- I have configured a
Spring Boot project with Spring Security and Keycloak
- I am getting the token from Keycloak server
- When I am calling an endpoint in the app I am getting 403 with the token
- Code as bellow:
@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfig {
@Bean
fun reactiveJwtDecoder() = NimbusReactiveJwtDecoder {
val claimsSet = it.jwtClaimsSet
println(Gson().toJson(claimsSet))
Mono.just(claimsSet)
}
@Bean
fun configure(
http: ServerHttpSecurity,
authenticationConverter: KeycloakReactiveJwtAuthenticationConverter
): SecurityWebFilterChain = http.apply {
headers().frameOptions().disable()
.and().csrf().disable()
.authorizeExchange()
.pathMatchers("/v/*").permitAll()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(authenticationConverter)
}.build()
@Bean
fun clientRegistration(): ReactiveClientRegistrationRepository =
InMemoryReactiveClientRegistrationRepository(
ClientRegistrations.fromOidcIssuerLocation("http://localhost:8080/auth/realms/demo")
.clientId("demo")
.clientSecret("2de854c0-57a7-42f1-8a07-01773301646f")
.build()
)
}
@Component
class KeycloakReactiveJwtAuthenticationConverter : Converter<Jwt, Mono<AbstractAuthenticationToken>> {
override fun convert(jwt: Jwt): Mono<AbstractAuthenticationToken>? {
return Mono.just(AuthenticationToken(jwt))
}
}
fun convert(jwt: Jwt): Collection<GrantedAuthority>? {
@Suppress("UNCHECKED_CAST")
val realmAccess = jwt.claims["realm_access"] as? Map<String, List<String>> ?: emptyMap()
val roles = realmAccess.getOrDefault("roles", listOf()).map { "ROLE_$it" }
return AuthorityUtils.createAuthorityList(*roles.toTypedArray())
}
data class AuthenticationToken(
val jwt: Jwt
) : AbstractAuthenticationToken(convert(jwt)) {
override fun getCredentials(): Any = ClientInfo(
clientId = jwt.getClaimAsString("client_id")
)
override fun getPrincipal(): Any = ClientInfo(
clientId = jwt.getClaimAsString("client_id")
)
}
data class ClientInfo(
val clientId: String
)
Json that being passed
{"claims":{"sub":"ba95843a-4ba8-4247-b2b9-4db993de7371","resource_access":{"demo":{"roles":["uma_protection"]},"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"clientId":"demo","email_verified":false,"clientHost":"127.0.0.1","iss":"http://localhost:8080/auth/realms/demo","typ":"Bearer","preferred_username":"service-account-demo","clientAddress":"127.0.0.1","client_id":"demo","aud":["account"],"acr":"1","realm_access":{"roles":["offline_access","uma_authorization","USER"]},"azp":"demo","scope":"profile email","exp":"Jan 27, 2021, 5:15:29 PM","iat":"Jan 27, 2021, 5:10:29 PM","jti":"51831211-7831-4bdd-9e31-d0ba2aa7f733"}}
2021-01-27 23:41:47.896 DEBUG 14484 --- [oundedElastic-1] o.s.w.s.s.DefaultWebSessionManager : Created new WebSession.
2021-01-27 23:41:47.899 DEBUG 14484 --- [oundedElastic-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
2021-01-27 23:41:47.900 DEBUG 14484 --- [oundedElastic-1] athPatternParserServerWebExchangeMatcher : Request 'GET /demo' doesn't match 'POST /logout'
2021-01-27 23:41:47.900 DEBUG 14484 --- [oundedElastic-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2021-01-27 23:41:47.901 DEBUG 14484 --- [oundedElastic-1] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/demo' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@6d47f864
2021-01-27 23:41:47.903 DEBUG 14484 --- [oundedElastic-1] o.s.s.w.s.a.AuthorizationWebFilter : Authorization failed: Access Denied
2021-01-27 23:41:47.911 DEBUG 14484 --- [oundedElastic-1] o.s.w.s.adapter.HttpWebHandlerAdapter : [53903720-1] Completed 403 FORBIDDEN
What is wrong here?
question from:
https://stackoverflow.com/questions/65918052/how-to-fix-403-when-using-keycloak-jwt-token-with-spring-security 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
