[keycloak-user] Public and Bearer-only role propagation

Stelios Kyprou stelios.kyprou at hellasdirect.gr
Mon Jul 8 05:01:30 EDT 2019


Hello guys,

I am trying to work with the following setup, with the goal of eventually
propagating Keycloak roles from the public client (front-end) to Spring
Security Roles of a bearer-only client (back-end):

Client Name        Client Type   Client Role   Full Scope Allowed
portals-frontend   public        TEST_ROLE     FALSE
portals-backend    bearer-only

VERSIONS:
*Spring Boot:*
org.keycloak:keycloak-spring-boot-2-starter:4.0.0.Final
org.springframework.boot:spring-boot-starter-security:2.1.4.RELEASE
*Angular:*
angular: 7
"keycloak-angular": "6.1.0"
*Keycloak Server:*
4.0.0.Final

My Angular app is using the *portals-frontend* client.
My Spring-Boot-2 app is using the *portals-backend* client.

When running this setup, the back-end verifies the token, but it does not
map the *portals-frontend* client roles into Spring Security's
*principal.details.roles*. The only two ways I managed to do this are:

   1. Set *Full Scope Allowed* to *true*. (I don't like this since we can't
   restrict the roles in each client token.)
   2. Use the same KC client in the back-end as the one used in the
   front-end app. (This means that new front-end apps that need different
   rights, and therefore a new client, will not be able to use the same
   back-end service.)

*QUESTION:*
Is there a 3rd way, where I keep my configuration as is, and manage to map
KC roles into Spring Security's *principal.details.roles* list in the
back-end and include the front-end client roles?

Thanks in advance!

P.S:
*Additional context:*
The Spring-Boot-2 configuration is:
keycloak:
  realm: internal-portals
  bearer-only: true
  auth-server-url: <VALID URL>
  ssl-required: external
  resource: portals-backend
  confidential-port: 0
  principal-attribute: preferred_username
  use-resource-role-mappings: true

With the following security config:

import org.keycloak.adapters.KeycloakConfigResolver
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver
import org.keycloak.adapters.springsecurity.KeycloakConfiguration
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.autoconfigure.security.SecurityProperties
import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

@KeycloakConfiguration
class SecurityConfig(private val securityProperties: SecurityProperties) :
    KeycloakWebSecurityConfigurerAdapter() {

    // Resolve the adapter configuration from the keycloak.* Spring Boot
    // properties shown above instead of a keycloak.json file.
    @Bean
    fun keycloakConfigResolver(): KeycloakConfigResolver {
        return KeycloakSpringBootConfigResolver()
    }

    // Register the Keycloak authentication provider. SimpleAuthorityMapper
    // turns each Keycloak role into a Spring authority prefixed with ROLE_.
    @Autowired
    @Throws(Exception::class)
    fun configureGlobal(auth: AuthenticationManagerBuilder) {
        val keycloakAuthenticationProvider = keycloakAuthenticationProvider()
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(SimpleAuthorityMapper())
        auth.authenticationProvider(keycloakAuthenticationProvider)
    }

    // Bearer-only back-end: no HTTP session is created for authenticated requests.
    @Bean
    override fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy {
        return NullAuthenticatedSessionStrategy()
    }
    ...
}
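The following is an added example, not code from the post above or from the Keycloak project. It models, on a constructed access-token payload, the rule the Keycloak adapter applies when the post's configuration sets `resource: portals-backend` and `use-resource-role-mappings: true`: the roles are taken from `resource_access["portals-backend"].roles`, which a token issued to `portals-frontend` does not carry, so the front-end client's `TEST_ROLE` never reaches the back-end principal. It also shows the check a back-end that accepts tokens from several front-ends should keep if it reads other clients' roles: take roles only from an explicit allow-list of trusted client ids rather than from every entry under `resource_access`. The client ids and role name come from the post; the issuer host, user name and realm roles in the payload are assumptions, and the signature verification that the adapter performs before any role is read is outside this example.

```python
"""Models how the Keycloak adapter selects roles from an access token.

Added example; the claim layout follows the access-token format, the client
ids and role name follow the post, everything else is constructed.
"""
from typing import Dict, Iterable, List, Set

# Constructed payload of an access token obtained through the public client
# portals-frontend (Full Scope Allowed = FALSE). Only that client's own client
# roles appear under resource_access; portals-backend has no entry at all.
FRONTEND_TOKEN_CLAIMS: Dict = {
    "iss": "https://keycloak.example/auth/realms/internal-portals",  # assumed host
    "azp": "portals-frontend",
    "preferred_username": "alice",  # assumed user
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},  # assumed
    "resource_access": {
        "portals-frontend": {"roles": ["TEST_ROLE"]},
    },
}


def adapter_roles(claims: Dict, resource: str, use_resource_role_mappings: bool) -> Set[str]:
    """Selection rule driven by the keycloak.resource and
    keycloak.use-resource-role-mappings properties in the post:
    true  -> resource_access[<resource>].roles
    false -> realm_access.roles
    """
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def roles_from_trusted_clients(claims: Dict, trusted_clients: Iterable[str]) -> Set[str]:
    """Collect client roles only from an explicit allow-list of client ids.

    Reading every entry under resource_access would let any client in the
    realm assert roles on the back-end's principal; the allow-list keeps the
    decision about which front-ends are trusted in the back-end's hands.
    """
    access = claims.get("resource_access", {})
    roles: Set[str] = set()
    for client_id in trusted_clients:
        roles.update(access.get(client_id, {}).get("roles", []))
    return roles


def to_spring_authorities(roles: Iterable[str]) -> List[str]:
    """Mirror SimpleAuthorityMapper defaults: add the ROLE_ prefix unless present."""
    prefixed = [r if r.startswith("ROLE_") else "ROLE_" + r for r in roles]
    return sorted(prefixed)


if __name__ == "__main__":
    # The post's configuration: resource=portals-backend, mappings enabled.
    print("adapter picks:", adapter_roles(FRONTEND_TOKEN_CLAIMS, "portals-backend", True))
    # Same token, roles taken from the trusted front-end client instead.
    trusted = roles_from_trusted_clients(FRONTEND_TOKEN_CLAIMS, ["portals-frontend"])
    print("trusted clients give:", to_spring_authorities(trusted))
```

Running the block prints an empty set for the post's configuration and `['ROLE_TEST_ROLE']` for the allow-list variant; the allow-list is the part to keep deliberate, since an empty or wildcard list would turn every client role in the realm into a back-end authority.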

