Our stack includes the following services, each service runs in a docker container:
Front-end in React
Backend service based on Spring boot "resource-service"
Keycloak
Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are few options to integrate Spring with Keycloak:
Keycloak Spring Boot Adapter
Keycloak Spring Security Adapter
Spring Security and OAuth2
I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Bood adapter, the only configuration necessary is the following:
keycloak:
bearer-only: true
auth-server-url: your-url
realm: your-realm
resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us :-)
After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or #EnableGlobalMethodSecurity which we're doing with e. g. #Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.
Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: #PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
I want to secure different Spring boot rest APIs using OAuth2 authorization server.
What is the best solution to achieve this?
I have an app (A) exposing REST services secured with oauth2. (spring security oauth2/spring-web)
I want to create a second app (B) (spring-boot or normal spring), from where I can login then call the REST services from A.
How can I configure security in app B so I can use both social login (facebook, twitter, google) and call REST services from app A? Is there an example using spring security/oauth/social integration?
I've found some examples but none sais how to integrate them
Have you tries the Spring oAuth2 tutorial with FB and Google login? This also includes a local login. All code is available in git from the link in the right column of the tutorial.
I have a running Spring based Apache CXF web service. I want to use Spring Security Oauth2 to secure the existing service. I have done this for SpringREST service but i am not able to find any help for securing CXF with Spring security Oauth2. Can some one please help me.
In Spring Security OAuth, can it consume/work with JWT tokens that were generated from a user authenticating with Keycloak? Keycloak's open-id far as that goes, but it all seems to be really similar. I'm still trying to understand the dividing line and also what's similar or same with this.
Basically I'd like to authenticate separately in a REST client then use the token in the Authorization header for REST calls to some web services. There seems to be some JWT stuff in in the Spring Security OAuth, so I'm wondering I can actually use that instead of the Keycloak Spring stuff? Are there any examples of this out there? (I'd love to use the Spring security checks on different methods in my controller)
You can use the Keycloak Spring adapter and still rely on Spring Security annotations for controller security. The main purpose of the Keycloak Spring adapter is simplify the integration with Keycloak for interactive login and also to correctly map JWT access token claims into the Spring Security authentication context.
Reading through the Spring Security OAuth2 documentation, I get the impression that it's not quite ready out of the box to handle OpenID Connect JWT access tokens. However, it's customizable so it could most likely be made to work.
My advice for now is to stick with the Keycloak Spring adapter if you're using Keycloak as your OIDC server. It will save you time and it's well tested with Keycloak.