Re: [keycloak-dev] Spring Security 5.1 - Resource Server support

Hi Josh, Hi Sebi, having proper support for OAuth2 @EnableResourceServer in Spring Security 5 would be very useful. It would also be great if an application could use SSO and Enable ResourceServer at the same time. I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get it to work. I build a demo application that uses SSO based on the OpenID Connect from the latest Spring Security 5 in a Spring Boot 2 app without the need for a Keycloak-adapter library with very little custom code for making the integration work. Perhaps the example can help you to identify some gaps in the current Spring Security OAuth2 / OIDC APIs. The sources can be found here: https://github.com/thomasdarimont /spring-boot-2-keycloak-oauth-example Here are some things that I either had to add or that are currently not possible without more infrastructure plumbing: - Extracting and mapping of Keycloak roles to Spring Security roles. Would be great to have a dedicated API for this - needed to do some plumbing here. See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/master/src/main/java/demo/SpringBoot2App.java#L155 - Propagating logout to Keycloak Could use the standardized OIDC "end_session_endpoint" from the .well-known/ openid-configuration endpoint. See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/master/src/main/java/demo/SpringBoot2App.java#L205 - Explicit configuration for oauth/oidc provider endpoints. Would be great to just use the wellknon endpoint (http://localhost:8080/auth /realms/${realm}/.well-known/openid-configuration) This would ease configuration quite significantly. See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/master/src/main/resources/application.yml#L23 - Handling of access / refresh token for service calls (currently missing) Currently spring security (tested with 5.0.4.RELEASE) does only extracts the IDToken / AccessToken from the OidcUserRequest but not the refresh token. This would be necessary to retrieve new AccessTokens for prolonged service interactions. Another topic is multi-tenancy support. For the example app mentioned above I have a special branch called feature/multi-tenancy that demonstrates a PoC of a hostname based approach for supporting multiple realms / tenants. Some of this is keycloak specific but I think this could be generalized to a degree where the Keycloak specific parts could be reduced to just a few lines of code / configuration. - Configuration See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/feature/mulit-tenancy/src/main/resources/application.yml#L29 - Tenant selection See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth -example/blob/feature/mulit-tenancy/src /main/java/demo/SpringBoot2App.java#L127 Cheers, Thomas Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc <sblanc(a)redhat.com