Securing Spring Boot service with keycloak - JWT token

spring-boot jwt keycloak bearer-token keycloak-services
nejckorasa picture nejckorasa · Aug 8, 2017 · Viewed 8.1k times · Source

So, I'm using keycloak to secure my services. Client app gets access token from keycloak server and uses it to secure access to Spring boot app. I've configured my Spring Boot application with keycloak properties using bearer-only access type:

keycloak.realm = master
keycloak.realmKey = ...
keycloak.auth-server-url = http://localhost:8080/auth
keycloak.ssl-required = external
keycloak.resource = boot-app
keycloak.bearer-only = true
keycloak.cors = true

Spring boot keycloak starter:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>

And configuring KeycloakWebSecurityConfigurerAdapter:

@Configuration
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter
{
  /**
   * Registers the KeycloakAuthenticationProvider with the authentication manager.
   */
  @Autowired
  public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception
  {
    final KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(keycloakAuthenticationProvider);
  }

  @Bean
  public KeycloakConfigResolver keycloakConfigResolver()
  {
    return new KeycloakSpringBootConfigResolver();
  }

  /**
   * Defines the session authentication strategy.
   */
  @Bean
  @Override
  protected SessionAuthenticationStrategy sessionAuthenticationStrategy()
  {
    return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
  }

  @Override
  protected void configure(final HttpSecurity http) throws Exception
  {
    super.configure(http);
    http
        .authorizeRequests()
        .antMatchers(
            "/v2/api-docs",
            "/configuration/ui",
            "/swagger-resources",
            "/configuration/security",
            "/swagger-ui.html",
            "/webjars/**",
            "/swagger-resources/configuration/ui",
            "/swagge‌​r-ui.html",
            "/swagger-resources/configuration/security").permitAll()
        .antMatchers("/*").hasRole("user")
        .anyRequest().authenticated();
  }
}

Now, everything works fine. My question is: Bearer token is JWT token, all you need to decode it (and verify access) is public key, which is 

keycloak.realmKey

Why would you need other settings, specificaly:

keycloak.auth-server-url

Isn't public key everything you need?

Thanks in advance

Answer

S&#233;bastien Blanc picture Sébastien Blanc · Aug 8, 2017

Indeed for a bearer-only you could wonder why the KC URL is needed but since a few KC versions the realmKey is not mandatory anymore since we are use key rotation. It means that your app will retrieve dynamically the public key from the KC server using the auth-server-url property.

Related questions

How to design a good JWT authentication filter

I am new to JWT. There isn't much information available in the web, since I came here as a last resort. I already developed a spring boot application using spring security using spring session. Now instead of spring session we …

Read More
Spring-boot JWT logout

I use this code https://github.com/gdongus/spring-boot-oauth-jwt-example and everything works perfect, but I don't know how to implement logout functionality. Can somebody give me advice? Thank you.

Read More
Should I explicitly send the Refresh Token to get a new Access Token - JWT

In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for access and refresh token have been set to 10 and 40 minutes respectively. (I should do some more research on …

Read More