Josh, Thomas,
I'm finally back from traveling and conferences and I'm trying to catch up
a bit. Josh, thanks for pointing to all the relevant tickets, I will track
them.
Thomas, does anything need to happen on the KC Adapter side? It's just to
open tickets on our side so we can track it.
Sebi
On Tue, May 15, 2018 at 6:04 PM, Josh Cummings <josh.cummings(a)gmail.com> wrote:
Thomas, Sebi -
Thanks for the feedback.
I took your sample, Thomas, and was able to get it to work with our new
resource server code (which is not yet integrated with
@EnableResourceServer), though I will still check and see what might be the
problem with the existing support. I've got a partially-working sample
here, if you'd like to take a look:
https://github.com/jzheaux/spring-security-oauth2-resource-server/blob/master/samples/boot/oauth2/resource-server/keycloak-with-client
- Role extraction: Right now, you are already following the recommended
approach listed here in the documentation:
https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#oauth2login-advanced-map-authorities-oauth2userservice
It sounds like you
might be looking for something more targeted at extracting authorities from
an OidcUserRequest? I've just added a ticket with some of my thoughts:
https://github.com/spring-projects/spring-security/issues/5349
Since I think that the use case might be a little different on the
resource server side, I added a separate ticket for that:
https://github.com/jzheaux/spring-security-oauth2-resource-server/issues/37
(If it's not too confusing, you can add tickets specifically related to
Resource Server to that dedicated repo)
- Propagating logout to Keycloak: Thanks, added:
https://github.com/spring-projects/spring-security/issues/5350
- Explicit configuration and Handling of access: You can track progress on
these two here:
https://github.com/spring-projects/spring-security/issues/4413
https://github.com/spring-projects/spring-security/issues/4371
Regarding multi-tenancy, we don't have specific plans, though I did look
through your TenantAwareJwtDecoder and will continue thinking about this.
I've added a ticket to get the discussion started:
https://github.com/spring-projects/spring-security/issues/5351
Josh
On Fri, May 11, 2018 at 7:02 AM, Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
> Hi Josh, Hi Sebi,
>
> having proper support for OAuth2 @EnableResourceServer in Spring
> Security 5 would be very useful.
> It would also be great if an application could use SSO and
> @EnableResourceServer at the same time.
>
> I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get
> it to work.
>
> I built a demo application that uses SSO based on the OpenID Connect
> support from the latest Spring Security 5 in a Spring Boot 2 app without
> the need for a Keycloak adapter library, with very little custom code for
> making the integration work.
> Perhaps the example can help you to identify some gaps in the current
> Spring Security OAuth2 / OIDC APIs.
> The sources can be found here:
> https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth-example
>
> Here are some things that I either had to add or that are currently not
> possible without more infrastructure plumbing:
>
> - Extracting and mapping of Keycloak roles to Spring Security roles.
> Would be great to have a dedicated API for this - needed to do some
> plumbing here.
> See:
> https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth-example/blob/master/src/main/java/demo/SpringBoot2App.java#L155
>
> - Propagating logout to Keycloak
> Could use the standardized OIDC "end_session_endpoint" from the
> .well-known/openid-configuration endpoint.
> See:
> https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth-example/blob/master/src/main/java/demo/SpringBoot2App.java#L205
>
> - Explicit configuration for oauth/oidc provider endpoints.
> Would be great to just use the well-known endpoint
> (http://localhost:8080/auth/realms/${realm}/.well-known/openid-configuration)
> This would ease configuration quite significantly.
> See:
> https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth-example/blob/master/src/main/resources/application.yml#L23
>
> - Handling of access / refresh token for service calls (currently missing)
> Currently Spring Security (tested with 5.0.4.RELEASE) only extracts
> the IDToken / AccessToken from the OidcUserRequest
> but not the refresh token. This would be necessary to retrieve new
> AccessTokens for prolonged service interactions.
>
> Another topic is multi-tenancy support. For the example app mentioned
> above I have a special branch called feature/multi-tenancy
> that demonstrates a PoC of a hostname based approach for supporting
> multiple realms / tenants.
> Some of this is keycloak specific but I think this could be generalized
> to a degree where the Keycloak specific parts could be reduced
> to just a few lines of code / configuration.
>
> - Configuration
> See:
> https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth-example/blob/feature/mulit-tenancy/src/main/resources/application.yml#L29
> - Tenant selection
> See:
> https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth-example/blob/feature/mulit-tenancy/src/main/java/demo/SpringBoot2App.java#L127
>
> Cheers,
> Thomas
>
> On Tue, 8 May 2018 at 23:54, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>
>> Hi Josh !
>>
>> Thanks for pinging us about this ! We really appreciate your offer to
>> collaborate. I will try ASAP playing with the new Spring Sec and share my
>> findings with you.
>>
>> Seb
>>
>>
>> On Tue, 8 May 2018 at 13:28, Josh Cummings <josh.cummings(a)gmail.com> wrote:
>>
>> > Hi,
>> >
>> > I'm not sure if you already know, but the Spring Security Team is
>> > re-writing its support for OAuth2. We are planning on releasing initial
>> > Resource Server support in 5.1 this September.
>> >
>> > I'd love to collaborate with you guys, especially while you are in beta,
>> > to see if what we are writing is complementary to your goals. Perhaps we
>> > can help remove some of your boilerplate, etc., say from your Spring
>> > Security adapter.
>> >
>> >
>> > https://github.com/jzheaux/spring-security-oauth2-resource-server
>> >
>> > This is sort of a sandbox repo for Spring Security's new Resource Server
>> > support.
>> >
>> > Would love your feedback. I'll be updating the repo with some integrated
>> > Keycloak samples in the next few days.
>> >
>> > Thanks,
>> > Josh
>> >
>> > --
>> > Josh Cummings
>> >
>> > Software Engineer | Teacher | Pi Fanatic |
>> > https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com <http://blog.joshuacummings.com>
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >
>
>
--
Josh Cummings
Software Engineer | Teacher | Pi Fanatic |
https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com <http://blog.joshuacummings.com> | @jzheaux <https://twitter.com/jzheaux>
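The role-mapping gap Thomas lists above, as an added example that is not part of any message in this thread, of Thomas's sample project, or of Spring Security itself: a delegating OidcUserService for the Spring Security 5.0 OAuth2 client that turns Keycloak realm roles into ROLE_* authorities. It assumes the Keycloak realm-roles mapper is configured to add `realm_access.roles` to the ID token (by default Keycloak only puts it in the access token), and the class and method names are my own.

```java
// Added example (not from Thomas's sample or Spring Security): delegate to the stock
// OidcUserService, then map Keycloak realm roles from the validated ID token claims.
package demo;

import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

public class KeycloakRoleMappingOidcUserService
        implements OAuth2UserService<OidcUserRequest, OidcUser> {

    private final OidcUserService delegate = new OidcUserService();

    @Override
    public OidcUser loadUser(OidcUserRequest request) throws OAuth2AuthenticationException {
        // The delegate only returns after Spring Security has validated the ID token
        // (signature, issuer, audience, expiry), so the claims read below can be trusted.
        OidcUser user = delegate.loadUser(request);
        Set<GrantedAuthority> authorities = new LinkedHashSet<>(user.getAuthorities());
        for (String role : extractRealmRoles(user.getClaims())) {
            // ROLE_ prefix lets hasRole("admin") work and keeps these apart from SCOPE_* style authorities
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        // Three-arg constructor keeps "sub" as the name attribute (use the 4-arg form for a custom one)
        return new DefaultOidcUser(authorities, user.getIdToken(), user.getUserInfo());
    }

    // Tolerates a missing or malformed claim: in that case no extra roles are granted.
    static List<String> extractRealmRoles(Map<String, Object> claims) {
        Object realmAccess = claims.get("realm_access");
        Object roles = realmAccess instanceof Map ? ((Map<?, ?>) realmAccess).get("roles") : null;
        List<String> result = new ArrayList<>();
        if (roles instanceof Collection) {
            for (Object role : (Collection<?>) roles) {
                if (role instanceof String && !((String) role).isEmpty()) {
                    result.add((String) role);
                }
            }
        }
        return result;
    }
}
// Wire it in from WebSecurityConfigurerAdapter#configure(HttpSecurity):
// http.oauth2Login().userInfoEndpoint().oidcUserService(new KeycloakRoleMappingOidcUserService());
```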