Update: disabling client auth and authorization will not show the 401 message anymore but secured endpoints will return 403.

I'm trying to integrate keycloak core-version: 20.0.2 running from a docker container. I've started out following https://www.baeldung.com/spring-boot-keycloak but after multiple suggestions from different threads I cannot get the integration to work.

application properties:

keycloak.auth-server-url=localhost:1337
keycloak.realm=SARServices
keycloak.resource=sar-login
keycloak.public-client=false
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=NvkAdEPqbN39ubjqtrjn7dKElgLlUNLj

spring.security.oauth2.client.registration.keycloak.client-id=sar-login
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.scope=openid
spring.security.oauth2.client.provider.keycloak.issuer-uri=https://localhost:1337/realms/SARServices
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username

WebConfig:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true)
class SecurityConfig(
    private val keycloakLogoutHandler: KeycloakLogoutHandler
) {

    @Bean
    fun keycloakConfigResolver(): KeycloakConfigResolver? {
        return KeycloakSpringBootConfigResolver()
    }


    @Bean
    protected fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy {
        return RegisterSessionAuthenticationStrategy(SessionRegistryImpl())
    }

    @Bean
    @Throws(Exception::class)
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/user/*")
            .hasRole("adventurer")
            .anyRequest()
            .permitAll()
        http.oauth2Login()
            .and()
            .logout()
            .addLogoutHandler(keycloakLogoutHandler)
            .logoutSuccessUrl("/")
        return http.build()
    }
}

keycloak server log:

2023-01-07 18:46:55 2023-01-07 17:46:55,045 WARN  [org.keycloak.events] (executor-thread-65) type=CODE_TO_TOKEN_ERROR, realmId=7eec0241-e69f-4d5c-8b7f-7a96926e8315, clientId=sar-login, userId=null, ipAddress=172.18.0.1, error=invalid_client_credentials, grant_type=authorization_code

docker compose:

version: '1'
services:
  postgresql:
    image: docker.io/bitnami/postgresql:latest
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
      - POSTGRESQL_USERNAME=bn_keycloak
      - POSTGRESQL_DATABASE=bitnami_keycloak
    volumes:
      - 'postgresql_data:/bitnami/postgresql'
      - './certs:/etc/codelance/cert'

  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command: start --hostname-port=1337
    ports:
      - "1337:8443"
    environment:
      - KC_HOSTNAME=localhost
      - KC_HTTPS_CERTIFICATE_FILE=/etc/codelance/cert/keycloakcert.pem
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/codelance/cert/keycloak.pem
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=password
    depends_on:
      - postgresql
    volumes:
      - './certs:/etc/codelance/cert'
volumes:
  postgresql_data:
    driver: local

Web response login after signing in: [screenshot not included in the page]

client config: [two screenshots not included in the page]

Viktor Baert
  • Make keycloak.public-client=False instead of keycloak.public-client=True – dreamcrash Jan 07 '23 at 18:09
  • assigned to false, the 401 error persists – Viktor Baert Jan 07 '23 at 18:14
  • Change keycloak.auth-server-url=https://localhost:1337 and if that does not work use host.docker.internal instead of localhost in the keycloak.auth-server-url and spring.security.oauth2.client.provider.keycloak.issuer-uri – dreamcrash Jan 07 '23 at 18:30
  • Neither works, note that only Keycloak is running in a docker container. I do see error events in the container (see original question). – Viktor Baert Jan 07 '23 at 18:45
  • Did you try first to deploy in KC on the host machine and then if it works move to the container? btw when you run the container did you publish the ports -p ? – dreamcrash Jan 07 '23 at 18:52
  • About the ports I believe so: see added docker compose to thread question above. I've never run Keycloak natively on my machine, always in a container. – Viktor Baert Jan 07 '23 at 19:06
  • @dreamcrash can confirm same issue happens with standalone version – Viktor Baert Jan 07 '23 at 20:55
  • Did you manage to solve this one? – dreamcrash Jan 10 '23 at 06:30
  • @dreamcrash Yes and no, I followed along with ch4mp's answer and it was clear that I was mixing concepts. I'm now using a resource-server in the correct way. – Viktor Baert Jan 12 '23 at 14:07

1 Answer

First, Keycloak adapters for Spring are deprecated. Don't use them.

Are you sure you want a client and not a resource-server? In other words, are your controller methods returning template names or JSON payloads?

My answer to this other question contains the solution for both client and resource-server: Use Keycloak Spring Adapter with Spring Boot 3

ch4mp
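The resource-server setup the answer points to, written out as an added example (this is not code from the question, the answer, or the linked post). It keeps the `/user/*` path and the `adventurer` role from the question and drops the Keycloak adapter entirely. It assumes Spring Boot 3 with Spring Security 6.1 or later, and that the `keycloak.*` and `spring.security.oauth2.client.*` properties are replaced by a single `spring.security.oauth2.resourceserver.jwt.issuer-uri` pointing at the realm. The `CODE_TO_TOKEN_ERROR` / `invalid_client_credentials` event in the Keycloak log belongs to the authorization-code exchange a confidential client performs; a resource server never performs that exchange, it only validates bearer tokens, so no client secret is configured on this side at all.

```kotlin
// Added example (not the question's or answer's code): a Spring Security 6.1+
// resource-server configuration for the "/user/*" endpoints of the question.
// Assumed replacement for the keycloak.* and oauth2.client.* properties:
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://localhost:1337/realms/SARServices
// No client secret is needed: incoming JWTs are verified against the realm's
// published signing keys, which Spring fetches from the issuer's metadata.
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.convert.converter.Converter
import org.springframework.security.authentication.AbstractAuthenticationToken
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.jwt.Jwt
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(jsr250Enabled = true)
class ResourceServerSecurityConfig {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http
            // Bearer-token APIs carry no session cookie, so CSRF protection and
            // server-side sessions add nothing here; keep the server stateless.
            .csrf { it.disable() }
            .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            .authorizeHttpRequests { auth ->
                auth
                    .requestMatchers("/user/**").hasRole("adventurer")
                    .anyRequest().permitAll()
            }
            // Validate the JWT (signature, issuer, expiry) and map Keycloak
            // realm roles onto Spring authorities.
            .oauth2ResourceServer { rs ->
                rs.jwt { jwt -> jwt.jwtAuthenticationConverter(keycloakJwtConverter()) }
            }
        return http.build()
    }

    /**
     * Keycloak places realm roles in the "realm_access.roles" claim of the
     * access token. hasRole("adventurer") checks for the authority
     * "ROLE_adventurer", so each role is prefixed with ROLE_. Without this
     * converter Spring only reads the "scope" claim (as SCOPE_xxx) and every
     * call to /user/** ends in 403 even with a valid token.
     */
    private fun keycloakJwtConverter(): Converter<Jwt, AbstractAuthenticationToken> {
        val converter = JwtAuthenticationConverter()
        converter.setJwtGrantedAuthoritiesConverter { jwt ->
            val realmAccess = jwt.getClaimAsMap("realm_access") ?: emptyMap<String, Any>()
            val roles = realmAccess["roles"] as? Collection<*> ?: emptyList<Any>()
            roles.map<Any?, GrantedAuthority> { role -> SimpleGrantedAuthority("ROLE_$role") }
        }
        // Expose preferred_username as the principal name, as the question intended.
        converter.setPrincipalClaimName("preferred_username")
        return converter
    }
}
```

Two checks worth doing before blaming the configuration: the issuer URI must match the `iss` claim Keycloak writes into its tokens byte for byte (scheme, host and port included), and the JVM running the Spring application must trust the certificate served on `localhost:1337`, otherwise fetching the realm's signing keys fails at startup or on the first request rather than producing an authorization error.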