
I struggle a little with various tutorials pointing in every direction without working at all for me.

The idea is quite simple: having an Angular frontend with a secured Spring Boot backend, put together using Keycloak as an identity provider.

Frontend:

For the frontend I found this one: https://www.npmjs.com/package/keycloak-angular which works for the frontend quite well. I go to the page, get a redirection to the Keycloak login page and get back with a JWT token in my pocket.

In Keycloak I configured a client with protocol 'openid-connect' and access type 'public'.

Backend:

For the backend I try to use Spring Boot as a resource server and added these dependencies to my build.gradle:

implementation("org.springframework.security:spring-security-oauth2-jose")
implementation("org.springframework.security.oauth:spring-security-oauth2:2.3.4.RELEASE")
implementation("org.springframework.security:spring-security-oauth2-resource-server")

had a security config like that:

private val AUTH_WHITELIST: Array<String> = arrayOf(
        // -- swagger ui
        "/v2/api-docs", "/swagger-resources",
        "/swagger-resources/**", "/configuration/ui",
        "/configuration/security",
        "/swagger-ui.html",
        "/webjars/**"
)


@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
    http.cors()
            .and().authorizeRequests()
            .antMatchers(*AUTH_WHITELIST).permitAll()
            .anyRequest().authenticated()
            .and().logout().logoutUrl("/logout").permitAll()
            .and().csrf().disable()
            .oauth2ResourceServer().jwt().jwkSetUri(this.authProperties.jwt.jwkSetUri);
    // .and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
}

and added the following properties to application.yml

  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:8081/auth/realms/{{realm}}/protocol/openid-connect/certs
          issuer-uri: http://localhost:8081/auth/realms/{{realm}}

In Keycloak I also created a client with protocol 'openid-connect' and access type 'bearer-only'.

To try out the backend I use Swagger and therefore created another client in Keycloak with protocol 'openid-connect' and access type 'public', and followed these instructions: Keycloak integration in Swagger, which also works very well.

Frontend + Backend:

Now I try to bring the stuff together. I create a service in the frontend calling the REST API. I see CORS working (the OPTIONS call first returns 200). Then the GET returns 401 even with the Authorization header set:

Authorization       bearer eyJhbGciOiJSUzI1NiIsInR…hz0zWAU3hFQR87stc8alj9asJqZPw

After setting the security logging to debug, it says something like

2019-01-03 14:30:58.183 DEBUG 17884 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@355bb1b2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'

Now I have no idea what to do. Maybe anyone could help. Thx

  • made some progress by using the keycloak-spring-security-adapter and the keycloak-spring-boot-starter Version 4.8.1 and some inspiration from here: https://blog.codecentric.de/2017/09/keycloak-und-spring-security-teil-2-integration-von-keycloak-in-spring-security/ .. now getting a 403 :-) – IEE1394 Jan 03 '19 at 17:19
  • Exactly my scenario did you manage to get it working? – ochs.tobi Jun 26 '20 at 06:22
  • Yeah.. You also have much less pain if you use Micronaut – IEE1394 Jun 26 '20 at 07:02
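
A diagnostic for a 401 like the one above, added here as an example and not part of the question or of any answer: it splits the bearer token without verifying the signature and checks the points a JWT resource server rejects on (auth scheme, kid present in the JWKS, iss equal to the configured issuer-uri, exp). The realm name, token, JWKS and signature are constructed sample data.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it or urlsafe_b64decode raises
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_jwt(token: str) -> tuple:
    """Split a compact JWS into (header, claims); the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def diagnose(authorization: str, issuer_uri: str, jwks: dict, now: float = None) -> list:
    """Return the reasons a JWT resource server would reject this Authorization header."""
    findings = []
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer":  # RFC 6750: the scheme name is case-insensitive
        return [f"unexpected auth scheme {scheme!r}"]
    header, claims = parse_jwt(token)
    now = time.time() if now is None else now
    if header.get("alg") != "RS256":
        findings.append(f"alg is {header.get('alg')!r}; Keycloak realm keys default to RS256")
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in kids:
        findings.append(f"kid {header.get('kid')!r} not in JWKS (wrong realm or rotated key?)")
    if claims.get("iss") != issuer_uri:
        findings.append(f"iss {claims.get('iss')!r} != configured issuer-uri {issuer_uri!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    return findings

# Constructed sample data shaped like Keycloak output; the signature is a placeholder.
ISSUER = "http://localhost:8081/auth/realms/demo"
SAMPLE_JWKS = {"keys": [{"kid": "abc123", "kty": "RSA", "alg": "RS256", "use": "sig"}]}

def make_token(iss: str, kid: str = "abc123", exp: int = 2_000_000_000) -> str:
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps({"iss": iss, "exp": exp, "azp": "frontend"}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"

if __name__ == "__main__":
    print(diagnose("bearer " + make_token(ISSUER), ISSUER, SAMPLE_JWKS))
    print(diagnose("Bearer " + make_token("http://127.0.0.1:8081/auth/realms/demo"), ISSUER, SAMPLE_JWKS))
```

Run it against the real header value and the JSON from your jwk-set-uri; an issuer that differs only by host (localhost vs 127.0.0.1) or realm is enough for the resource server to treat the request as anonymous.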
