10:26 p.m.
Hi,
I'm not sure if you already know, but the Spring Security Team is
re-writing its support for OAuth2. We are planning on releasing initial
Resource Server support in 5.1 this September.
I'd love to collaborate with you guys, especially while you are in beta, to
see if what we are writing is complementary to your goals. Perhaps we can
help remove some of your boilerplate, etc., say from your Spring Security
adapter.
https://github.com/jzheaux/spring-security-oauth2-resource-server
This is sort of a sandbox repo for Spring Security's new Resource Server
support.
Would love your feedback. I'll be updating the repo with some integrated
Keycloak samples in the next few days.
Thanks,
Josh
--
Josh Cummings
Software Engineer | Teacher | Pi Fanatic |
https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
<http://blog.joshuacummings.com>
12:53 a.m.
Hi Josh !
Thanks for pinging us about this ! We really appreciate your offer to
collaborate. I will try ASAP playing with the new Spring Sec and share my
findings with you.
Seb
Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings(a)gmail.com> a
écrit :
Hi,
I'm not sure if you already know, but the Spring Security Team is
re-writing its support for OAuth2. We are planning on releasing initial
Resource Server support in 5.1 this September.
I'd love to collaborate with you guys, especially while you are in beta, to
see if what we are writing is complementary to your goals. Perhaps we can
help remove some of your boilerplate, etc., say from your Spring Security
adapter.
https://github.com/jzheaux/spring-security-oauth2-resource-server
This is sort of a sandbox repo for Spring Security's new Resource Server
support.
Would love your feedback. I'll be updating the repo with some integrated
Keycloak samples in the next few days.
Thanks,
Josh
--
Josh Cummings
Software Engineer | Teacher | Pi Fanatic |
https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
<http://blog.joshuacummings.com>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:02 p.m.
Hi Josh, Hi Sebi,
having proper support for OAuth2 @EnableResourceServer in Spring Security 5
would be very useful.
It would also be great if an application could use SSO and Enable
ResourceServer at the same time.
I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get it
to work.
I build a demo application that uses SSO based on the OpenID Connect from
the latest
Spring Security 5 in a Spring Boot 2 app without the need for a
Keycloak-adapter
library
with very little custom code for making the integration work.
Perhaps the example can help you to identify some gaps in the current
Spring Security OAuth2 / OIDC APIs.
The sources can be found here: https://github.com/thomasdarimont
/spring-boot-2-keycloak-oauth-example
Here are some things that I either had to add or that are currently not
possible without more infrastructure plumbing:
- Extracting and mapping of Keycloak roles to Spring Security roles.
Would be great to have a dedicated API for this - needed to do some
plumbing here.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/java/demo/SpringBoot2App.java#L155
- Propagating logout to Keycloak
Could use the standardized OIDC "end_session_endpoint" from the .well-known/
openid-configuration endpoint.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/java/demo/SpringBoot2App.java#L205
- Explicit configuration for oauth/oidc provider endpoints.
Would be great to just use the wellknon endpoint (http://localhost:8080/auth
/realms/${realm}/.well-known/openid-configuration)
This would ease configuration quite significantly.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/resources/application.yml#L23
- Handling of access / refresh token for service calls (currently missing)
Currently spring security (tested with 5.0.4.RELEASE) does only extracts
the IDToken / AccessToken from the OidcUserRequest
but not the refresh token. This would be necessary to retrieve new
AccessTokens for prolonged service interactions.
Another topic is multi-tenancy support. For the example app mentioned above
I have a special branch called feature/multi-tenancy
that demonstrates a PoC of a hostname based approach for supporting
multiple realms / tenants.
Some of this is keycloak specific but I think this could be generalized to
a degree where the Keycloak specific parts could be reduced
to just a few lines of code / configuration.
- Configuration
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/feature/mulit-tenancy/src/main/resources/application.yml#L29
- Tenant selection
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/feature/mulit-tenancy/src
/main/java/demo/SpringBoot2App.java#L127
Cheers,
Thomas
Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc <sblanc(a)redhat.com
:
Hi Josh !
Thanks for pinging us about this ! We really appreciate your offer to
collaborate. I will try ASAP playing with the new Spring Sec and share my
findings with you.
Seb
Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings(a)gmail.com> a
écrit :
> Hi,
>
> I'm not sure if you already know, but the Spring Security Team is
> re-writing its support for OAuth2. We are planning on releasing initial
> Resource Server support in 5.1 this September.
>
> I'd love to collaborate with you guys, especially while you are in beta,
to
> see if what we are writing is complementary to your goals. Perhaps we can
> help remove some of your boilerplate, etc., say from your Spring Security
> adapter.
>
> https://github.com/jzheaux/spring-security-oauth2-resource-server
>
> This is sort of a sandbox repo for Spring Security's new Resource Server
> support.
>
> Would love your feedback. I'll be updating the repo with some integrated
> Keycloak samples in the next few days.
>
> Thanks,
> Josh
>
> --
> Josh Cummings
>
> Software Engineer | Teacher | Pi Fanatic |
> https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
> <http://blog.joshuacummings.com>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:04 p.m.
Thomas, Sebi -
Thanks for the feedback.
I took your sample, Thomas, and was able to get it to work with our new
resource server code (which is not yet integrated with
@EnableResourceServer), though I will still check and see what might be the
problem with the existing support. I've got a partially-working sample
here, if you'd like to take a look:
https://github.com/jzheaux/spring-security-oauth2-resource-server/blob/ma...
- Role extraction: Right now, you are already following the recommended
approach listed here in the documentation:
https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/...
It
sounds like you might be looking for something more targeted at extracting
authorities from an OidcUserRequest? I've just added a ticket with some of
my thoughts: https://github.com/spring-projects/spring-security/issues/5349
Since I think that the use case might be a little different on the resource
server side, I added a separate ticket for that:
https://github.com/jzheaux/spring-security-oauth2-resource-server/issues/37
(If it's not too confusing, you can add tickets specifically related to
Resource Server to that dedicated repo)
- Propagating logout to Keycloak: Thanks, added:
https://github.com/spring-projects/spring-security/issues/5350
- Explicit configuration and Handling of access: You can track progress on
these two here:
https://github.com/spring-projects/spring-security/issues/4413
https://github.com/spring-projects/spring-security/issues/4371
Regarding multi-tenancy, we don't have specific plans, though I did look
through your TenantAwareJwtDecoder and will continue thinking about this.
I've added a ticket to get the discussion started:
https://github.com/spring-projects/spring-security/issues/5351
Josh
On Fri, May 11, 2018 at 7:02 AM, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hi Josh, Hi Sebi,
having proper support for OAuth2 @EnableResourceServer in Spring Security
5 would be very useful.
It would also be great if an application could use SSO and Enable
ResourceServer at the same time.
I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get
it to work.
I build a demo application that uses SSO based on the OpenID Connect from
the latest
Spring Security 5 in a Spring Boot 2 app without the need for a Keycloak-adapter
library
with very little custom code for making the integration work.
Perhaps the example can help you to identify some gaps in the current
Spring Security OAuth2 / OIDC APIs.
The sources can be found here: https://github.com/thomasdarimont
/spring-boot-2-keycloak-oauth-example
Here are some things that I either had to add or that are currently not
possible without more infrastructure plumbing:
- Extracting and mapping of Keycloak roles to Spring Security roles.
Would be great to have a dedicated API for this - needed to do some
plumbing here.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/java/demo/SpringBoot2App.java#L155
- Propagating logout to Keycloak
Could use the standardized OIDC "end_session_endpoint" from the
.well-known/openid-configuration endpoint.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/java/demo/SpringBoot2App.java#L205
- Explicit configuration for oauth/oidc provider endpoints.
Would be great to just use the wellknon endpoint (http://localhost:8080/
auth/realms/${realm}/.well-known/openid-configuration)
This would ease configuration quite significantly.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/resources/application.yml#L23
- Handling of access / refresh token for service calls (currently missing)
Currently spring security (tested with 5.0.4.RELEASE) does only extracts
the IDToken / AccessToken from the OidcUserRequest
but not the refresh token. This would be necessary to retrieve new
AccessTokens for prolonged service interactions.
Another topic is multi-tenancy support. For the example app mentioned
above I have a special branch called feature/multi-tenancy
that demonstrates a PoC of a hostname based approach for supporting
multiple realms / tenants.
Some of this is keycloak specific but I think this could be generalized
to a degree where the Keycloak specific parts could be reduced
to just a few lines of code / configuration.
- Configuration
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/feature/mulit-tenancy/src/main/resources/application.yml#L29
- Tenant selection
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/feature/mulit-tenancy/src/main/java/demo/
SpringBoot2App.java#L127
Cheers,
Thomas
Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc <
sblanc(a)redhat.com>:
> Hi Josh !
>
> Thanks for pinging us about this ! We really appreciate your offer to
> collaborate. I will try ASAP playing with the new Spring Sec and share my
> findings with you.
>
> Seb
>
>
> Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings(a)gmail.com> a
> écrit :
>
> > Hi,
> >
> > I'm not sure if you already know, but the Spring Security Team is
> > re-writing its support for OAuth2. We are planning on releasing initial
> > Resource Server support in 5.1 this September.
> >
> > I'd love to collaborate with you guys, especially while you are in
> beta, to
> > see if what we are writing is complementary to your goals. Perhaps we
> can
> > help remove some of your boilerplate, etc., say from your Spring
> Security
> > adapter.
> >
> > https://github.com/jzheaux/spring-security-oauth2-resource-server
> >
> > This is sort of a sandbox repo for Spring Security's new Resource Server
> > support.
> >
> > Would love your feedback. I'll be updating the repo with some integrated
> > Keycloak samples in the next few days.
> >
> > Thanks,
> > Josh
> >
> > --
> > Josh Cummings
> >
> > Software Engineer | Teacher | Pi Fanatic |
> > https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
> > <http://blog.joshuacummings.com>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Josh Cummings
Software Engineer | Teacher | Pi Fanatic |
https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
<http://blog.joshuacummings.com> | @jzheaux <https://twitter.com/jzheaux>
10:55 a.m.
Josh, Thomas,
I'm finally back from traveling and conferences and I'm trying to catch up
a bit. Josh thanks for pointing to all the relevant tickets, I will track
them.
Thomas, does anything needs to happen on the KC Adapter side ? It's just to
open tickets on our side so we can track it.
Sebi
On Tue, May 15, 2018 at 6:04 PM, Josh Cummings <josh.cummings(a)gmail.com>
wrote:
Thomas, Sebi -
Thanks for the feedback.
I took your sample, Thomas, and was able to get it to work with our new
resource server code (which is not yet integrated with
@EnableResourceServer), though I will still check and see what might be the
problem with the existing support. I've got a partially-working sample
here, if you'd like to take a look: https://github.com/
jzheaux/spring-security-oauth2-resource-server/blob/
master/samples/boot/oauth2/resource-server/keycloak-with-client
- Role extraction: Right now, you are already following the recommended
approach listed here in the documentation: https://docs.
spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#
oauth2login-advanced-map-authorities-oauth2userservice It sounds like you
might be looking for something more targeted at extracting authorities from
an OidcUserRequest? I've just added a ticket with some of my thoughts:
https://github.com/spring-projects/spring-security/issues/5349
Since I think that the use case might be a little different on the
resource server side, I added a separate ticket for that:
https://github.com/jzheaux/spring-security-oauth2-
resource-server/issues/37
(If it's not too confusing, you can add tickets specifically related to
Resource Server to that dedicated repo)
- Propagating logout to Keycloak: Thanks, added: https://github.com/
spring-projects/spring-security/issues/5350
- Explicit configuration and Handling of access: You can track progress on
these two here:
https://github.com/spring-projects/spring-security/issues/4413
https://github.com/spring-projects/spring-security/issues/4371
Regarding multi-tenancy, we don't have specific plans, though I did look
through your TenantAwareJwtDecoder and will continue thinking about this.
I've added a ticket to get the discussion started: https://github.com/
spring-projects/spring-security/issues/5351
Josh
On Fri, May 11, 2018 at 7:02 AM, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hi Josh, Hi Sebi,
>
> having proper support for OAuth2 @EnableResourceServer in Spring
> Security 5 would be very useful.
> It would also be great if an application could use SSO and Enable
> ResourceServer at the same time.
>
> I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get
> it to work.
>
> I build a demo application that uses SSO based on the OpenID Connect
> from the latest
> Spring Security 5 in a Spring Boot 2 app without the need for a Keycloak-adapter
> library
> with very little custom code for making the integration work.
> Perhaps the example can help you to identify some gaps in the current
> Spring Security OAuth2 / OIDC APIs.
> The sources can be found here: https://github.com/thomasdarimont
> /spring-boot-2-keycloak-oauth-example
>
> Here are some things that I either had to add or that are currently not
> possible without more infrastructure plumbing:
>
> - Extracting and mapping of Keycloak roles to Spring Security roles.
> Would be great to have a dedicated API for this - needed to do some
> plumbing here.
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/master/src/main/java/demo/SpringBoot2App.java#L155
>
> - Propagating logout to Keycloak
> Could use the standardized OIDC "end_session_endpoint" from the
> .well-known/openid-configuration endpoint.
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/master/src/main/java/demo/SpringBoot2App.java#L205
>
> - Explicit configuration for oauth/oidc provider endpoints.
> Would be great to just use the wellknon endpoint (http://localhost:8080/
> auth/realms/${realm}/.well-known/openid-configuration)
> This would ease configuration quite significantly.
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/master/src/main/resources/application.yml#L23
>
> - Handling of access / refresh token for service calls (currently missing)
> Currently spring security (tested with 5.0.4.RELEASE) does only extracts
> the IDToken / AccessToken from the OidcUserRequest
> but not the refresh token. This would be necessary to retrieve new
> AccessTokens for prolonged service interactions.
>
> Another topic is multi-tenancy support. For the example app mentioned
> above I have a special branch called feature/multi-tenancy
> that demonstrates a PoC of a hostname based approach for supporting
> multiple realms / tenants.
> Some of this is keycloak specific but I think this could be generalized
> to a degree where the Keycloak specific parts could be reduced
> to just a few lines of code / configuration.
>
> - Configuration
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/feature/mulit-tenancy/src/main/resources/application.yml
> #L29
> - Tenant selection
> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
> -example/blob/feature/mulit-tenancy/src/main/java/demo/Spr
> ingBoot2App.java#L127
>
> Cheers,
> Thomas
>
> Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc <
> sblanc(a)redhat.com>:
>
>> Hi Josh !
>>
>> Thanks for pinging us about this ! We really appreciate your offer to
>> collaborate. I will try ASAP playing with the new Spring Sec and share my
>> findings with you.
>>
>> Seb
>>
>>
>> Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings(a)gmail.com> a
>> écrit :
>>
>> > Hi,
>> >
>> > I'm not sure if you already know, but the Spring Security Team is
>> > re-writing its support for OAuth2. We are planning on releasing initial
>> > Resource Server support in 5.1 this September.
>> >
>> > I'd love to collaborate with you guys, especially while you are in
>> beta, to
>> > see if what we are writing is complementary to your goals. Perhaps we
>> can
>> > help remove some of your boilerplate, etc., say from your Spring
>> Security
>> > adapter.
>> >
>> > https://github.com/jzheaux/spring-security-oauth2-resource-server
>> >
>> > This is sort of a sandbox repo for Spring Security's new Resource
>> Server
>> > support.
>> >
>> > Would love your feedback. I'll be updating the repo with some
>> integrated
>> > Keycloak samples in the next few days.
>> >
>> > Thanks,
>> > Josh
>> >
>> > --
>> > Josh Cummings
>> >
>> > Software Engineer | Teacher | Pi Fanatic |
>> > https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
>> > <http://blog.joshuacummings.com>
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
--
Josh Cummings
Software Engineer | Teacher | Pi Fanatic | https://www.linkedin.com/in/
jzheaux | http://tech.joshuacummings.com <http://blog.joshuacummings.com> |
@jzheaux <https://twitter.com/jzheaux>
2151
days inactive
2180
days old
4 comments
3 participants
participants (3)
-
Josh Cummings -
Sebastien Blanc -
Thomas Darimont