[keycloak-dev] Spring Security 5.1 - Resource Server support

Josh Cummings josh.cummings at gmail.com
Tue May 15 12:04:17 EDT 2018 

Thomas, Sebi -

Thanks for the feedback.

I took your sample, Thomas, and was able to get it to work with our new
resource server code (which is not yet integrated with
@EnableResourceServer), though I will still check and see what might be the
problem with the existing support. I've got a partially-working sample
here, if you'd like to take a look:
https://github.com/jzheaux/spring-security-oauth2-resource-server/blob/master/samples/boot/oauth2/resource-server/keycloak-with-client

- Role extraction: Right now, you are already following the recommended
approach listed here in the documentation:
https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#oauth2login-advanced-map-authorities-oauth2userservice
It
sounds like you might be looking for something more targeted at extracting
authorities from an OidcUserRequest? I've just added a ticket with some of
my thoughts: https://github.com/spring-projects/spring-security/issues/5349

Since I think that the use case might be a little different on the resource
server side, I added a separate ticket for that:
https://github.com/jzheaux/spring-security-oauth2-resource-server/issues/37

(If it's not too confusing, you can add tickets specifically related to
Resource Server to that dedicated repo)

- Propagating logout to Keycloak: Thanks, added:
https://github.com/spring-projects/spring-security/issues/5350

- Explicit configuration and Handling of access: You can track progress on
these two here:
https://github.com/spring-projects/spring-security/issues/4413
https://github.com/spring-projects/spring-security/issues/4371

Regarding multi-tenancy, we don't have specific plans, though I did look
through your TenantAwareJwtDecoder and will continue thinking about this.
I've added a ticket to get the discussion started:
https://github.com/spring-projects/spring-security/issues/5351

Josh

On Fri, May 11, 2018 at 7:02 AM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hi Josh, Hi Sebi,
>
> having proper support for OAuth2 @EnableResourceServer in Spring Security
> 5 would be very useful.
> It would also be great if an application could use SSO and Enable
> ResourceServer at the same time.
>
> I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get
> it to work.
>
> I build a demo application that uses SSO based on the OpenID Connect from
> the latest
> Spring Security 5 in a Spring Boot 2 app without the need for a Keycloak-adapter
> library
> with very little custom code for making the integration work.
> Perhaps the example can help you to identify some gaps in the current
> Spring Security OAuth2 / OIDC APIs.
> The sources can be found here: https://github.com/thomasdarimont
> /spring-boot-2-keycloak-oauth-example
>
> Here are some things that I either had to add or that are currently not
> possible without more infrastructure plumbing:
>
> - Extracting and mapping of Keycloak roles to Spring Security roles.
> Would be great to have a dedicated API for this - needed to do some
> plumbing here.
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/master/src/main/java/demo/SpringBoot2App.java#L155
>
> - Propagating logout to Keycloak
> Could use the standardized OIDC "end_session_endpoint" from the
> .well-known/openid-configuration endpoint.
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/master/src/main/java/demo/SpringBoot2App.java#L205
>
> - Explicit configuration for oauth/oidc provider endpoints.
> Would be great to just use the wellknon endpoint (http://localhost:8080/
> auth/realms/${realm}/.well-known/openid-configuration)
> This would ease configuration quite significantly.
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/master/src/main/resources/application.yml#L23
>
> - Handling of access / refresh token for service calls (currently missing)
> Currently spring security (tested with 5.0.4.RELEASE) does only extracts
> the IDToken / AccessToken from the OidcUserRequest
> but not the refresh token. This would be necessary to retrieve new
> AccessTokens for prolonged service interactions.
>
> Another topic is multi-tenancy support. For the example app mentioned
> above I have a special branch called feature/multi-tenancy
> that demonstrates a PoC of a hostname based approach for supporting
> multiple realms / tenants.
> Some of this is keycloak specific but I think this could be generalized
> to a degree where the Keycloak specific parts could be reduced
> to just a few lines of code / configuration.
>
> - Configuration
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/feature/mulit-tenancy/src/main/resources/application.yml#L29
> - Tenant selection
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/feature/mulit-tenancy/src/main/java/demo/
> SpringBoot2App.java#L127
>
> Cheers,
> Thomas
>
> Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc <
> sblanc at redhat.com>:
>
>> Hi Josh !
>>
>> Thanks for pinging us about this ! We really appreciate your offer to
>> collaborate. I will try ASAP playing with the new Spring Sec and share my
>> findings with you.
>>
>> Seb
>>
>>
>> Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings at gmail.com> a
>> écrit :
>>
>> > Hi,
>> >
>> > I'm not sure if you already know, but the Spring Security Team is
>> > re-writing its support for OAuth2. We are planning on releasing initial
>> > Resource Server support in 5.1 this September.
>> >
>> > I'd love to collaborate with you guys, especially while you are in
>> beta, to
>> > see if what we are writing is complementary to your goals. Perhaps we
>> can
>> > help remove some of your boilerplate, etc., say from your Spring
>> Security
>> > adapter.
>> >
>> > https://github.com/jzheaux/spring-security-oauth2-resource-server
>> >
>> > This is sort of a sandbox repo for Spring Security's new Resource Server
>> > support.
>> >
>> > Would love your feedback. I'll be updating the repo with some integrated
>> > Keycloak samples in the next few days.
>> >
>> > Thanks,
>> > Josh
>> >
>> > --
>> > Josh Cummings
>> >
>> > Software Engineer | Teacher | Pi Fanatic |
>> > https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
>> > <http://blog.joshuacummings.com>
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>


-- 
Josh Cummings

Software Engineer | Teacher | Pi Fanatic |
https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
<http://blog.joshuacummings.com> | @jzheaux <https://twitter.com/jzheaux>

More information about the keycloak-dev mailing list