I have successfully implemented a Spring Boot web application integrated with Keycloak 9.0.2 using the “https://www.keycloak.org/docs/9.0/securing_apps/index.html#_spring_security_adapter” instructions.
Surprisingly, this works perfectly well for GET requests only.
When my web pages try to make a POST request to the server, I am getting a server failure for a missing CSRF filter token.
I was able to bypass this error by overriding the behavior of org.keycloak.adapters.springsecurity.filter.KeycloakCsrfRequestMatcher, adding “POST” to “allowedMethods”, but I feel this is neither elegant nor compliant.
My argument is that since my browser has already been authenticated, any request to my server should be treated as authenticated.
Is there a proper way for handling POST requests from authenticated web pages?
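Added example, not part of the original question: instead of adding POST to the matcher's allowedMethods, the page sends the CSRF token back on every state-changing request. It assumes the adapter's `configure(HttpSecurity)` has been set up with Spring Security's `CookieCsrfTokenRepository.withHttpOnlyFalse()`, which issues a JavaScript-readable `XSRF-TOKEN` cookie and expects it in the `X-XSRF-TOKEN` header; the cookie string and endpoint below are constructed.

```javascript
// Names used by Spring Security's CookieCsrfTokenRepository (assumed server config).
const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-XSRF-TOKEN';
// Methods the default CSRF matcher leaves unprotected; everything else needs the token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'TRACE', 'OPTIONS']);

// Extract one cookie value from a document.cookie style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build fetch() options that carry the CSRF header for unsafe methods.
// Fails early when the token is missing instead of sending a request the
// CsrfFilter will reject with 403.
function withCsrf(init, cookieString) {
  const method = (init.method || 'GET').toUpperCase();
  const headers = { ...(init.headers || {}) };
  if (!SAFE_METHODS.has(method)) {
    const token = readCookie(cookieString, CSRF_COOKIE);
    if (!token) throw new Error(`${CSRF_COOKIE} cookie not set; reload the page`);
    headers[CSRF_HEADER] = token;
  }
  // 'same-origin' keeps the Keycloak session cookie on the request.
  return { ...init, method, headers, credentials: 'same-origin' };
}

// Browser usage (document and fetch exist only there; '/api/orders' is a placeholder):
// fetch('/api/orders', withCsrf({ method: 'POST', body: JSON.stringify(order),
//   headers: { 'Content-Type': 'application/json' } }, document.cookie));
```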