Hello guys,
I am trying to work with the following setup, with the goal of eventually
propagating Keycloak roles from the public client (front-end) to Spring
Security Roles of a bearer-only client (back-end):
Client Name         Client Type    Client Role    Full Scope Allowed
portals-frontend    public         TEST_ROLE      FALSE
portals-backend     bearer-only
VERSIONS:
*Spring Boot:*
org.keycloak:keycloak-spring-boot-2-starter:4.0.0.Final
org.springframework.boot:spring-boot-starter-security:2.1.4.RELEASE
*Angular:*
angular: 7
"keycloak-angular": "6.1.0"
*Keycloak Server:*
4.0.0.Final
My Angular app is using the *portals-frontend* client.
My Spring-Boot-2 app is using the *portals-backend* client.
When running this setup, the back-end verifies the token, but it does not
map the *portals-frontend* client roles into the Spring Security
*principal.details.roles*. The only two ways I managed to do this are:
1. Set *Full Scope Allowed* to *true*. (I don't like this since we can't
restrict the roles in each client token.)
2. Use the same KC client in the back-end as the one used in the
front-end app. (This means that new front-end apps that will need different
rights, therefore a new client, will not be able to use the same back-end
service)
*QUESTION:*
Is there a 3rd way, where I keep my configuration as is, and manage to map
KC roles into Spring Security's *principal.details.roles* list in the
back-end and include the front-end client roles?
Thanks in advance!
P.S.:
*Additional context:*
The Spring-Boot-2 configuration is:
keycloak:
  realm: internal-portals
  bearer-only: true
  auth-server-url: <VALID URL>
  ssl-required: external
  resource: portals-backend
  confidential-port: 0
  principal-attribute: preferred_username
  use-resource-role-mappings: true
With the following security config:
import org.keycloak.adapters.KeycloakConfigResolver
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver
import org.keycloak.adapters.springsecurity.KeycloakConfiguration
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.autoconfigure.security.SecurityProperties
import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

@KeycloakConfiguration
class SecurityConfig(private val securityProperties: SecurityProperties) :
    KeycloakWebSecurityConfigurerAdapter() {

    // Read the keycloak.* block from application.yml instead of keycloak.json
    @Bean
    fun keycloakConfigResolver(): KeycloakConfigResolver {
        return KeycloakSpringBootConfigResolver()
    }

    // Register the Keycloak provider; SimpleAuthorityMapper adds the ROLE_ prefix
    @Autowired
    @Throws(Exception::class)
    fun configureGlobal(auth: AuthenticationManagerBuilder) {
        val keycloakAuthenticationProvider = keycloakAuthenticationProvider()
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(SimpleAuthorityMapper())
        auth.authenticationProvider(keycloakAuthenticationProvider)
    }

    // Bearer-only back-end: no HTTP session is kept for the caller
    @Bean
    override fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy {
        return NullAuthenticatedSessionStrategy()
    }
    ...
}
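One way to surface the front-end client's roles in the back-end's authorities without touching the client setup, as an added example that is not part of the original post: a KeycloakAuthenticationProvider subclass that builds the authorities from the realm roles plus the resource_access entry of each trusted client id, instead of only the back-end's own resource entry. The class name and the trustedClients set (portals-frontend and portals-backend) are assumptions; the provider can only read roles Keycloak actually placed in the signature-checked token, so Full Scope Allowed still decides what a client's token may carry.

```kotlin
// Added example, not code from the original post. Assumed names:
// ClientScopedRolesAuthenticationProvider, trustedClients.
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken
import org.keycloak.representations.AccessToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

class ClientScopedRolesAuthenticationProvider(
    // Clients whose client roles this back-end is willing to honour. Any other
    // resource_access entry in the token is ignored on purpose, so a stray client
    // cannot hand this service roles it never agreed to trust.
    private val trustedClients: Set<String> = setOf("portals-frontend", "portals-backend")
) : KeycloakAuthenticationProvider() {

    // Same mapper the original config uses: adds the ROLE_ prefix (and upper-cases here)
    private val mapper = SimpleAuthorityMapper().apply { setConvertToUpperCase(true) }

    override fun authenticate(authentication: Authentication): Authentication {
        // The adapter has already verified the bearer token's signature and issuer
        // before this provider runs; only role mapping is changed here.
        val token = authentication as KeycloakAuthenticationToken
        val accessToken: AccessToken = token.account.keycloakSecurityContext.token
        return KeycloakAuthenticationToken(
            token.account,
            token.isInteractive,
            mapper.mapAuthorities(rolesOf(accessToken))
        )
    }

    // Realm roles plus the client roles of every trusted client present in the token.
    // Nothing here can add a role that Keycloak did not put into the token.
    internal fun rolesOf(accessToken: AccessToken): List<GrantedAuthority> {
        val realmRoles = accessToken.realmAccess?.roles.orEmpty()
        val clientRoles = trustedClients.flatMap { client ->
            accessToken.getResourceAccess(client)?.roles.orEmpty()
        }
        return (realmRoles + clientRoles).distinct().map { SimpleGrantedAuthority(it) }
    }
}
```

To use it, register `ClientScopedRolesAuthenticationProvider()` in `configureGlobal` in place of `keycloakAuthenticationProvider()`; with use-resource-role-mappings alone the adapter only consults the resource_access entry named by `resource`, which is why portals-frontend's TEST_ROLE never reaches `principal.details.roles` in the setup above.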