Re: [keycloak-dev] Spring Security 5.1 - Resource Server support

Hi Josh, Hi Sebi, having proper support for OAuth2 @EnableResourceServer in Spring Security 5 would be very useful. It would also be great if an application could use SSO and Enable ResourceServer at the same time. I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get it to work. I build a demo application that uses SSO based on the OpenID Connect from the latest Spring Security 5 in a Spring Boot 2 app without the need for a Keycloak-adapter library with very little custom code for making the integration work. Perhaps the example can help you to identify some gaps in the current Spring Security OAuth2 / OIDC APIs. The sources can be found here: https://github.com/thomasdarimont /spring-boot-2-keycloak-oauth-example Here are some things that I either had to add or that are currently not possible without more infrastructure plumbing: - Extracting and mapping of Keycloak roles to Spring Security roles. Would be great to have a dedicated API for this - needed to do some plumbing here. See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/master/src/main/java/demo/SpringBoot2App.java#L155 - Propagating logout to Keycloak Could use the standardized OIDC "end_session_endpoint" from the .well-known/openid-configuration endpoint. See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/master/src/main/java/demo/SpringBoot2App.java#L205 - Explicit configuration for oauth/oidc provider endpoints. Would be great to just use the wellknon endpoint (http://localhost:8080/ auth/realms/${realm}/.well-known/openid-configuration) This would ease configuration quite significantly. See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/master/src/main/resources/application.yml#L23 - Handling of access / refresh token for service calls (currently missing) Currently spring security (tested with 5.0.4.RELEASE) does only extracts the IDToken / AccessToken from the OidcUserRequest but not the refresh token. This would be necessary to retrieve new AccessTokens for prolonged service interactions. Another topic is multi-tenancy support. For the example app mentioned above I have a special branch called feature/multi-tenancy that demonstrates a PoC of a hostname based approach for supporting multiple realms / tenants. Some of this is keycloak specific but I think this could be generalized to a degree where the Keycloak specific parts could be reduced to just a few lines of code / configuration. - Configuration See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/feature/mulit-tenancy/src/main/resources/application.yml#L29 - Tenant selection See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/feature/mulit-tenancy/src/main/java/demo/ SpringBoot2App.java#L127 Cheers, Thomas Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc < sblanc(a)redhat.com&gt;: > Hi Josh ! > > Thanks for pinging us about this ! We really appreciate your offer to > collaborate. I will try ASAP playing with the new Spring Sec and share my > findings with you. > > Seb > > > Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings(a)gmail.com&gt; a > écrit : > > > Hi, > > > > I'm not sure if you already know, but the Spring Security Team is > > re-writing its support for OAuth2. We are planning on releasing initial > > Resource Server support in 5.1 this September. > > > > I'd love to collaborate with you guys, especially while you are in > beta, to > > see if what we are writing is complementary to your goals. Perhaps we > can > > help remove some of your boilerplate, etc., say from your Spring > Security > > adapter. > > > > https://github.com/jzheaux/spring-security-oauth2-resource-server > > > > This is sort of a sandbox repo for Spring Security's new Resource Server > > support. > > > > Would love your feedback. I'll be updating the repo with some integrated > > Keycloak samples in the next few days. > > > > Thanks, > > Josh > > > > -- > > Josh Cummings > > > > Software Engineer | Teacher | Pi Fanatic | > > https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com > > <http://blog.joshuacummings.com> > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev