri: https://auth.com/v1/xxx/keys
Please remember to add your redirect uri to Okta client configuration.

Keycloak with Spring Cloud Gateway: how to exclude endpoint resources?

I am following the steps on https://blog.jdriven.com/2019/11/spring-cloud-gateway-with-openid-connect-and-token-relay/ , using a gateway and a microservice. Everything works fine, but when I try to exclude a resource (like for example "somepage.html") in the microservice, it does not work, I always get redirected to the keycloak login.
I tried to in the config part of the service to add
http.authorizeRequests()
.antMatchers("/index*")
.permitAll();
but it did not work, I added this part to the config:
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/public/**");
}
but it did not help either...
This is the gateway config file:
server:
port: 8080
spring:
application:
name: travel-spring-cloud-gateway
security:
oauth2:
client:
provider:
keycloak:
issuer-uri: http://localhost:8090/auth/realms/spring-cloud-gateway-realm
user-name-attribute: preferred_username
registration:
keycloak:
client-id: spring-cloud-gateway-client
client-secret: 3a456790-c720-4208-9d4b-fb230ea03dc1
cloud:
gateway:
default-filters:
- TokenRelay
routes:
- id: front-service
uri: http://127.0.0.1:8086/front
predicates:
- Path=/front/**
How can I make the gateway (or the microservice) prevent a request from being redirected to the keycloak login?

Spring Security redirectUri for localhost is using https instead of http

I have used spring security to implement my oauth2 client. I have configured my callback as http://localhost:8080/login/oauth2/code/abc, so when I test my app in my local environment the callback is going to https://localhost:8080/login/oauth2/code/abc, as https is not valid for localhost my browser is throwing an error because of which I could not test my application loally
spring:
profiles: local
security:
oauth2:
client:
registration:
abc:
client-id: OTExZDE3MGQtZTkyMy00YWZjLWFhZDItMGVmZTI1ZDQ3MGJm
client-secret: MzNlZWFhNDQtOGE4Mi00NDVkLWFiMTUtZjAzNWE2YmU2YWIz
authorization-grant-type: authorization_code
redirectUri: http://localhost:3000/login/oauth2/code/abc
scope:
- openid
- internal
provider:
abc:
authorization-uri: https://api.abc.com/oauth/authorize
token-uri: https://api.abc.com/oauth/token
jwk-set-uri: https://api.abc.com/oauth/keys

How about this configuration?
security.oauth2.client.use-current-uri=false
The JavaDoc of AbstractRedirectResourceDetails.isUseCurrentUri() says as follows.
Flag to signal that the current URI (if set) in the request should be used in preference to the pre-established redirect URI.

How to force Spring boot OAuth2 autoconfig to use another yml file instead of application.yml file?

I developed a spring boot application which is using OAuth2 autoconfigure but I am not able to force it to read client configurations from a yml file other than application.yml
Thanks in advance

One simple solution is to use multiple profiles and one client file by profile:
The first properties files named application-my-client-1.yml :
spring:
security:
oauth2:
client:
registration:
my-client-1:
client-id: ${APP-CLIENT-ID}
client-secret: ${APP-CLIENT-SECRET}
client-name: my-client user
provider: my-client
scope: user
redirect-uri: http://localhost:8080/login/oauth2/code/my-client
Activated by setting the my-client-1 profile to on when running the spring boot app:
java -jar -Dspring.profiles.active=my-client-1 myApplication.jar
The second properties files named application-my-client-2.yml :
spring:
security:
oauth2:
client:
registration:
my-client-2:
client-id: ${APP-CLIENT-ID}
client-secret: ${APP-CLIENT-SECRET}
client-name: my-client-2 email
provider: my-client-2
scope: user:email
redirect-uri: http://localhost:8080/login/oauth2/code/my-client-2
Activated by setting the my-client-2 profile to on when running the spring boot app:
java -jar -Dspring.profiles.active=my-client-2 myApplication.jar
All properties can be activited by setting all profiles on:
java -jar -Dspring.profiles.active=my-client-1,my-client-2 myApplication.jar