Keycloak basic authentication with Spring Security 6

Hello Friends,
I am trying to migrate my legacy Spring Boot 2.7.x application to Spring Boot 3.
There we had a basic authentication entry point implementation written with the help of keycloak-spring-security-adapter.
I know it is deprecated now, but I couldn’t find any good example of implementing basic authentication with the help of Keycloak.
Expecting help here…!!!

Try to migrate to using standard OpenID Connect with Spring Security for authentication purposes and OAuth 2.0 acting as Resource Server related to APIs for authorization.

Here, you have an example with multiple OIDC providers:

Alternatively, you can check out an API (RS) example:


Thanks for the reply…
Will this be helpful to authenticate and authorise requests coming to the resource server with an “Authorization: Basic xxxxxxx” header?
Does the Spring Security integration of the resource server act as the client for Keycloak?

I believe you’re mixing up the ideas.

An API acting as a Resource Server follows the OAuth 2.0 standard [1]. In this case, the API will receive an access token (JWT or opaque) in the Authorization header with the format Bearer {access-token-value} [2]. Period. There is no other way.
Spring Security supports OAuth 2.0 [3]; therefore, it’s super straightforward.

I always try to recommend to the customer two things: follow modern standards and don’t reinvent the wheel.

[1] RFC 6749 - The OAuth 2.0 Authorization Framework
[2] RFC 6749 - The OAuth 2.0 Authorization Framework
[3] OAuth 2.0 Resource Server JWT :: Spring Security

Hi @embesozzi ,
Thanks for pointing this out.
But in this case, I need to stick to the older way.
So I implemented an AuthenticationManager that creates the login POST request to the Keycloak API and sets the token into the context for authorization.
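One way to build the bridge described in the last post, as an added example that is not the poster's code: a Spring Security 6 `AuthenticationProvider` (the unit the standard `AuthenticationManager` delegates to) that exchanges the Basic credentials for a Keycloak access token and verifies it before use. The class name, the public client with Direct access grants enabled, and the injected `JwtDecoder` are assumptions.

```java
import java.util.Map;
import org.springframework.http.*;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.util.*;
import org.springframework.web.client.*;

// Hypothetical class: turns "Authorization: Basic" credentials into a verified Keycloak JWT.
public class KeycloakBasicAuthProvider implements AuthenticationProvider {
    private final RestTemplate http = new RestTemplate();
    private final JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    private final String tokenUri;    // <keycloak-base>/realms/<realm>/protocol/openid-connect/token
    private final String clientId;    // assumed: public client, Direct access grants enabled
    private final JwtDecoder decoder; // e.g. JwtDecoders.fromIssuerLocation(<issuer-uri>)

    public KeycloakBasicAuthProvider(String tokenUri, String clientId, JwtDecoder decoder) {
        this.tokenUri = tokenUri; this.clientId = clientId; this.decoder = decoder;
    }

    @Override
    public Authentication authenticate(Authentication auth) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("client_id", clientId);
        form.add("username", auth.getName());
        form.add("password", String.valueOf(auth.getCredentials()));
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        try {
            Map<?, ?> body = http.postForObject(tokenUri, new HttpEntity<>(form, headers), Map.class);
            if (body == null || !(body.get("access_token") instanceof String token)) {
                throw new AuthenticationServiceException("Token response had no access_token");
            }
            // Verify signature, issuer and expiry before trusting any claim.
            return converter.convert(decoder.decode(token));
        } catch (HttpClientErrorException e) { // 4xx from the token endpoint
            throw new BadCredentialsException("Invalid username or password");
        } catch (RestClientException | JwtException e) {
            throw new AuthenticationServiceException("Keycloak token request failed", e);
        }
    }

    @Override
    public boolean supports(Class<?> type) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
    }
}
```

Register it on the filter chain with `http.httpBasic(Customizer.withDefaults()).authenticationProvider(provider)`. With stateless sessions every request triggers a token call to Keycloak, and the default converter maps only the token's `scope` claim to authorities.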