So I've been trying to create a stateless resource server using OAuth2.
I created an empty Spring Boot app with only two dependencies, org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-oauth2-resource-server. Then I created a docker-compose file with Keycloak so that I would have some out-of-the-box solution for authentication. After that I configured my realm and added one property to application.yml:
```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:40000/auth/realms/myrealm
```
After that I configured Postman to get a token from Keycloak before accessing my application. And all works like a charm, but there is one tiny problem that bugs me. When I call my application for the first time it returns 401 when I don't send the token, and that is so cool; then I send a request with the token and it responds with code 200, and that is also very cool. The problem is that when I send a 3rd request without the token I still get 200. Now I think the issue is JSESSIONID, since when I remove it I get 401 again. How can I make my application truly stateless? I would like my app to require the token with every request. Also, why is this stateless behaviour not the default with OAuth2?
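One way to get the behaviour asked for above, as an added example that is not part of the original question: tell Spring Security never to create or consult an HTTP session, so each request is authorized only by the bearer token it carries and a leftover JSESSIONID cookie is ignored. It assumes Spring Boot 3 / Spring Security 6 (the SecurityFilterChain bean style); the class and bean names are made up for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class; the issuer-uri still comes from
// spring.security.oauth2.resourceserver.jwt.issuer-uri in application.yml.
@Configuration
public class ResourceServerSecurityConfig {

    @Bean
    SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
        http
            // STATELESS: no session is created and none is read, so the
            // security context is never stored between requests. A request
            // without a valid bearer token is rejected even if the client
            // still sends a JSESSIONID cookie from an earlier call.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protection guards cookie-backed sessions; with token-only
            // authentication and no session there is nothing for it to protect.
            .csrf(csrf -> csrf.disable())
            // Every endpoint requires an authenticated principal.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Validate the JWT signature and claims against the configured issuer.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

To verify the change, repeat the three-request sequence from the question: the third request (no Authorization header, JSESSIONID still present) should now return 401, and the response to the second request should no longer set a JSESSIONID cookie at all.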