If I put the oauth server on a not routable ip in /etc/hosts, the spring boot application fails to start. Annoying is even if it has the proper ip but is behind a proxy it also does not start after it waited x seconds, because at this stage of the application only ip and routing seems to be checked. I do not even know why this needs to be checked at start, what business is it of the springboot app if something routes or not.
memoryClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception with message: Unable to resolve Configuration with the provided Issuer of
oauth2:
resourceserver:
jwt:
issuer-uri-bak: ${JWT_URI}
jwt-custom-uri: ${JWT_URI}
connect-timeout: 5000
read-timeout: 5000
client:
registration:
keycloak:
client-id: ${OIDC_CLIENTID}
client-secret: ${OIDC_CLIENTSECRET}
authorization-grant-type: authorization_code
scope: ${OIDC_SCOPE:openid}
provider: keycloak
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
provider:
keycloak:
issuer-uri: ${OIDC_ISSUERURI}
authorization-uri: ${OIDC_AUTHURI}
token-uri: ${OIDC_TOKENURI}
user-info-uri: ${OIDC_USERURI}
jwk-set-uri: ${OIDC_JWKCRTURI}
- When I disable the netfilter for direct access to oauth service. I see requests being logged on the proxy, so at least some of my proxy config works and the proxy works.
- When I disable direct access to the oauth service. tcpdump only shows a dns lookup. I do not see a request. For now I assume there is just some resolve or routing check.
- when I comment out issuer-uri: ${OIDC_ISSUERURI} my auth fails with "No event was found for the exception .springframework.security.oauth2.core.OAuth2AuthenticationException Redirecting to /error" even though all these custom urls are correctly setup. And I need to comment it out, because otherwise the app fails to start when the proxy is required.
If I put the oauth server on a not routable ip in /etc/hosts, the spring boot application fails to start. Annoying is even if it has the proper ip but is behind a proxy it also does not start after it waited x seconds, because at this stage of the application only ip and routing seems to be checked. I do not even know why this needs to be checked at start, what business is it of the springboot app if something routes or not.
memoryClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception with message: Unable to resolve Configuration with the provided Issuer of
oauth2:
resourceserver:
jwt:
issuer-uri-bak: ${JWT_URI}
jwt-custom-uri: ${JWT_URI}
connect-timeout: 5000
read-timeout: 5000
client:
registration:
keycloak:
client-id: ${OIDC_CLIENTID}
client-secret: ${OIDC_CLIENTSECRET}
authorization-grant-type: authorization_code
scope: ${OIDC_SCOPE:openid}
provider: keycloak
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
provider:
keycloak:
issuer-uri: ${OIDC_ISSUERURI}
authorization-uri: ${OIDC_AUTHURI}
token-uri: ${OIDC_TOKENURI}
user-info-uri: ${OIDC_USERURI}
jwk-set-uri: ${OIDC_JWKCRTURI}
- When I disable the netfilter for direct access to oauth service. I see requests being logged on the proxy, so at least some of my proxy config works and the proxy works.
- When I disable direct access to the oauth service. tcpdump only shows a dns lookup. I do not see a request. For now I assume there is just some resolve or routing check.
- when I comment out issuer-uri: ${OIDC_ISSUERURI} my auth fails with "No event was found for the exception .springframework.security.oauth2.core.OAuth2AuthenticationException Redirecting to /error" even though all these custom urls are correctly setup. And I need to comment it out, because otherwise the app fails to start when the proxy is required.
1 Answer
Reset to default 2what business is it of the springboot app if something routes or not
When configuring issuer-uri, you activate OIDC. This means that the OpenID "Relying Party" (your Spring app) fetches the OpenID configuration from the "OpenID Provider" (your authorization server). This configuration stands at ${issuer-uri}/.well-known/openid-configuration and provides the URI of other endpoints that RPs might need (where to get key sets to validate tokens, get tokens, authorize users, etc.). In the case of a Spring RP, the OpenID configuration is fetched at startup.
Also, according to OIDC spec, the issuer identifier (issuer-uri in Spring Boot conf) must be found as exact value in:
- the OpenID configuration
- tokens
issclaim - Spring Boot conf
So, when setting an issuer-uri, you'd better check:
- that the OP is reachable when RPs start (otherwise they can't fetch OpenID configuration)
- how to configure Keycloak to use it's public URI (through your reverse proxy) for the conf it exposes and the tokens it issues, and you should use that exact same URI in Spring Boot conf.
Otherwise, the JWT validator won't check the iss claim, and your system won't comply with OIDC requirements. You'll have to:
- leave
issuer-uriempty in Spring's conf - provide other properties (which ones depend on the RP being an OAuth2 client or resource server, so open Spring Security doc).
Edit
At 1st read I thought that you were typing about a reverse proxy in front of your the authorization server, not of an HTTP proxy filtering requests from the Spring apps to the authorization server. My bad.
Configuring HTTP proxy settings for all the clients internally used by Spring Security is rather complicated. The proxy properties are to set sometimes on RestTemplate instances, and somtimes on the HTTP clients used by a RestClient. And to ease things, some Spring Security objects do not expose the RestTemplate / RestClient they use, so we have to replace pretty high level objects...
In the case of the OpenID configuration at startup, things happen, if no ClientRegistrationRepository is provided by the application, in ClientRegistrations::fromIssuerLocation which builds its own RestTemplate when initializing an InMemoryClientRegistrationRepository. As it does not allow to override or configure this RestTemplate, you'll have to expose a ClientRegistrationRepository bean yourself (which is cumbersome), using a RestClient with a properly configured HTTP client to fetch the OpenID conf from the other side of the proxy. This starter I wrote can help for that (configure RestClient with properties, including HTTP proxy).
But you'll have other clients to override, starting with the one used to talk to the token endpoint. With my starter, this is how to override the client used for the client-credentials flow:
com:
c4-soft:
springaddons:
rest:
client:
token-client:
# expose the builder as a bean instead of an already built RestClient
# to replace the default message converters and set a default status handler
expose-builder: true
# if HTTP_PROXY and NO_PROXY environment varable are correctly set,
# the properties below might not be needed
http:
proxy:
connect-timeout-millis: 500
host: proxy2.corporate.pf
non-proxy-hosts-pattern: .+\.corporate\.pf
username: change-me
password: secret
@Configuration
public class SimplifiedConfiguration {
// the tokenClientBuilder is pre-configured with the proxy settings from above
@Bean
RestClient tokenClient(RestClient.Builder tokenClientBuilder) {
return tokenClientBuilder.messageConverters((messageConverters) -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
}).defaultStatusHandler(new OAuth2ErrorResponseErrorHandler()).build();
}
@Bean
OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient(
RestClient tokenClient) {
final var client = new RestClientClientCredentialsTokenResponseClient();
client.setRestClient(tokenClient);
return client;
}
}
If using oauth2Login, you'll have to do something similar to the 2nd bean for a minimum of authorization code and refresh token flows (the same tokenClient can be used). Good luck...
PS
spring.security.oauth2.resourceserver properties are not used by spring-boot-starter-oauth2-client and it is a mistake to configure a security filter chain with both oauth2Login and oauth2ResourceServer. The 1st is stateful (request authorization is session-based and relies on cookies), the 2nd is stateless (no session and request authorization is token-based).
If using OIDC (and you should) on a client with oauth2Login, this should be enough:
spring:
security:
oauth2:
client:
provider:
sso:
issuer-uri: ${issuer-uri}
registration:
login:
provider: sso
authorization-grant-type: authorization_code
client-id: ${client-id}
client-secret: ${client-secret}
scope:
- openid
OIDC on a resource server:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri:
issuer-uri: ${issuer-uri}
But to use realm_access.roles and resource_access.{client-id}.roles (which are the standard Keycloak claims for user roles), you'll have to configure a custom authorities converter.
You might read this articles I wrote for Baeldung to:
- get started with Keycloak & Spring
- secure SPAs with the OAuth2 BFF pattern (implementations for Angular, React, and Vue)
spring.security.oauth2.client.*configuration properties. If you set the provider issuer-uri property, then Spring Security eagerly contacts that server to discover the provider's endpoint URIs. – Chin Huang Commented 2 days ago