Open haris-zynka opened 4 years ago
@haris-zynka If your application is an OAuth2 resource server then it will verify the token in the Authorization header.
However, it appears the application you are referring to is an OAuth2 client. The OAuth2 client application is redirecting to the Keycloak server in order to obtain a token, which it will then include in requests to the resource server. The client application does not verify the received token.
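The distinction drawn above (resource server verifies the bearer token; client redirects to obtain one) comes down to which filter chain features are enabled. The following Kotlin WebFlux configuration is an added example, not code from the issue or from the Spring Security project; it enables only `oauth2ResourceServer` so that a request without a valid bearer token is answered with 401 and `WWW-Authenticate: Bearer` rather than a redirect. The issuer URL, the JWK set path (Keycloak's `/protocol/openid-connect/certs`), and the expected audience `my-api` are assumptions; the audience check only passes if the Keycloak client has an audience mapper adding that value to `aud`.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator
import org.springframework.security.oauth2.core.OAuth2Error
import org.springframework.security.oauth2.core.OAuth2TokenValidator
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult
import org.springframework.security.oauth2.jwt.Jwt
import org.springframework.security.oauth2.jwt.JwtValidators
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder
import org.springframework.security.web.server.SecurityWebFilterChain

// Assumed values: replace with your realm's issuer and the audience your
// Keycloak client is configured to put into the token's "aud" claim.
private const val ISSUER = "https://keycloak.example.com/auth/realms/demo"
private const val EXPECTED_AUDIENCE = "my-api"

/** Rejects tokens that were issued for some other API (missing "aud" value). */
class AudienceValidator(private val audience: String) : OAuth2TokenValidator<Jwt> {
    override fun validate(token: Jwt): OAuth2TokenValidatorResult =
        if (token.audience.contains(audience)) {
            OAuth2TokenValidatorResult.success()
        } else {
            OAuth2TokenValidatorResult.failure(
                OAuth2Error("invalid_token", "The required audience is missing", null)
            )
        }
}

@Configuration
@EnableWebFluxSecurity
class ResourceServerConfig {

    @Bean
    fun jwtDecoder(): ReactiveJwtDecoder {
        // Signatures are verified locally against the realm's JWK set, so no
        // round trip to Keycloak is needed per request.
        val decoder = NimbusReactiveJwtDecoder
            .withJwkSetUri("$ISSUER/protocol/openid-connect/certs")
            .build()
        // Default validators check exp/nbf and that "iss" equals ISSUER;
        // the audience validator is layered on top.
        decoder.setJwtValidator(
            DelegatingOAuth2TokenValidator(
                JwtValidators.createDefaultWithIssuer(ISSUER),
                AudienceValidator(EXPECTED_AUDIENCE)
            )
        )
        return decoder
    }

    @Bean
    fun securityWebFilterChain(
        http: ServerHttpSecurity,
        jwtDecoder: ReactiveJwtDecoder
    ): SecurityWebFilterChain =
        http
            // Stateless API: no session cookie, so CSRF protection is not needed.
            .csrf { it.disable() }
            .authorizeExchange {
                it.pathMatchers("/actuator/health").permitAll()
                    .anyExchange().authenticated()
            }
            // Only the resource-server filter is enabled; oauth2Login/oauth2Client
            // are not, so an unauthenticated request gets 401 + WWW-Authenticate: Bearer
            // instead of a 302 to the Keycloak login page.
            .oauth2ResourceServer { it.jwt { jwt -> jwt.jwtDecoder(jwtDecoder) } }
            .build()
}
```

If the tokens are opaque rather than JWTs, the same chain can use `it.opaqueToken()` in place of `it.jwt { ... }` together with the Spring Boot properties `spring.security.oauth2.resourceserver.opaquetoken.introspection-uri`, `client-id` and `client-secret`; that is the introspection setup described later in this thread, and it likewise never redirects.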
There are 3 access types for OAuth2 applications in many SSO solutions:

- Public
- Confidential
- Bearer-only
Bearer-only should never redirect users, as the server will reject the call and does not allow generating new tokens for such client apps. Combining Bearer-only with an introspection token URI will work. Then again, if I have the client set up for verifying tokens and other stuff, why should I need to make my app a resource server? It has a client ID and secret and therefore should be able to do what any other app can (with the assumption that the user accepts it, or the client app is from the same provider that handles user profiles).
So my opinion was that it should be possible to put in, besides client ID and secret, also an access type of bearer-only, which will tell the framework not to do any redirection and to check for tokens in headers or other places.
Now, I did set up the introspection URI + client info so the API is a resource server, and it works for what I need. However, I think that later, to change things on behalf of the user, I will be required to act as a client and not a resource server. I'm mainly asking because I don't think that Spring will detect an already existing OAuth2 principal and use it with the app if I act with token introspection for authorisation.
Summary
I'm trying to connect Keycloak and Spring Boot with Webflux (Kotlin) and I'm trying to pass Keycloak token as Bearer in Authorization header. Spring Boot App is set as Bearer only client.
Actual Behavior
Redirects me to root URL of Keycloak server
Expected Behavior
It would be good if Spring Security could detect the Authorization header and try to verify it without redirection to the root URL.
Configuration
Before I only used
Version
5.2.1 Release
Sample