I'd like to handle an authorization code grant flow with Spring.
It "works" for the redirections: on arriving at my app, I am correctly redirected to OpenAM, authN and grant authZ, submit, redirected to the redirectUri.
But when I come back to the redirectUri, it seems Spring doesn't go inside my method (doesn't stop on my breakpoint), and the security context is probably empty, so not authenticated, so redirected back to auth.
Here's my config; am I missing something?
REST API in Spring Boot, with Angular frontend.
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.2.2.RELEASE</version>
    <relativePath />
</parent>
...
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfigOAuth2 extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
            .and()
            .authorizeRequests()
                .antMatchers("/REST/v1/authorization-code/**").permitAll()
                .anyRequest()
                .authenticated()
            .and()
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .oauth2Login()
            .and()
            .oauth2Client()
        ;
    }
}
server:
  port: 8080
  servlet:
    context-path: /OAuth2Client
spring:
  application:
    name: OAuth2Client
  security:
    basic:
      enabled: false
    oauth2:
      client:
        registration:
          openam:
            clientId: MyClientId
            scope:
              - openid
              - profile
              - email
            authorizationGrantType: authorization_code
---
spring:
  profiles: dev
  security:
    oauth2:
      client:
        provider:
          openam:
            tokenUri: {openam-dev}/access_token
            authorizationUri: {openam-dev}/authorize
            userInfoUri: {openam-dev}/userinfo
            tokenInfoUri: {openam-dev}/tokeninfo
            jwkSetUri: {openam-dev}/jwk_uri
        registration:
          openam:
            clientSecret: MyClientSecret-dev
            redirectUri: "{baseUrl}/REST/v1/authorization-code/callback"
logging:
  level:
    org.springframework.security: DEBUG
    org.springframework.web.client.RestTemplate: DEBUG
I am building a Spring Cloud Gateway in which I am implementing Keycloak security. Everything works fine, but I need to do it programmatically instead of writing it in the yml file, since there can be multiple realms.
Below are the dependencies which I am using:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>
And my API gateway start-up application code is as below:
@SpringBootApplication
@ComponentScan(basePackages = {"com", "com.b", "com.auth", "com.security"})
public class APIGatewayApplication {
    public static void main(String[] args) {
        SpringApplication.run(APIGatewayApplication.class, args);
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new PathBasedKeycloakConfigResolver();
    }
}
Security Config http code is as below:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
                .anyExchange()
                .authenticated()
            .and()
            .oauth2Login(); // to redirect to oauth2 login page.
        return http.build();
    }
}
And in my application.yml file I am adding the configuration below:
spring:
  security:
    oauth2:
      client:
        provider:
          my-keycloak-provider:
            issuer-uri: http://localhost:8280/auth/realms/Default
        registration:
          keycloak-spring-gateway-client:
            provider: my-keycloak-provider
            client-id: Default
            client-secret: 8ZRUH62Pfhfde6uqasD8dfgdhvqWt03K6
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/app'
  main:
    web-application-type: reactive
  application:
    name: app
  cloud:
    gateway:
      default-filters:
        - TokenRelay
So, as you can see in the configuration file, I am manually adding the config for one realm, but there can be multiple realms; how do I do this programmatically and dynamically?
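As an added example (not from the question, nor from Spring or Keycloak project code), the registration above expressed programmatically for several realms: a ReactiveClientRegistrationRepository bean built from each realm's issuer. It assumes Spring Security 5.4+ (for the redirectUri builder method), Java 11+, a hypothetical realm-to-client-id table and a hypothetical secret lookup from environment variables.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

@Configuration
public class MultiRealmClientRegistrationConfig {

    // Hypothetical realm -> client-id table. In a real gateway this would be
    // loaded from your own source (database, config server, tenant registry).
    private static final Map<String, String> CLIENT_ID_BY_REALM = Map.of(
            "Default", "Default",
            "tenant-b", "tenant-b-gateway-client");

    @Bean
    public ReactiveClientRegistrationRepository clientRegistrationRepository(
            @Value("${keycloak.base-url:http://localhost:8280/auth}") String keycloakBaseUrl) {
        List<ClientRegistration> registrations = CLIENT_ID_BY_REALM.entrySet().stream()
                .map(e -> buildRegistration(keycloakBaseUrl, e.getKey(), e.getValue()))
                .collect(Collectors.toList());
        // Defining this bean replaces what spring.security.oauth2.client.registration.*
        // in application.yml would otherwise have built.
        return new InMemoryReactiveClientRegistrationRepository(registrations);
    }

    private static ClientRegistration buildRegistration(String baseUrl, String realm, String clientId) {
        String issuer = baseUrl + "/realms/" + realm;
        // fromIssuerLocation() fetches <issuer>/.well-known/openid-configuration at
        // startup (the same thing issuer-uri does in YAML), so Keycloak must be reachable then.
        return ClientRegistrations.fromIssuerLocation(issuer)
                .registrationId("keycloak-" + realm)
                .clientId(clientId)
                .clientSecret(secretForRealm(realm))
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // The registrationId placeholder gives every realm its own callback URL.
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid")
                .build();
    }

    private static String secretForRealm(String realm) {
        // Hypothetical lookup: read the secret from the environment rather than from a
        // committed YAML file, e.g. KEYCLOAK_CLIENT_SECRET_DEFAULT for realm "Default".
        String secret = System.getenv("KEYCLOAK_CLIENT_SECRET_" + realm.toUpperCase().replace('-', '_'));
        if (secret == null) {
            throw new IllegalStateException("No client secret configured for realm " + realm);
        }
        return secret;
    }
}
```

Because the repository is built from a startup-time table, adding a realm later means rebuilding the bean; for truly runtime-dynamic realms you would implement ReactiveClientRegistrationRepository yourself and resolve the realm on each findByRegistrationId call.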
I want to integrate Keycloak with spring boot application. The problem is that at the end, I got 403 forbidden error when calling the protected endpoints.
I have a client, which is named clientApp1, and a realm role, which is named clientApp1User and mapped to the created user. Following is my decoded JWT token:
{
  alg: "RS256",
  typ: "JWT",
  kid: "ZWDbgcSI8nD2Yq4LA6hxYcsTbnf6y6Zj8PKyUobE_qE"
}.
{
  exp: 1666444432,
  iat: 1666444132,
  jti: "e6883855-ef20-4fac-95dd-8f13bd0ae552",
  iss: "http://localhost:12500/auth/realms/sampleRealm",
  aud: "account",
  sub: "80e1e45f-49fb-4a5a-9a60-b0057d291c53",
  typ: "Bearer",
  azp: "clientApp1",
  session_state: "c22af762-7be9-4150-94d5-8bd35065ac57",
  acr: "1",
  allowed-origins: [
    "http://localhost:11501"
  ],
  realm_access: {
    roles: [
      "clientApp1User",
      "offline_access",
      "uma_authorization",
      "default-roles-samplerealm"
    ]
  },
  resource_access: {
    account: {
      roles: [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  scope: "email profile",
  sid: "c22af762-7be9-4150-94d5-8bd35065ac57",
  email_verified: false,
  name: "user1FirstName User1LastName",
  preferred_username: "user1",
  given_name: "user1FirstName",
  family_name: "User1LastName"
}.
[signature]
Moreover, here is my pom.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.5</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ResourceServerSample</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ResourceServerSample</name>
    <description>ResourceServerSample</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
Since I want to use security annotations to secure my endpoints, I have set the security configuration as follows:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
    prePostEnabled = true,
    securedEnabled = true,
    jsr250Enabled = true)
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .cors()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests()
                .anyRequest().permitAll()
            .and().oauth2ResourceServer().jwt();
        http.csrf().disable();
        return http.build();
    }
}
Finally, in order to protect my endpoints I have used annotations like the following:
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestControllers {
    // Public endpoint
    @GetMapping("/welcome")
    public ResponseEntity<String> welcome() {
        return ResponseEntity.status(HttpStatus.OK).body("Welcome to the unprotected endpoint");
    }

    // @RolesAllowed("clientApp1User")
    // @Secured("clientApp1User")
    @PreAuthorize("hasAuthority('clientApp1User')")
    @GetMapping("/clientApp1User")
    public ResponseEntity<String> clientApp1User() {
        return ResponseEntity.status(HttpStatus.OK).body("clientApp1User protected endpoint sends its regards");
    }

    @PreAuthorize("hasAuthority('SCOPE_email')")
    @GetMapping("/testScope")
    public ResponseEntity<String> testScope() {
        return ResponseEntity.status(HttpStatus.OK).body("testScope protected endpoint sends its regards");
    }
}
The problem that I face is that the endpoint which is protected with @RolesAllowed("clientApp1User"), @Secured("clientApp1User") or @PreAuthorize("hasAuthority('clientApp1User')") returns 403 Forbidden when it's called with a valid access token.
On the other hand, endpoints with annotations like @PreAuthorize("hasAuthority('SCOPE_email')") or @PreAuthorize("hasAuthority('SCOPE_profile')") return 200 OK.
I believe Spring Boot cannot accurately parse the JWT token and only expects values in the scope claim, with the prefix SCOPE_, as authorities.
Can anyone help me to fix the problem and use the RolesAllowed/Secured/PreAuthorize annotations to secure the endpoint with the roles declared in the realm_access and resource_access claims?
Roles are private claims: they are in neither the OAuth2 nor the OpenID specs, and each authorization-server provider uses its own.
You have to provide your own Converter<Jwt, AbstractAuthenticationToken> @Bean to map authorities from realm_access.roles (and maybe resource_access.clientApp1.roles if you enable client-level roles in Keycloak) to override the Spring Boot default, which turns the Jwt into a JwtAuthenticationToken (which can be fine) with authorities mapped from the scope claim, adding the SCOPE_ prefix (which is not what you want).
Complete samples here: https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials which cover various servlet scenarios with @Controller tests.
For reactive apps or secured @Service & @Repository tests, see https://github.com/ch4mpy/spring-addons/tree/master/samples (but it contains fewer explanations than the tutorials, so start with the tutorials and move up to the samples for your exact use-case).
Sample
With the help of spring-boot 3 starters from the repo linked above, configuration for Keycloak can be as simple as (just adapt properties for any other OIDC provider):
<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <!-- depending on your use-case, you might replace -->
    <!-- "webmvc" with "webflux" (for reactive apps) and -->
    <!-- "jwt" with "introspecting" (for access-token introspection instead of JWT decoding) -->
    <artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
    <version>6.0.4</version>
</dependency>
@Configuration
@EnableMethodSecurity()
public class SecurityConfig {
}
#This illustrates configuration for accepting identities from both
# a Keycloak instance with authorities mapped from realm_access.roles and resource_access.account.roles
# an Auth0 domain with authorities mapped from roles and permissions
com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master
com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,resource_access.account.roles
com.c4-soft.springaddons.security.issuers[1].location=https://dev-ch4mpy.eu.auth0.com/
com.c4-soft.springaddons.security.issuers[1].authorities.claims=roles,permissions
com.c4-soft.springaddons.security.cors[0].path=/**
com.c4-soft.springaddons.security.cors[0].allowed-origins=https://localhost,https://localhost:8100,https://localhost:4200
com.c4-soft.springaddons.security.permit-all=/actuator/health/readiness,/actuator/health/liveness,/welcome
Bonus
As already spoiled, in tutorials and samples, you'll see how to mock OAuth2 identities (with authorities) during unit and integration tests.
@WebMvcTest(controllers = SampleController.class)
@AutoConfigureAddonsWebSecurity // this is required only if you use one of the starters above
@Import({ SecurityConfig.class })
class SampleControllerTest {
    @Autowired
    MockMvc mockMvc; // provided by @WebMvcTest

    @Test
    void whenAnonymousThenGetWelcomeIsOk() throws Exception {
        mockMvc.perform(get("/sample")).andExpect(status().isOk());
    }

    @Test
    void whenAnonymousThenGetClientApp1UserUnauthorized() throws Exception {
        mockMvc.perform(get("/clientApp1User")).andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockJwtAuth("clientApp1User")
    void whenClientApp1UserThenGetClientApp1UserOk() throws Exception {
        mockMvc.perform(get("/clientApp1User")).andExpect(status().isOk());
    }
}
You can have a look at this example on github.
The problem right now is that you need to add your roles to the Security Context of Spring Boot.
public static class CustomJwtConfigure implements Converter<Jwt, JwtAuthenticationToken> {
    // Keycloak puts realm roles under the realm_access.roles claim
    private static final String REALM = "realm_access";
    private static final String ROLES = "roles";

    @Override
    public JwtAuthenticationToken convert(Jwt jwt) {
        var tokenAttributes = jwt.getClaims();
        // nested claims are plain Map/List (the nimbus JSONObject/JSONArray of older
        // Spring Security versions also implement these interfaces)
        var realmAccess = (Map<String, Object>) tokenAttributes.get(REALM);
        var roles = (List<?>) realmAccess.get(ROLES);
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        roles.forEach(role -> grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + role)));
        return new JwtAuthenticationToken(jwt, grantedAuthorities);
    }
}
Link to github account
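As an added example that is not from either answer above, the Converter<Jwt, AbstractAuthenticationToken> both answers describe, written out in full and wired into the resource server: it reads realm_access.roles and every resource_access.<client>.roles null-safely (a token from a client with no client-level roles still converts), and makes the authority prefix configurable so the same class serves hasAuthority('clientApp1User') and the ROLE_-prefixed checks. Class and method names are my own.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class KeycloakRolesSecurityConfig {

    /** Maps Keycloak's private role claims (realm and client level) to Spring authorities. */
    static class KeycloakJwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
        private final String prefix;

        /** prefix "" keeps bare names for hasAuthority('clientApp1User') and @Secured;
         *  prefix "ROLE_" is what hasRole('clientApp1User') and @RolesAllowed expect. */
        KeycloakJwtAuthenticationConverter(String prefix) {
            this.prefix = prefix;
        }

        @Override
        public AbstractAuthenticationToken convert(Jwt jwt) {
            List<GrantedAuthority> authorities = new ArrayList<>();
            addRoles(authorities, jwt.getClaimAsMap("realm_access"));
            Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
            if (resourceAccess != null) {
                for (Object clientAccess : resourceAccess.values()) {
                    if (clientAccess instanceof Map) {
                        addRoles(authorities, (Map<?, ?>) clientAccess);
                    }
                }
            }
            // preferred_username as principal name; the default would be the opaque "sub".
            return new JwtAuthenticationToken(jwt, authorities, jwt.getClaimAsString("preferred_username"));
        }

        private void addRoles(List<GrantedAuthority> authorities, Map<?, ?> access) {
            // Missing claim or missing "roles" array simply contributes nothing.
            if (access == null || !(access.get("roles") instanceof Collection)) {
                return;
            }
            for (Object role : (Collection<?>) access.get("roles")) {
                authorities.add(new SimpleGrantedAuthority(prefix + role));
            }
        }
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests().anyRequest().permitAll() // method security decides per endpoint
            .and().oauth2ResourceServer().jwt()
                // replaces the default converter, which only maps the scope claim to SCOPE_xxx
                .jwtAuthenticationConverter(new KeycloakJwtAuthenticationConverter(""));
        http.csrf().disable();
        return http.build();
    }
}
```

With the token shown in the question this yields the authorities clientApp1User, offline_access, uma_authorization, default-roles-samplerealm, manage-account, manage-account-links and view-profile, and no SCOPE_email/SCOPE_profile, so the @PreAuthorize("hasAuthority('SCOPE_email')") endpoint would now return 403 unless the scope mapping is added back.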
This is my security configuration file for the resource server:
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecureSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
            .sessionCreationPolicy(STATELESS)
            .and()
            .authorizeRequests()
                // specific matchers must precede anyRequest(): Spring Security rejects
                // antMatchers() after anyRequest(); Ant patterns also need the leading "/"
                .antMatchers("/api/**")
                .authenticated()
                .anyRequest()
                .permitAll()
            .and()
            .oauth2ResourceServer()
            .jwt();
    }
}
And these are the dependencies for the Spring Boot application (resource server app):
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-core</artifactId>
    <version>5.5.3</version>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.1.6.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
Here is the jwk-set-uri in the config yml file, to which my application connects at start-up:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:8083/.well-known/openid-configuration/jwks
And now, when I get the token from the auth server via Postman and try to make a request to my server, I'm getting this kind of error:
Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$NotFound: 404 null", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
Who has faced this kind of issue?
Change the "Hostname Verification" to "none" in SSL properties tab.
I have a spring boot application in which I have integrated Azure AD authentication. The authorization url does not redirect to home page but keeps giving 401 unauthorized.
Below is application.properties:
ssoServiceUrl=https://login.microsoftonline.com/xxxxx
spring.security.oauth2.client.registration.azure.client-authentication-method=post
security.oauth2.client.client-id=xxxxxxx
security.oauth2.client.client-secret=xxxxxxx
security.oauth2.client.scope=openid https://graph.microsoft.com/user.read
security.oauth2.client.authentication-scheme=header
security.oauth2.client.client-authentication-scheme=form
security.oauth2.issuer=https://login.microsoftonline.com/xxxxxx/v2.0
security.oauth2.client.access-token-uri=${ssoServiceUrl}/oauth2/v2.0/token
security.oauth2.client.user-authorization-uri=${ssoServiceUrl}/oauth2/v2.0/authorize
security.oauth2.resource.user-info-uri=https://graph.microsoft.com/oidc/userinfo
Below are the dependencies in pom.xml:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <version>2.2.6.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.2.6.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
The app's configure method is as follows:
public void configure(HttpSecurity http) {
    try {
        http.antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/error**")
                .permitAll()
                .anyRequest()
                .authenticated()
            .and()
            .logout()
                .deleteCookies()
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .logoutSuccessUrl("https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A8080");
    } catch (Exception e) {
        // HttpSecurity methods declare a checked Exception; configure() here does not, so wrap it
        throw new IllegalStateException(e);
    }
}
I followed this post and added spring.security.oauth2.client.registration.azure.client-authentication-method=post, but that does not work. Also, I changed the Spring Boot starter dependency versions, but that also does not help.
I also followed this and changed the Azure endpoints from v2 to v1, but that also does not work. This is working fine on localhost. I am not able to collect any logs, as this is happening after deployment to the ECS service and errors out without touching application code.
Could you please try our latest version of azure-spring-boot-starter-active-directory, which works with Spring Boot 2.4.5?
I'm trying to use Strava to authenticate customers who want to use my web application using Spring Boot, and I'm stuck on this error:
.s.o.c.w.OAuth2LoginAuthenticationFilter : Authentication request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Could not extract response: no suitable HttpMessageConverter found for response type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [text/html]
I would appreciate any help to move forward and solve this error. I simplified the reproduction of the error to just 2 classes:
DemoSecurity.java extending WebSecurityConfigurerAdapter
DemoApplication.java as the entry to the application with @SpringBootApplication,
and you will need to register an app with Strava (https://www.strava.com/settings/api) to get your client_secret and client_id. In Strava, the callback needs to be added as localhost to run this test.
Finally, to reproduce the error, you only need to run the application in your IDE and go to http://localhost:8080/login in your browser.
Thank you very much
This is my application.yml:
spring:
  security:
    oauth2:
      client:
        registration:
          strava:
            provider: strava-provider
            client-id: XXXXX
            client-secret: XXXXXXXXXXXXXXXXX
            client-authentication-method: POST
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8080/login/oauth2/code/
            scope:
              - read
        provider:
          strava-provider:
            tokenUri: https://www.strava.com/api/v3/oauth/token/
            authorizationUri: https://www.strava.com/api/v3/oauth/authorize?response_type=code
This is my pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.1.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
This is my DemoApplication.java:
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}
This is my DemoSecurity.java:
package com.example.demo;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
@Configuration
public class DemoSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login**", "/", "/error", "/webjars/**").permitAll()
                .anyRequest()
                .authenticated().and()
            .oauth2Login()
        ;
    }
}
Looking at your application.yml, I can see you're missing the user-info-uri and user-name-attribute:
Since it's OAuth2 and not OIDC, Spring needs to know where it can find the user and which field is the unique id of the user.
I had a quick look at Strava's API documentation; I think it might be this:
user-info-uri: https://www.strava.com/api/v3/athlete
user-name-attribute: id
But you might need to check their docs or contact their support team to confirm; basically you're just looking for an API call that will return the user's details, and confirm which field is the unique identifier or username of the user.
After testing what Wojciech Lesniak answered (thank you), nothing made sense, but I figured it out, at least, partially.
These are the logs of my project failing:
2020-07-10 06:19:19.946 DEBUG 56091 --- [nio-8080-exec-2] .s.o.c.w.OAuth2LoginAuthenticationFilter : Request is to process authentication
2020-07-10 06:19:19.948 DEBUG 56091 --- [nio-8080-exec-2] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
2020-07-10 06:19:20.734 DEBUG 56091 --- [nio-8080-exec-2] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider
2020-07-10 06:19:20.735 DEBUG 56091 --- [nio-8080-exec-2] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2020-07-10 06:19:20.741 DEBUG 56091 --- [nio-8080-exec-2] .s.o.c.w.OAuth2LoginAuthenticationFilter : Authentication request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Could not extract response: no suitable HttpMessageConverter found for response type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [text/html]
And these are the logs of the project working with the same source code:
2020-07-10 06:20:09.917 DEBUG 56106 --- [nio-8080-exec-2] .s.o.c.w.OAuth2LoginAuthenticationFilter : Request is to process authentication
2020-07-10 06:20:09.920 DEBUG 56106 --- [nio-8080-exec-2] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
2020-07-10 06:20:10.689 DEBUG 56106 --- [nio-8080-exec-2] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#30f74e79
2020-07-10 06:20:10.690 DEBUG 56106 --- [nio-8080-exec-2] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy#8a8639c
2020-07-10 06:20:10.690 DEBUG 56106 --- [nio-8080-exec-2] .s.o.c.w.OAuth2LoginAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken#efd72585: Principal: Name: [60310151], Granted Authorities: [[ROLE_USER, SCOPE_read]], User Attributes: [{id=60310151, username=null, resource_state=2, firstname=Marcos, lastname=Garcia, city=Chicago, state=Illinois, country=United States, sex=null, premium=false, summit=false, created_at=2020-06-03T11:18:54Z, updated_at=2020-07-07T16:10:35Z, badge_type_id=0, profile_medium=avatar/athlete/medium.png, profile=avatar/athlete/large.png, friend=null, follower=null}]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 858ADB4064C6112BD3EE7909CA036E06; Granted Authorities: ROLE_USER, SCOPE_read
The only possibility was the configuration. Reviewing it line by line, it was something as silly as not including "/" at the end of the URL:
tokenUri: https://www.strava.com/api/v3/oauth/token