[keycloak-dev] Spring Security 5.1 - Resource Server support
Sebastien Blanc
sblanc at redhat.com
Wed Jun 6 04:55:24 EDT 2018
Josh, Thomas,
I'm finally back from traveling and conferences and I'm trying to catch up
a bit. Josh thanks for pointing to all the relevant tickets, I will track
them.
Thomas, does anything needs to happen on the KC Adapter side ? It's just to
open tickets on our side so we can track it.
Sebi
On Tue, May 15, 2018 at 6:04 PM, Josh Cummings <josh.cummings at gmail.com>
wrote:
> Thomas, Sebi -
>
> Thanks for the feedback.
>
> I took your sample, Thomas, and was able to get it to work with our new
> resource server code (which is not yet integrated with
> @EnableResourceServer), though I will still check and see what might be the
> problem with the existing support. I've got a partially-working sample
> here, if you'd like to take a look: https://github.com/
> jzheaux/spring-security-oauth2-resource-server/blob/
> master/samples/boot/oauth2/resource-server/keycloak-with-client
>
> - Role extraction: Right now, you are already following the recommended
> approach listed here in the documentation: https://docs.
> spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#
> oauth2login-advanced-map-authorities-oauth2userservice It sounds like you
> might be looking for something more targeted at extracting authorities from
> an OidcUserRequest? I've just added a ticket with some of my thoughts:
> https://github.com/spring-projects/spring-security/issues/5349
>
> Since I think that the use case might be a little different on the
> resource server side, I added a separate ticket for that:
> https://github.com/jzheaux/spring-security-oauth2-
> resource-server/issues/37
>
> (If it's not too confusing, you can add tickets specifically related to
> Resource Server to that dedicated repo)
>
> - Propagating logout to Keycloak: Thanks, added: https://github.com/
> spring-projects/spring-security/issues/5350
>
> - Explicit configuration and Handling of access: You can track progress on
> these two here:
> https://github.com/spring-projects/spring-security/issues/4413
> https://github.com/spring-projects/spring-security/issues/4371
>
> Regarding multi-tenancy, we don't have specific plans, though I did look
> through your TenantAwareJwtDecoder and will continue thinking about this.
> I've added a ticket to get the discussion started: https://github.com/
> spring-projects/spring-security/issues/5351
>
> Josh
>
> On Fri, May 11, 2018 at 7:02 AM, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hi Josh, Hi Sebi,
>>
>> having proper support for OAuth2 @EnableResourceServer in Spring
>> Security 5 would be very useful.
>> It would also be great if an application could use SSO and Enable
>> ResourceServer at the same time.
>>
>> I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get
>> it to work.
>>
>> I build a demo application that uses SSO based on the OpenID Connect
>> from the latest
>> Spring Security 5 in a Spring Boot 2 app without the need for a Keycloak-adapter
>> library
>> with very little custom code for making the integration work.
>> Perhaps the example can help you to identify some gaps in the current
>> Spring Security OAuth2 / OIDC APIs.
>> The sources can be found here: https://github.com/thomasdarimont
>> /spring-boot-2-keycloak-oauth-example
>>
>> Here are some things that I either had to add or that are currently not
>> possible without more infrastructure plumbing:
>>
>> - Extracting and mapping of Keycloak roles to Spring Security roles.
>> Would be great to have a dedicated API for this - needed to do some
>> plumbing here.
>> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
>> -example/blob/master/src/main/java/demo/SpringBoot2App.java#L155
>>
>> - Propagating logout to Keycloak
>> Could use the standardized OIDC "end_session_endpoint" from the
>> .well-known/openid-configuration endpoint.
>> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
>> -example/blob/master/src/main/java/demo/SpringBoot2App.java#L205
>>
>> - Explicit configuration for oauth/oidc provider endpoints.
>> Would be great to just use the wellknon endpoint (http://localhost:8080/
>> auth/realms/${realm}/.well-known/openid-configuration)
>> This would ease configuration quite significantly.
>> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
>> -example/blob/master/src/main/resources/application.yml#L23
>>
>> - Handling of access / refresh token for service calls (currently missing)
>> Currently spring security (tested with 5.0.4.RELEASE) does only extracts
>> the IDToken / AccessToken from the OidcUserRequest
>> but not the refresh token. This would be necessary to retrieve new
>> AccessTokens for prolonged service interactions.
>>
>> Another topic is multi-tenancy support. For the example app mentioned
>> above I have a special branch called feature/multi-tenancy
>> that demonstrates a PoC of a hostname based approach for supporting
>> multiple realms / tenants.
>> Some of this is keycloak specific but I think this could be generalized
>> to a degree where the Keycloak specific parts could be reduced
>> to just a few lines of code / configuration.
>>
>> - Configuration
>> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
>> -example/blob/feature/mulit-tenancy/src/main/resources/application.yml
>> #L29
>> - Tenant selection
>> See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
>> -example/blob/feature/mulit-tenancy/src/main/java/demo/Spr
>> ingBoot2App.java#L127
>>
>> Cheers,
>> Thomas
>>
>> Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc <
>> sblanc at redhat.com>:
>>
>>> Hi Josh !
>>>
>>> Thanks for pinging us about this ! We really appreciate your offer to
>>> collaborate. I will try ASAP playing with the new Spring Sec and share my
>>> findings with you.
>>>
>>> Seb
>>>
>>>
>>> Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings at gmail.com> a
>>> écrit :
>>>
>>> > Hi,
>>> >
>>> > I'm not sure if you already know, but the Spring Security Team is
>>> > re-writing its support for OAuth2. We are planning on releasing initial
>>> > Resource Server support in 5.1 this September.
>>> >
>>> > I'd love to collaborate with you guys, especially while you are in
>>> beta, to
>>> > see if what we are writing is complementary to your goals. Perhaps we
>>> can
>>> > help remove some of your boilerplate, etc., say from your Spring
>>> Security
>>> > adapter.
>>> >
>>> > https://github.com/jzheaux/spring-security-oauth2-resource-server
>>> >
>>> > This is sort of a sandbox repo for Spring Security's new Resource
>>> Server
>>> > support.
>>> >
>>> > Would love your feedback. I'll be updating the repo with some
>>> integrated
>>> > Keycloak samples in the next few days.
>>> >
>>> > Thanks,
>>> > Josh
>>> >
>>> > --
>>> > Josh Cummings
>>> >
>>> > Software Engineer | Teacher | Pi Fanatic |
>>> > https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
>>> > <http://blog.joshuacummings.com>
>>> > _______________________________________________
>>> > keycloak-dev mailing list
>>> > keycloak-dev at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> >
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
>
> --
> Josh Cummings
>
> Software Engineer | Teacher | Pi Fanatic | https://www.linkedin.com/in/
> jzheaux | http://tech.joshuacummings.com <http://blog.joshuacummings.com> |
> @jzheaux <https://twitter.com/jzheaux>
>
More information about the keycloak-dev
mailing list