Reputation: 751
How does the authorization rules are validated by keycloak authorization server using spring rest adapter
I have set up the keycloak server and created the spring rest application with keycloak rest adapters. The Authorizations rules are working fine.
I would like to know about the internal working of the keycloak spring boot rest adapter. How the logged in user's token is validated against policy and permission set in keycloak admin client.
Upvotes: 5
Views: 1025
Answers (1)
Reputation: 1059
You are correct, access token does not contain all these details.
In Keycloak when you are using server side adapters the client will be configured to use the standard flow and not the implicit flow of OIDC.
In standard flow when you login using keycloak IDP your front-end redirects to Keycloak IDP and asks for you credentials. If you have the right credentials login is successful and you are redirected back to your app. In this redirect your app gets a code which it then sends to the back-end rest call. This code is used by spring adapter in the spring boot app to make a call to Keycloak IDP server and it is this call in which the boot application will get the user context to take all the authorization decisions as a response from the Keycloak server.
Hope this makes sense.
Upvotes: 2
Related Questions
- Validate token on keycloak server for every api call
- Keycloak + spring cloud gateway + authentication and authorization
- Keycloak JWT Validation using Java Spring Security + KC Adapter
- Spring Keycloak adapter Permissions Policy Enforcer. How to set it up
- Spring Boot Keycloak - How to verify Bearer token?
- Implement Keycloack Authorization server using Spring Security 5 OAuth2
- Should I explicitly verify Keycloak token or this is done by Keycloak adapter?
- Authorization Server
- Types of authentication in OAuth2 in Spring: How does authentication via user credentials work?
- Oauth2: how should the resource server know if the access token is valid?