[keycloak-dev] Spring Security 5.1 - Resource Server support

Thomas Darimont thomas.darimont at googlemail.com
Fri May 11 09:02:24 EDT 2018 

Hi Josh, Hi Sebi,

having proper support for OAuth2 @EnableResourceServer in Spring Security 5
would be very useful.
It would also be great if an application could use SSO and Enable
ResourceServer at the same time.

I tried this with Spring Boot 2 and Spring Security 5 but I couldn't get it
to work.

I build a demo application that uses SSO based on the OpenID Connect from
the latest
Spring Security 5 in a Spring Boot 2 app without the need for a
Keycloak-adapter
library
with very little custom code for making the integration work.
Perhaps the example can help you to identify some gaps in the current
Spring Security OAuth2 / OIDC APIs.
The sources can be found here: https://github.com/thomasdarimont
/spring-boot-2-keycloak-oauth-example

Here are some things that I either had to add or that are currently not
possible without more infrastructure plumbing:

- Extracting and mapping of Keycloak roles to Spring Security roles.
Would be great to have a dedicated API for this - needed to do some
plumbing here.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/java/demo/SpringBoot2App.java#L155

- Propagating logout to Keycloak
Could use the standardized OIDC "end_session_endpoint" from the .well-known/
openid-configuration endpoint.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/java/demo/SpringBoot2App.java#L205

- Explicit configuration for oauth/oidc provider endpoints.
Would be great to just use the wellknon endpoint (http://localhost:8080/auth
/realms/${realm}/.well-known/openid-configuration)
This would ease configuration quite significantly.
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/master/src/main/resources/application.yml#L23

- Handling of access / refresh token for service calls (currently missing)
Currently spring security (tested with 5.0.4.RELEASE) does only extracts
the IDToken / AccessToken from the OidcUserRequest
but not the refresh token. This would be necessary to retrieve new
AccessTokens for prolonged service interactions.

Another topic is multi-tenancy support. For the example app mentioned above
I have a special branch called feature/multi-tenancy
that demonstrates a PoC of a hostname based approach for supporting
multiple realms / tenants.
Some of this is keycloak specific but I think this could be generalized to
a degree where the Keycloak specific parts could be reduced
to just a few lines of code / configuration.

- Configuration
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/feature/mulit-tenancy/src/main/resources/application.yml#L29
- Tenant selection
See: https://github.com/thomasdarimont/spring-boot-2-keycloak-oauth
-example/blob/feature/mulit-tenancy/src
/main/java/demo/SpringBoot2App.java#L127

Cheers,
Thomas

Am Di., 8. Mai 2018 um 23:54 Uhr schrieb Sebastien Blanc <sblanc at redhat.com
>:

> Hi Josh !
>
> Thanks for pinging us about this ! We really appreciate your offer to
> collaborate. I will try ASAP playing with the new Spring Sec and share my
> findings with you.
>
> Seb
>
>
> Le mar. 8 mai 2018 à 13:28, Josh Cummings <josh.cummings at gmail.com> a
> écrit :
>
> > Hi,
> >
> > I'm not sure if you already know, but the Spring Security Team is
> > re-writing its support for OAuth2. We are planning on releasing initial
> > Resource Server support in 5.1 this September.
> >
> > I'd love to collaborate with you guys, especially while you are in beta,
> to
> > see if what we are writing is complementary to your goals. Perhaps we can
> > help remove some of your boilerplate, etc., say from your Spring Security
> > adapter.
> >
> > https://github.com/jzheaux/spring-security-oauth2-resource-server
> >
> > This is sort of a sandbox repo for Spring Security's new Resource Server
> > support.
> >
> > Would love your feedback. I'll be updating the repo with some integrated
> > Keycloak samples in the next few days.
> >
> > Thanks,
> > Josh
> >
> > --
> > Josh Cummings
> >
> > Software Engineer | Teacher | Pi Fanatic |
> > https://www.linkedin.com/in/jzheaux | http://tech.joshuacummings.com
> > <http://blog.joshuacummings.com>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list