Spring Keycloak authentication - serves both web application and web service
Question
Our stack includes the following services, each service runs in a docker container:
- Front-end in React
- Backend service based on Spring boot "resource-service"
- Keycloak
- Other backend service (consumer)
Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.
We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:
- Web application - React based front-end that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.
- Server 2 Server communication - A server that needs to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.
There are a few options to integrate Spring with Keycloak:
- Keycloak Spring Boot Adapter
- Keycloak Spring Security Adapter
- Spring Security and OAuth2
I noticed that there is an "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.
Answer 1
Score: 1
I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?
As for using the Spring Boot adapter, the only configuration necessary is the following:
    keycloak:
      bearer-only: true
      auth-server-url: your-url
      realm: your-realm
      resource: your-resource
And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us.
After that, you can either use the configuration for securing endpoints, but it's a bit more flexible to either use httpSecurity or @EnableGlobalMethodSecurity, which we're doing with e.g. @Secured({"ROLE_whatever_role"}).
If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.
Answer 2
Score: 0
I configure my resource-servers to always return 401 when the Authorization header is missing or invalid (and never 302), whatever the client.
The client handles authentication when it is required, token refreshing, etc.: some certified OpenID client libs even propose features to ensure the user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has the same features.
Keycloak adapters for Spring are now deprecated. You can refer to these tutorials for various resource-server security configuration options. They cover use cases from the most simple RBAC to building a DSL like: @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
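As an added example (not code from either answer or from Keycloak), this is how the question's two flows can be served by one Spring Boot service with plain Spring Security 6, without the deprecated Keycloak adapter: one filter chain answers 401 to API callers, the other redirects browsers to Keycloak. The request classification mimics what Keycloak's autodetect-bearer-only does (bearer header, X-Requested-With, or an Accept header without text/html); it assumes spring-boot-starter-oauth2-resource-server and spring-boot-starter-oauth2-client with the issuer and client registration set in application.yml (not shown), and the class and bean names are hypothetical.

```java
// Added example: two SecurityFilterChains on one Spring Boot resource-service.
// Assumes Spring Security 6 with the oauth2-resource-server and oauth2-client starters.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class DualModeSecurityConfig {   // hypothetical class name

    // Treat a request as a service/API call when it carries a bearer token, says it is an
    // XHR, or does not accept HTML (the signals Keycloak's autodetect-bearer-only keys on).
    static final RequestMatcher API_CLIENT = request -> {
        String auth = request.getHeader("Authorization");
        String accept = request.getHeader("Accept");
        return (auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7))
            || "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"))
            || (accept != null && !accept.contains("text/html"));
    };

    // Chain 1 (evaluated first): service-to-service callers validate a Keycloak JWT.
    // A missing or invalid token yields 401 with a WWW-Authenticate header, never a 302.
    @Bean @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher(API_CLIENT)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint()))
            .csrf(csrf -> csrf.disable())   // token clients send no session cookie, so no CSRF surface
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Chain 2 (everything else): browsers get the OIDC login redirect to Keycloak and are
    // sent back to the originally requested resource after authentication.
    @Bean @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check after wiring it up: `curl -i http://localhost:8080/api/resource` (no Accept: text/html) should return 401, while the same URL opened in a browser should answer 302 to the Keycloak login page.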
Comments