Greetings,
I am implementing a strategy to reuse our company's authentication /
authorization strategy with Keycloak. I've read the documentation and
started a use case based on the links below:
http://www.keycloak.org/docs/3.3/server_development/topics/providers.html...
http://www.keycloak.org/docs/3.0/server_development/topics/user-storage/s...
So far I have a class that implements UserStorageProviderFactory and
instantiates my own Provider (implementing UserStorageProvider,
UserLookupProvider and CredentialInputValidator). For the last one
I've overridden the method "isValid..", where I am validating
UserModel by calling our solution, using credentials captured in
Keycloak login screen, which works fine.
Now, at this same place I am also setting this user's roles (those
roles were never included in Keycloak Realm, I am pulling from my
provider), and the way I was able to push those into UserModel was
calling grantRole method of my UserModel, and providing a UserAdapter
for that (AbstractUserAdapter throws a ReadOnlyException). I am able
to include my roles by using getRoleMappingsInternal (I use my own
Set<RoleModel>), so that in my SpringBoot configuration I am able to
use the setting below:
.antMatchers("/monitoring/**").hasRole("MONITOR_PORTAL")
The issue starts only when my access token lifespan expires (I've tested
it with different settings). It does a call to Keycloak, retrieves the
authenticated User, redirects back to my app, but the role I included
right after I logged in is lost.
I couldn't find anywhere in the server how to adjust this behavior, or
at least some point to intercept the event of token refresh. So I have a
couple of questions here:
1) Am I on the right path? Maybe I am overcomplicating something that
should be simpler.
2) How is UserModel rebuilt after refreshing the token?
3) Is there another SPI interface indicated for my case?
Appreciate your attention, thanks in advance!
My SpringBoot settings follow:
application.yml
=============
keycloak:
  realm: SpringBootCA4
  auth-server-url: http://10.30.211.101:8081/auth
  ssl-required: external
  resource: dashboard
  credentials:
    secret: 2xxxxxxf
  autodetect-bearer-only: true
  confidential-port: 0
  principal-attribute: preferred_username
build.gradle
===========
compile("org.springframework.boot:spring-boot-starter-web")
testCompile("org.springframework.boot:spring-boot-starter-test")
compile group: 'javax.servlet', name: 'javax.servlet-api', version: '4.0.0'
compile group: 'org.json', name: 'json', version: '20171018'
compile group: 'org.apache.poi', name: 'poi-ooxml', version: '3.17'
compile group: 'commons-io', name: 'commons-io', version: '2.6'
compile group: 'mysql', name: 'mysql-connector-java', version: '6.0.6'
compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '1.5.10.RELEASE'
compile group: 'org.keycloak', name: 'keycloak-tomcat8-adapter', version: '3.4.3.Final'
compile group: 'org.keycloak', name: 'keycloak-spring-boot-adapter', version: '3.4.3.Final'
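A pattern that keeps the roles across a refresh, as an added example and not the poster's code: resolve the roles inside the adapter that the provider returns from both getUserByUsername and getUserById, because Keycloak looks the user up by id again when it refreshes a token and rebuilds the token from that user's role mappings, so roles granted only inside isValid() are not seen. ExternalDirectory is a hypothetical stand-in for the company's own authorization service, and the role names it returns must already exist as realm roles in Keycloak.

```java
import java.util.HashSet;
import java.util.Set;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.*;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

// Hypothetical client for the company directory (an assumption, not a Keycloak API).
interface ExternalDirectory {
    Set<String> roleNames(String username);   // e.g. {"MONITOR_PORTAL"}; null if the user is unknown
}

// Read-only adapter whose role mappings come from directory data every time it is built,
// instead of being granted once inside CredentialInputValidator.isValid().
class DirectoryUserAdapter extends AbstractUserAdapter {
    private final String username;
    private final Set<String> roleNames;
    DirectoryUserAdapter(KeycloakSession session, RealmModel realm, ComponentModel model,
                         String username, Set<String> roleNames) {
        super(session, realm, model); this.username = username; this.roleNames = roleNames;
    }
    @Override public String getUsername() { return username; }

    // getRoleMappings()/hasRole() delegate here, so every token Keycloak issues for the user
    // carries these roles, including the one built after a refresh re-loads the user by id.
    @Override protected Set<RoleModel> getRoleMappingsInternal() {
        Set<RoleModel> roles = new HashSet<>();
        for (String name : roleNames) {
            RoleModel role = realm.getRole(name);   // the role must be defined in the realm
            if (role != null) roles.add(role);
        }
        return roles;
    }
}

// Both lookups build the same adapter, so login and token refresh see identical users.
class DirectoryStorageProvider implements UserStorageProvider, UserLookupProvider {
    final KeycloakSession session; final ComponentModel model; final ExternalDirectory directory;
    DirectoryStorageProvider(KeycloakSession s, ComponentModel m, ExternalDirectory d) { session = s; model = m; directory = d; }
    @Override public void close() {}
    @Override public UserModel getUserByEmail(String email, RealmModel realm) { return null; }
    @Override public UserModel getUserByUsername(String username, RealmModel realm) {
        Set<String> roleNames = directory.roleNames(username);
        return roleNames == null ? null : new DirectoryUserAdapter(session, realm, model, username, roleNames);
    }
    // Refresh looks the user up by Keycloak id ("f:<component id>:<external id>"), not by name.
    @Override public UserModel getUserById(String id, RealmModel realm) {
        return getUserByUsername(new StorageId(id).getExternalId(), realm);
    }
}
```

The existing isValid() implementation then only checks the password and no longer touches roles; with the default user cache enabled, the roles are also part of the cached user because they are present from the first lookup.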