Keycloak authentication flow in a microservices based environment
I want to use Keycloak in a microservices-based environment, where authentication is based on REST calls to the OpenID endpoints ("/token", no redirection to the Keycloak login page). A flow I thought of would be something like this:

1. Front-end SPA retrieves the tokens from the "/token" endpoint and stores in browser's localStorage, then sends it with every request.

2. Gateway-level authentication: the Access Token is passed from the front end to the gateway; the gateway consults the Keycloak server to check if the token is still valid (not invalidated by a logout endpoint call).

3. Microservice-based authorization: the Access Token is passed from the gateway to the microservices; using the Spring Boot adapter, the microservices check the signature of the token offline (bearer-only client?) and then do the authorization based on the roles in the token.

My questions are: Does this flow make sense, or can you suggest another flow? What type of Keycloak clients should be used? What's an ideal way to pass tokens using the Spring Boot adapter, and should it be done like that in the first place? Please keep in mind that I am not a Keycloak expert; I've done my research but I still have doubts.

Worthless answered 10/2, 2020 at 15:20 Comment(1)
It is recommended to use authorization flow instead of implicit flow. I suggest that you read this: https://mcmap.net/q/1158835/-replacing-oauth2-implicit-grant-with-authorization-code-without-client-secret (Aromaticity)

Your front-end SPA should be a public client, the Spring Boot microservice should be a bearer-only client, and the gateway could be a confidential client.

You can check the Keycloak-provided OIDC adapters. For Spring Boot, you use the Keycloak-provided adapter.

A similar solution using an API gateway is discussed here.

Evilminded answered 12/2, 2020 at 6:47 Comment(4)
Exactly, this is what I thought of doing. I have some questions: 1. Why do I need a public client for the SPA, since I'm going to use the OIDC '/token' endpoint to retrieve the token (no redirection to a Keycloak login page, I'll make my own)? 2. I understand that the microservices are bearer-only, thus the token's signature is verified offline, but for the gateway, does it have to check that the token is not 'invalidated' by a logout by going to the KC server on each request? That's a lot. The post you shared does not really address my issue. (Worthless)
If you are not using a public client, how and where are you going to store the client secret in your SPA? The gateway can verify the signature on a JWT received from the SPA. (Evilminded)
I'm storing the confidential client's secret in a config file in the SPA. From your response, I assume that's bad practice. (Worthless)
Not recommended for applications which are accessible over the internet. (Evilminded)
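
The answer above puts the signature check in the gateway and the bearer-only microservices, and the comments ask whether that needs a call to Keycloak on every request; as an added example (not code from this thread or from Keycloak), here is that offline RS256 check in standard-library Python. It assumes a toy RSA key in place of the realm key that Keycloak publishes through its JWKS endpoint, plus a constructed issuer URL and `realm_access.roles` claim.

```python
import base64, hashlib, json, secrets, time
def _is_probable_prime(n, rounds=20):  # Miller-Rabin; demo key only, Keycloak keeps the real realm key
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def make_realm_key(bits=1024):  # toy RSA key {'n','e','d'}; Keycloak publishes only n and e via JWKS
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1             # full length and odd
            if _is_probable_prime(c): return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if (p - 1) * (q - 1) % 65537:                               # e = 65537 must be invertible mod phi
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, (p - 1) * (q - 1))}

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _emsa(data, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(data) for a k-byte modulus
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_token(key, claims):  # what the /token endpoint does: RS256-sign header.payload with the private key
    k = (key["n"].bit_length() + 7) // 8
    body = _b64u(b'{"alg":"RS256","typ":"JWT"}') + "." + _b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(_emsa(body.encode(), k), "big"), key["d"], key["n"])
    return body + "." + _b64u(sig.to_bytes(k, "big"))

def verify_token(token, pub, issuer, role, now=None):
    """Per-request offline check in a bearer-only service or the gateway: signature, alg, iss, exp,
    then a realm role. No call to Keycloak, so a token revoked by logout still passes until exp."""
    try:
        h, p, s = token.split(".")
        k = (pub["n"].bit_length() + 7) // 8
        sig = pow(int.from_bytes(_unb64u(s), "big"), pub["e"], pub["n"])
        if sig.to_bytes(k, "big") != _emsa((h + "." + p).encode(), k): return None
        if json.loads(_unb64u(h)).get("alg") != "RS256": return None   # reject alg=none / HS256 tokens
        claims = json.loads(_unb64u(p))
        if claims.get("iss") != issuer or claims.get("exp", 0) <= (now or time.time()): return None
        return claims if role in claims.get("realm_access", {}).get("roles", []) else None
    except (ValueError, KeyError, AttributeError):
        return None
```

A logout never reaches this check; only `exp` does, which is why the access token lifetime has to stay short when services verify offline.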

© 2022 - 2024 — McMap. All rights reserved.