I have read some articles about Keycloak Spring implementations (e.g. easily-secure-your-spring-boot-applications-with-keycloak), but none of them mention how to use it with JWT.
I have created a Zuul API gateway and added the Keycloak adapter as described in the previously linked article. That's OK, but I want to use JWT with Keycloak.
Elsewhere it is mentioned to set the client access type to bearer-only and the session strategy to NullAuthenticatedSessionStrategy. Is that enough, or is something else needed for JWT?
So my questions:
A Keycloak access token is a JWT. It is JSON, and each field in that JSON is called a claim. By default, the logged-in username is returned in a claim named "preferred_username" in the access token. Spring Security OAuth2 Resource Server expects the username in a claim named "user_name". So you need to create a mapper to map the logged-in username to a new claim named user_name.

In order to provide access to a client (micro-service), the respective role needs to be assigned/mapped to the user.

In your Spring Boot application you then need to configure the connection to the Keycloak server, providing the auth URL, token URL, scope, grant-type, client-id and client-secret.

After that, for your app to be able to parse the JWT token, you need to create a JwtAccessTokenCustomizer. This class should extend DefaultAccessTokenConverter and implement JwtAccessTokenConverterConfigurer. The main logic lies in the public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) method.

Then you need to configure the OAuth2 Resource Server to provide access for other micro-services. For that you define an OAuth2RestTemplate bean.

And in the end, secure your REST API via the standard configuration component.

So you can see that it is a large amount of work and couldn't be described with code; show some of your work, divide it into chunks, and ask interesting questions.
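The JwtAccessTokenCustomizer step from the answer above, written out as an added example; this is not code from the answer, the question, or any Keycloak or Spring project. It targets the legacy Spring Security OAuth2 resource server (spring-security-oauth2 2.x with the Spring Boot OAuth2 auto-configuration), where JwtAccessTokenConverterConfigurer lives in org.springframework.boot.autoconfigure.security.oauth2.resource. The claim names it reads are the ones a default Keycloak access token carries (preferred_username, azp, realm_access.roles, resource_access.<client>.roles); the user_name claim is the one the answer's mapper adds, and the example falls back to preferred_username when that mapper is absent. The package name, class name and the ROLE_ prefix convention are my own assumptions.

```java
// Added example, not code from the original answer. Assumes the legacy Spring
// Security OAuth2 resource server; the package name is a placeholder.
package com.example.gateway.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.boot.autoconfigure.security.oauth2.resource.JwtAccessTokenConverterConfigurer;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.stereotype.Component;

@Component
public class JwtAccessTokenCustomizer extends DefaultAccessTokenConverter
        implements JwtAccessTokenConverterConfigurer {

    // Spring Boot's resource-server auto-configuration calls this with the
    // JwtAccessTokenConverter it builds; we plug ourselves in as its claim mapper.
    @Override
    public void configure(JwtAccessTokenConverter converter) {
        converter.setAccessTokenConverter(this);
    }

    // Called for every verified JWT. The signature has already been checked by
    // the JwtAccessTokenConverter; here we only translate claims into Spring terms.
    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> tokenMap) {
        // super reads scope, aud and the "user_name" claim (via
        // DefaultUserAuthenticationConverter) and the "client_id" claim, which a
        // Keycloak token does not carry; Keycloak puts the client in "azp".
        OAuth2Authentication base = super.extractAuthentication(tokenMap);
        OAuth2Request request = base.getOAuth2Request();
        String clientId = request.getClientId() != null
                ? request.getClientId() : (String) tokenMap.get("azp");

        String username = extractUsername(tokenMap);
        List<GrantedAuthority> authorities = extractRoles(tokenMap);

        OAuth2Request enriched = new OAuth2Request(request.getRequestParameters(),
                clientId, authorities, true, request.getScope(),
                request.getResourceIds(), request.getRedirectUri(),
                request.getResponseTypes(), request.getExtensions());

        // Credentials are "N/A": the bearer token, not a password, proved identity.
        Authentication user = new UsernamePasswordAuthenticationToken(username, "N/A", authorities);
        return new OAuth2Authentication(enriched, user);
    }

    // Prefer the "user_name" claim added by the Keycloak mapper the answer
    // describes; fall back to Keycloak's default "preferred_username".
    private static String extractUsername(Map<String, ?> tokenMap) {
        Object name = tokenMap.get("user_name");
        if (name == null) {
            name = tokenMap.get("preferred_username");
        }
        if (name == null) {
            throw new IllegalArgumentException("token carries no username claim");
        }
        return name.toString();
    }

    // Collect realm roles (realm_access.roles) and client roles
    // (resource_access.<client>.roles). Roles are kept as issued and prefixed
    // with ROLE_ so that hasRole("admin") matches a Keycloak role "admin".
    @SuppressWarnings("unchecked")
    private static List<GrantedAuthority> extractRoles(Map<String, ?> tokenMap) {
        Set<String> roles = new HashSet<>();
        Object realm = tokenMap.get("realm_access");
        if (realm instanceof Map) {
            addRoles(roles, (Map<String, ?>) realm);
        }
        Object resources = tokenMap.get("resource_access");
        if (resources instanceof Map) {
            for (Object client : ((Map<String, ?>) resources).values()) {
                if (client instanceof Map) {
                    addRoles(roles, (Map<String, ?>) client);
                }
            }
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        return authorities;
    }

    private static void addRoles(Set<String> into, Map<String, ?> access) {
        Object roles = access.get("roles");
        if (roles instanceof Collection) {
            for (Object r : (Collection<?>) roles) {
                into.add(String.valueOf(r));
            }
        }
    }
}
```

For the converter to be used, the resource server still needs the Keycloak signing keys, e.g. security.oauth2.resource.jwk.key-set-uri pointing at the realm's certs endpoint (the realm name is an assumption): `https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/certs`. With that in place, Spring verifies the RS256 signature before extractAuthentication runs, and the authorities built here are what @PreAuthorize("hasRole('admin')") and the resource-server HttpSecurity rules evaluate. Collapsing client roles from every entry under resource_access into one set is deliberate for a gateway; a single micro-service would normally read only its own client's entry.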