I've successfully been able to secure a Spring Boot REST service using the keycloak Spring Boot adaptors and a Keycloak identity provider. However we now wish to attempt the same thing thing without using Keycloak adaptors but using Oauth2 directly. This is so that we can potentially connect to any identity provider in the future. I've tried various approaches but so far have had no success.
Has anybody been able to secure a Spring Boot REST service using the KeyCloak identity provider with Oauth2 rather than the Keycloak Spring Boot adapters?
Related
i want to run webflux based web app using non blocking netty server and authentication using keycloak.
seems like keycloak does not support netty server. is there a way to override default behavior of keycloak and use netty instead of tomcat?
this is required becuase my webflux application does not work properly on other web servers.
i want to use keycloak for basic authentication but when i configure keycloak in my application and try to run it it does not come up on netty dependecies, only when i add tomcat to my webflux pom.xml then keycloak server comes up.
and idea how ot run keycloak on netty server?
I am using jBPM standalone to create workflows. By default, login is performed using the users.properties file.
I have an Identity server (created in Dot Net IdentityServer4 implementing OpenId) running and I registered a client (Ex: JBPM_CLIENT) and have the details (Scope, SecretKeys, etc..)
I am trying to redirect the authentication of jBPM through that Identity gateway.
While reading the documentation I thought KeyCloak can be used for this requirement.
But, when I see the KeyCloak GUI and configuration, it looks like KeyCloak something like IdentityServer4 and is useful to create an Identity Server instance.
My doubt is whether I can use KeyCloak as a client to connect to IdentityServer4?
Please suggest me a route.
Keycloak can act as an identity broker and it supports OIDC (OpenID Connect) identity providers. Using that capability, first configure your IdentityServer4 as the OIDC provider on Keycloak. Keycloak's documentation covers these details.
Once that's set, you can configure jBPM to use Keycloak client adapter for Wildfly and then create a suitable Keycloak client under the same realm where you had configured the OIDC identity provider. Details related to that are covered in this blog (outdated though).
I have a monolithic Spring Boot application generated by jhipster and microservice gateway also by jhipster. Both are secured with keycloak OpenID. I need both monolithic and microservice gateway work with same keycloak token.
Both apps are configured to use SSO in SecurityConfiguration and both use the same client on keycloak (named "web_app" in default jhipster-provided keycloak config) and I can authenticate with same credentials on both apps. But when I login in monolith it signs me out of gateway (miscroservice app) and visa versa.
How can I configure SSO (e.g. authentication in any of my applications and using same keycloak session on all of them) in my jhipster generated Spring Boot app?
Thank you :)
we am trying to use open ID connect (OIDC) for authentication and authorization (AnA) for our micro-service architecture based on spring-cloud framework
As a part of requirement we want to achieve following:
Integrate (OIDC) with SSO Federation as a Identity provider which we are using federation to authenticate users (staff id)
How to customize access_token which in turn will be provided by a micro service (Authorization service)
I am looking at MITREid Connect as its based on spring framework and spring security
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
As a resutl of that, all requests to our services have to go through (OIDC) for (AnA)
I also check on https://cloud.spring.io/spring-cloud-security/ as I understand the Zuul server will get an access_token to relay to proxied services. But our scenarios are different as we want to expose other micro-services to external parties as well so that we want to have secure our services.
Any advices is highly appreciated.
Friends,
Recently I have created one web-services application using spring-boot and now its having few unsecured entry points. (This is a pure rest based application having only rest entry points doesn't have any UI components).
Now I would like to add CAS client with this application for securing the rest entry points.
My CAS server is ready and its up and running. And I have configured CAS Rest protocol as well in my cas server to access TGT/ST through rest call and I'm in the planning of using only the rest call rather than using login pages.
So, when an user tries to access my rest application, I'm going to call CAS rest entry points internally (by using restTemplate) to validate user credentials and generating TGT and ST.
Available CAS entry points are (from jasig reference docs),
POST /cas/v1/tickets HTTP/1.0
username=battags&password=password&additionalParam1=paramvalue
POST /cas/v1/tickets/{TGT id} HTTP/1.0
service={form encoded parameter for the service url}
DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0
I think, I'm little clear on this part. Please correct me if I'm wrong.
And now my query here is, what should I do to add a ST ticket validator in my spring boot application? Do I need to add any filters using spring-security? Or do I need to call any other rest api for validating the ST? Please guide me to proceed further.
You can use existing Spring boot cas starter:
cas security spring boot starter
cas client autoconfig support
That will configure for you and magically your spring boot app with CAS authentication (and thus your application will be able to read ST or PT without effort).
I'm author of cas security spring boot starter, so I won't influence your choice but main difference from that project and cas client autoconfig support developed by Unicon is about Spring security integration.
Indeed cas security spring boot starter is fully compliant with spring security, thus you will be able to use any feature you know from spring security. Whereas cas client autoconfig support will instantiate and configure Apereo (Jasig) filters that is not designed to work out of box with Spring security.
You don't need a service ticket unless you want to call another service from your web service. Validating the received credentials via the CAS REST API is enough.
If you are looking for a security library to protect your web service via the CAS REST API, you should give a try to: https://github.com/pac4j/spring-webmvc-pac4j and especially this configuration: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L74