Hi,
I work on a POC to use Keycloak to secure a set of microservices (Java-written
Spring Boot & Gradle projects).
I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master running on VM1,
slave1 on VM2, slave2 on VM2). On a 4th VM I have installed a shared (MySQL) db to replace
the embedded H2 db.
I have configured a Keycloak Domain Mode cluster using keycloak documentation "Server
Installation and Configuration Guide".
1. I have logged on to the master keycloak server and configured my new Realm that has my
microservice processes as clients. I have added roles, users, groups, etc. The realm
configuration of the master keycloak instance got replicated on the slave instances (I
can see the cluster running when logging on to the WildFly Management Interface).
2. I have added to all microservice java projects the keycloak securing code:
2.1 Created a keycloak.json file whose content was generated by the MASTER keycloak
server (Client's "Installation" utility)
2.2 Added to the project's Application class a system property, to target the
keycloak.json file generated by the MASTER keycloak instance:
System.setProperty("keycloak.configurationFile",
"classpath:keycloak.json");
2.3 Created a new class in the config package: public class SecurityConfig extends
KeycloakWebSecurityConfigurerAdapter
2.4 Added to the build.gradle file the keycloak spring security adapter compile dependency:
compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'
Note: I have compared the content of the JSON generated by the Client
"Installation" utility of the slave instances against the master instance's, and THE
ONLY DIFFERENCE is the "auth-server-url" line (having the specific node URL
address).
3. Now, I want to test accessing particular resources of my microservice
applications (additional info: I did not implement any load balancer in front of the
keycloak cluster):
I have created a simple java program that uses a Basic Authorization procedure to get an
access token, and then uses this token to send request messages to my microservice
application and get the expected response messages.
- When I use the MASTER instance's authorization endpoint to get an access token, I
get the expected response message (because, I presume, my microservice application's
attached keycloak.json file has HARDCODED content generated by the MASTER instance
& containing the MASTER's authorization endpoint).
- When I use either SLAVE keycloak instance's authorization & token generation
endpoint to generate an access token, my request fails with a 401 error: "Unable to
authenticate bearer token"
I believe, or feel, that I use a wrong approach to solve my problem. My microservice
applications (at this time) DO NOT KNOW anything about whether I use a domain mode cluster or
a simple standalone keycloak instance (the attached keycloak.json file has ONLY one keycloak
instance's (MASTER's) "auth-server-url" info).
Here, I need your help to enlighten me. Is there another approach to handle my problem? There
should be, otherwise why write about Domain Mode in the Keycloak Release documentation?
Unfortunately, I have not found (yet) detailed info on how to configure a Keycloak Domain
Cluster and how to do test simulations with it. I would appreciate any help on this issue.
Thanks,
Ioan
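The 401 described above is what the Keycloak adapter returns when a token's iss claim does not equal the realm URL it derives from keycloak.json, namely <auth-server-url>/realms/<realm>; a token minted by a node reachable under a different URL therefore fails that check even though the realm data is replicated. The following diagnostic is an added example, not code from the post or from Keycloak: it decodes a bearer token's payload without verifying it and compares the issuer with the adapter's expected value. The keycloak.json contents, hostnames and tokens are constructed placeholders.

```python
import base64
import json

# Constructed sample keycloak.json in the shape produced by the client
# "Installation" tab; hostnames and realm name are placeholders.
KEYCLOAK_JSON = json.dumps({
    "realm": "microservices",
    "auth-server-url": "http://vm1.example.invalid:8080/auth",
    "resource": "orders-service",
    "bearer-only": True,
})


def expected_issuer(keycloak_json: str) -> str:
    """Issuer the adapter accepts: <auth-server-url>/realms/<realm>."""
    cfg = json.loads(keycloak_json)
    return cfg["auth-server-url"].rstrip("/") + "/realms/" + cfg["realm"]


def jwt_payload(token: str) -> dict:
    """Decode the base64url payload segment of a JWT. Diagnostic only:
    no signature check is done here; the adapter still performs it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_matches(keycloak_json: str, token: str) -> bool:
    """True when the token's iss claim equals the adapter's realm URL."""
    return jwt_payload(token).get("iss") == expected_issuer(keycloak_json)


def sample_token(issuer: str) -> str:
    """Constructed sample JWT carrying only an iss claim, signature segment
    left empty; it exists solely to exercise the issuer comparison."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps({"iss": issuer}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Tokens from the configured node pass; tokens from other nodes do not.
    for node in ("vm1", "vm2", "vm3"):
        tok = sample_token(f"http://{node}.example.invalid:8080/auth/realms/microservices")
        verdict = "accepted" if issuer_matches(KEYCLOAK_JSON, tok) else "rejected: issuer mismatch"
        print(node, verdict)
```

The usual remedy is to expose the whole cluster through one front-facing URL (a load balancer or proxy) and to use that same URL both in auth-server-url and when requesting tokens, so every node issues tokens with the same iss value.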