
spring boot security use keycloak sessions

I'm new to security and I'm trying to understand how to implement proper security without any overkill.

Below are my questions.

  1. I don't want to allow 3rd party clients to use my API and hence I don't see any importance of OAuth 2.0. Hence I'm looking to use the sessions generated by Keycloak (or Ory Kratos) in my Spring Boot Security. Any guidance on how to do that?
  2. I have come across an application https://opstra.definedge.com/ whose security is implemented using Keycloak (can see the URL pattern). But in the requests, I can't see any JWT token in the Chrome DevTools Network tab while performing any network requests. I think they are implementing it the way I wanted. Any overview on how it is implemented?

What about controlling the origin of the requests on your resource-server (CORS configuration)? That is not specific to OAuth2 (yet compatible) and aims at just that: filtering which origins (host + port) can access which resource location (URL).

There is a notion of confidential client in Keycloak where the client must provide a password in addition to client-id to exchange authorization codes for access-tokens, but this does not apply to clients running on devices you cannot trust (Angular, Vue, React, native mobile apps, etc.): code can be reverse engineered to read that password.

OAuth2 comes with much more than just easing multi-client scenarios. You should read this article for a refresher on

  • OAuth2 (and its value)
  • resource-server security configuration (with CORS)
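The CORS setup the answer points to, written out as an added example (this is not the answerer's code nor any project's): a Spring Security 6 filter chain that logs users in through Keycloak on the server side with `oauth2Login` (the client secret stays on the server and the browser only receives a session cookie, which is why no JWT shows up in DevTools), and that restricts cross-origin access to `/api/**` to one explicit origin. The origin `https://app.example.com` and the `/api/**` path are assumptions; the Keycloak issuer, client-id and secret are expected in `application.yml` under `spring.security.oauth2.client`.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SessionAndCorsSecurityConfig {

    // Assumed front-end origin (host + port); replace with whatever actually serves your SPA.
    private static final List<String> TRUSTED_ORIGINS = List.of("https://app.example.com");

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Registers the CORS filter; it runs before authentication, so pre-flight
            // OPTIONS requests are answered without a session.
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Authorization-code login against Keycloak handled server-side:
            // the app is a confidential client, the browser gets a JSESSIONID cookie only.
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Weak setting would be config.addAllowedOrigin("*"): any site could call the API
        // from a browser. Listing origins explicitly is the whole point of the filter.
        config.setAllowedOrigins(TRUSTED_ORIGINS);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Content-Type", "X-Requested-With"));
        // Session cookies only travel cross-origin when credentials are allowed;
        // Spring refuses to combine this with a "*" origin.
        config.setAllowCredentials(true);
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Scope the policy to the API path; every other location stays same-origin only.
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```

With this in place, a request to `/api/...` from any origin other than the listed one is answered without the `Access-Control-Allow-Origin` header, so the browser blocks the response; the `allowCredentials` flag is what lets the session cookie accompany requests from the trusted origin.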
