spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Autoconfig bearer only clients OIDC #8008

Open haris-zynka opened 4 years ago

haris-zynka commented 4 years ago

Summary

I'm trying to connect Keycloak and Spring Boot with WebFlux (Kotlin), and I'm trying to pass the Keycloak token as a Bearer token in the Authorization header. The Spring Boot app is set up as a bearer-only client.

Actual Behavior

Redirects me to the root URL of the Keycloak server

Expected Behavior

It would be good if Spring Security could detect the Authorization header and try to verify it without redirecting to the root URL

Configuration

Before I only used

  security:
    oauth2:
      client:
        registration:
          x-users:
            client-id: xxx
            client-secret: xxx
        provider:
          x-users:
            authorization-uri: https://xxx/auth/
            token-uri: https://xxx/auth/realms/test/protocol/openid-connect/token
            user-info-uri: https://xxx/auth/realms/test/protocol/openid-connect/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://xxx/auth/realms/test/protocol/openid-connect/certs
            issuer-uri: https://xxx/auth/realms/test

Version

5.2.1 Release

Sample

eleftherias commented 4 years ago

@haris-zynka If your application is an OAuth2 resource server then it will verify the token in the Authorization header.

However, it appears the application you are referring to is an OAuth2 client. The OAuth2 client application is redirecting to the Keycloak server in order to obtain a token, which it will then include in requests to the resource server. The client application does not verify the received token.
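For contrast with the client-registration setup in the report, the following shows the resource-server arrangement described above: the application validates the Bearer JWT from the Authorization header and answers 401 instead of redirecting to Keycloak. This is an added example, not code from the issue or from the Spring Security project. It uses the ServerHttpSecurity builder API available in Spring Security 5.2; the package name, the `/api/users/**` path and the `SCOPE_profile` authority are assumptions, and the issuer URI in the comment is the one from the reporter's configuration (`xxx` is their placeholder).

```kotlin
// Added example (not from the issue or the Spring Security project): a WebFlux
// resource-server configuration in Kotlin that validates the Bearer JWT in the
// Authorization header instead of redirecting to Keycloak.
//
// Assumes Spring Boot with spring-boot-starter-oauth2-resource-server on the
// classpath and these properties (URIs taken from the issue, "xxx" is the
// reporter's placeholder):
//
//   spring:
//     security:
//       oauth2:
//         resourceserver:
//           jwt:
//             issuer-uri: https://xxx/auth/realms/test
//             # or, to skip OIDC discovery at startup:
//             # jwk-set-uri: https://xxx/auth/realms/test/protocol/openid-connect/certs
//
// Boot builds a ReactiveJwtDecoder from these; no client-id/secret and no
// redirect-based login are configured, so there is nothing to redirect to.
package com.example.security // hypothetical package name

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain

@Configuration
@EnableWebFluxSecurity
class ResourceServerConfig {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain =
        http
            // Token-authenticated API with no session cookie, so there is no
            // CSRF surface to protect and the filter can be disabled.
            .csrf().disable()
            .authorizeExchange()
                .pathMatchers("/actuator/health").permitAll()
                // Scopes in the JWT "scope" claim are exposed as SCOPE_<scope>
                // authorities by default; path and scope name are examples.
                .pathMatchers("/api/users/**").hasAuthority("SCOPE_profile")
                .anyExchange().authenticated()
                .and()
            // Verify the signature against the issuer's JWK set, check exp/nbf
            // and the iss claim. An unauthenticated request gets 401 with a
            // WWW-Authenticate: Bearer header rather than a 302 to Keycloak.
            // For opaque tokens, replace jwt() with opaqueToken() and set the
            // spring.security.oauth2.resourceserver.opaquetoken.* properties.
            .oauth2ResourceServer()
                .jwt()
                .and()
            .and()
            .build()
}
```

With this in place a request carrying `Authorization: Bearer <jwt>` is accepted or rejected on the token alone; the client registration and provider block from the report are not needed unless the same application also has to obtain tokens on a user's behalf.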

haris-zynka commented 4 years ago

There are 3 access types for OAuth2 applications in many SSO solutions:
- Public
- Confidential
- Bearer-only

Bearer-only should never redirect users, as the server will reject the call and does not allow generating new tokens for such client apps. Combining Bearer-only with an introspection token URI will work. Then again, if I have the client set up for verifying tokens and other stuff, why should I need to make my app a resource server? It has a client ID and secret and therefore should be able to do what any other app can (with the assumption that the user accepts it or the client app is from the same provider that handles user profiles).

So my opinion was that it should be possible to put in, besides client ID and secret, also an access type of bearer-only, which will tell the framework not to do any redirection and to check for tokens in headers or other places.

Now, I did set up the introspection URI + client info so the API is a resource server, and it works for what I need. However, I think that later, to change things on behalf of a user, I will be required to act as a client and not a resource server. I'm mainly asking because I don't think that Spring will detect an already existing OAuth2 principal and use it with the app if I use token introspection for authorisation.