Hello Keycloak Community,
I am trying to integrate Keycloak with several Spring Boot microservices + Spring Security.
I watched Thomas Darimont’s excellent Spring/Keycloak presentation on YouTube and downloaded his GitHub code as a guide. The initial login and authorization work fine, but I am not able to get the service-to-service authorization working. Here are the details:
I am using Java 11 & Kubernetes running on minikube. I deployed Keycloak using the latest Helm chart from codecentric/keycloak. I’m using the following dependencies:
spring-boot-starter-security
keycloak-spring-boot-starter
keycloak-spring-security-adapter
versioned at spring cloud Hoxton.SR6 and keycloak-adapter-bom 11.0.0.
I can access the first microservice OK, getting redirected to Keycloak, logging in and then getting redirected back to the first microservice when the user has a role with permissions for the URL. This microservice is set up as a public client.
So far so good.
Then I attempt to access a second microservice from the first microservice using Spring Cloud OpenFeign.
I created a feign.RequestInterceptor as detailed here: https://github.com/thomasdarimont/keycloak-docker-demo/blob/master/keycloak-demos/spring-boot-frontend/src/main/java/demo/todo/TodoClientConfig.java.
In the backend service with the Feign implementations, I set up Keycloak in the YAML as follows:
keycloak:
  realm: myRealm
  auth-server-url: url
  resource: mymicroservice
  credentials:
    secret: …
  bearer-only: true
  ssl-required: external
  principal-attribute: subject
  use-resource-role-mappings: true
The backend service is also configured with a config file that extends KeycloakWebSecurityConfigurerAdapter, almost identical to the configuration that the first microservice has, except that it uses a NullAuthenticatedSessionStrategy.
When I configure the backend to just authenticate all users, the services work and return data.
However, once I configure the endpoints with role permissions like the following (same roles as the first microservice had to authorize its URLs):
@Override
protected void configure(HttpSecurity http) throws Exception
{
    super.configure(http);
    http.authorizeRequests()
        .antMatchers("/**").hasAnyRole("Developers")
        .anyRequest()
        .permitAll();
}
I see the following Feign exceptions:
2020-09-22 20:24:00.967 ERROR 1 --- [nio-8080-exec-3] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is feign.FeignException$Forbidden: [403] during [GET] to [http://greeting-service/en-US] [GreetingService#getGreeting(String)]: [{"timestamp":"2020-09-22T20:24:00.896+00:00","status":403,"error":"Forbidden","message":"","path":"/en-US"}]] with root cause
feign.FeignException$Forbidden: [403] during [GET] to [http://greeting-service/en-US] [GreetingService#getGreeting(String)]: [{"timestamp":"2020-09-22T20:24:00.896+00:00","status":403,"error":"Forbidden","message":"","path":"/en-US"}]
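As an added diagnostic example (not part of the post above, and not code from Thomas Darimont's demo): with use-resource-role-mappings: true the Keycloak adapter maps the client roles found under resource_access.<resource>.roles in the access token, whereas with it set to false it maps the realm roles under realm_access.roles. hasAnyRole("Developers") then checks for the authority ROLE_Developers. The first thing to verify when the bearer-only backend answers 403 is therefore which of those two claims in the forwarded token actually carries the role. The Python script below decodes a token's payload without verifying it (inspection only; the adapter still validates signature, issuer and expiry on the real request) and reports what the rule would see under either setting. The client name mymicroservice and the role name Developers come from the post; the token contents are constructed sample data, not a real Keycloak token.

```python
import base64
import json

# Values taken from the post: the backend client name and the role its
# HttpSecurity rule requires. The token contents further down are constructed.
RESOURCE = "mymicroservice"
REQUIRED_ROLE = "Developers"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature.

    Diagnostic use only: this shows what a token says, not whether it is
    genuine. The Keycloak adapter verifies signature, issuer and expiry on
    the real request; never use this helper in place of that check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def roles_seen_by_adapter(claims: dict, resource: str, use_resource_role_mappings: bool) -> set:
    """Roles the Keycloak Spring adapter turns into authorities.

    With use-resource-role-mappings: true it reads the client roles under
    resource_access.<resource>.roles; with false it reads the realm roles under
    realm_access.roles. A token minted for another client can carry the role in
    realm_access while having no resource_access entry for this resource at all.
    """
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def has_any_role(granted: set, *required: str) -> bool:
    """Mirror Spring Security's hasAnyRole(): each name is checked with the
    ROLE_ prefix, so the granted authorities must contain ROLE_<name>."""
    return any("ROLE_" + name in granted for name in required)


def diagnose(token: str, resource: str, required_role: str) -> dict:
    """Decode the token and report whether hasAnyRole(required_role) would pass
    under either adapter setting. Granted role names get the ROLE_ prefix here,
    as an authority mapper configured with that prefix would add it."""
    claims = decode_jwt_payload(token)
    result = {}
    for label, flag in (("with_resource_role_mappings", True), ("with_realm_roles", False)):
        granted = {"ROLE_" + r for r in roles_seen_by_adapter(claims, resource, flag)}
        result[label] = has_any_role(granted, required_role)
    result["realm_roles"] = sorted(claims.get("realm_access", {}).get("roles", []))
    result["client_roles"] = sorted(
        claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return result


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token (alg none, empty signature) so the
    example runs offline. Real Keycloak tokens are signed; this is sample data."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample: the shape of a token issued to a public frontend client,
# carrying Developers as a realm role and no client-role entry for the backend.
SAMPLE_CLAIMS = {
    "sub": "user-placeholder-id",
    "azp": "frontend-client",
    "realm_access": {"roles": ["Developers", "offline_access"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    # Paste a real access token in place of SAMPLE_TOKEN to inspect it the same way.
    print(json.dumps(diagnose(SAMPLE_TOKEN, RESOURCE, REQUIRED_ROLE), indent=2))
```

For the constructed token the report shows the rule passing only under the realm-role setting, which is exactly the split to look for: if the real token carries Developers under realm_access but has no mymicroservice entry under resource_access, the backend's use-resource-role-mappings: true maps no authorities and every role-protected endpoint returns 403 even though authentication succeeded.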