How to Setup Keycloak + Spring Boot + Oauth2 within Microservice Architecture - java

I've setup Keycloak and a public/front-end spring boot app successfully. Everything is working as expected. The front-end Spring Boot App is configured in Keycloak as a client (app-ui) in the realm, user's are able to login through keycloak, tokens pass successfully everything's great. Spring Security is securing endpoints and roles are being respected for endpoints.
Now, I'm trying to add a downstream Spring Boot App (Web Service) in the mix and I want it to be aware of the logged in user to be able to secure calls to it. The front-end Spring Boot App is using Feign Client to call the REST endpoints on the back-end Spring Boot App, but the back-end is not doing any authentication/authorization.
I have a couple questions I'm having trouble figuring out:
How do I setup the front-end Spring Boot App to pass the authenticated user details to the back-end Spring Boot App (RequestInterceptor / RestTemplate / Feign config / Http Headers)?
How do I configure the back-end Spring Boot App to use the authenticated user details it receives from the upstream Spring Boot App and what dependencies do I need to add to the back-end Spring Boot App to facilitate that (org.keycloak:keycloak-spring-boot-starter and org.springframework.boot:spring-boot-starter-security)?
Is there anything I need to configure in Keycloak for the back-end Spring Boot App? Should it be registered in Keycloak as a confidential/non-public client (e.g. app-api)?
Is there anything specific to configure in the back-end Spring Boot App? Does it talk to Keycloak to verify the authenticated user details it receives from the upstream callers?
I'd love to see a demo or tutorial that takes the one's I've seen about How to integrate Keycloak and Spring Boot one step farther to also secure any other downstream services. If I can figure this out, I'll post one.
I'm assuming this can be done with standard OAuth2 configuration on the back-end Spring Boot App, but I wasn't sure how it's recommended to achieve this architecture.
Here's the architecture I'm trying to setup:

How do I setup the front-end Spring Boot App to pass the authenticated user details to the back-end Spring Boot App (RequestInterceptor / RestTemplate / Feign config / Http Headers)?
You need to pass bearer-token in your http request header.
How do I configure the back-end Spring Boot App to use the authenticated user details it receives from the upstream Spring Boot App and what dependencies do I need to add to the back-end Spring Boot App to facilitate that (org.keycloak:keycloak-spring-boot-starter and org.springframework.boot:spring-boot-starter-security)?
You need to add a new client in realm for example "back-end-client" and set its "Access Type" to 'bearer only'. You will need 'keycloak-spring-boot-starter' and 'spring-boot-starter-security' dependencies, also in your add 'keycloak-adapter-bom' .
In your application.properties you should have below mentioned properties
keycloak.realm =
keycloak.auth-server-url = your keycloak url
keycloak.ssl-required =external
keycloak.bearer-only=true
keycloak.resource =your client name
keycloak.credentials.secret= your secret key
keycloak.security-Constraints[0].authRoles[0] = user
keycloak.security-Constraints[0].securityCollections[0].patterns[0] = /*
keycloak.cors=true
Is there anything I need to configure in Keycloak for the back-end Spring Boot App? Should it be registered in Keycloak as a confidential/non-public client (e.g. app-api)?
You need to create a new client and it should be registered as "bearer only"
you can refer this link : https://www.keycloak.org/docs/latest/securing_apps/#_spring_boot_adapter

Related

How to manage resource services?use pring security oauth2 authorization server as server

According to the current official documents, how to manage the resource service when using spring security oauth2 authorization server as the authentication server? Previously, in spring cloud security, there were two sides: server and client. At present, this part has been removed. What dependency does the removed resource service need? Use spring boot security?

spring boot web app for authentication/autorization using AWS Cognito Java API

AWS Cognito primarly meant for Serverless user authentication from Mobile or Web application (Javascript).
The primary concern is that, we need to do client implementation for each of the client like Android, IOS and Javascript.
Instead of that can we have spring boot server which will expose a login/signup/action rest endpoint for all the above clients where the spring boot will authenticate/signup with Congnito on behalf of the clients and send the access_token response back to the client. This way, Conginto integration will be done only in one place which is the Spring boot application.
Can we go ahead with this approach? Does AWS SDK supports Java for cognito access from Server?
Here's an article which shows an example of implementing a Spring boot application that is able to authenticate the user against Amazon Cognito using OAuth 2.0 authorization code grant and JSON Web Tokens.
This github repo contains the example code in Kotlin
Probably, this is in some ways, similar to your usecase.

Spring boot admin oauth2 keycloak

I have a spring boot application secured with keycloak. I have a client in keycloak specific for this application.
Now I want to deploy spring boot admin and also implement keycloak on it. My question is how can I let the spring-boot-admin talk to my app?

OAuth2 Client And Resource Server in same application

I'm creating an Authentication Server and which some of my existing applications can use to authenticate. I'm using the OAuth2 with Spring Boot by following this sample project and tutorial https://github.com/dynamind/spring-boot-security-oauth2-minimal.
But in my case my existing applications are built using Spring MVC and angular. So there is no separate Resource Server. Resources are also located in same application(Resources are my Secured Request Mappings in same application).I just want to separate the authentication process from my client applications and use a common Authorization Server. (Currently they use the Google Authentication + Spring Security to secure the application).
So I tried to use #EnableResourceServer and #EnableOAuth2Client in same application but I could not get the expected results.
What is the best way to achieve this task?? Is there any other method that I can follow to authenticate my applications from Oauth2 Server?
You need to configure your web security for form based login and Resource Server Security form REST Endpoints
See my answer to the similar question here

Spring Boot + Spring Security Restful Login

How would I go about securing a spring boot web service with spring security using java configurations and not xml? I need this to be a pseudo-RESTful service that returns a 401 response code on failed authentication and does not involve a custom login page. On a successful authentication, JSESSIONID should be returned and subsequently sent with every request.
Can someone provide a coded example of how to do this as I am completely lost? The Spring guides (for whatever reason) do not cover anything like this for spring boot secured with spring security.
THANK YOU!
Have you read through Dave Syer's blog posts on securing spring boot web apps? He's got a great 5-part post on this subject:
SSO with OAuth2: Angular JS and Spring Security Part V
http://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v

Categories