th3nu11

Reputation: 21

Spring gateway(webflux) - oauth security - issue

Spring 2.2.5.RELEASE Spring Gateway - spring-cloud-starter-gateway - spring-cloud-security - spring-boot-starter-oauth2-resource-server

SSO: keycloak 8.0.2 (docker)

I have an issue with the Spring Gateway security configuration. In my system there are a Spring Gateway and a Keycloak instance behind a proxy and firewall, and I would like them to communicate inside the private network. See the following image for the architecture structure.

In fact, in my private network I have no access to the internet because of the firewall rules.

I tried to configure the Spring provider using the public address of Keycloak for the authorization-uri and the private address of Keycloak for token-uri/jwk-set-uri/user-info-uri: this configuration doesn't work, because it seems that authorization-uri and user-info-uri must have the same base URL.

    security:
      oauth2:
        client:
          ...
          provider:
            myprovider:
              # browser-facing endpoint: public hostname
              authorization-uri: http://sso.domain.it/auth/realms/myrealm/protocol/openid-connect/auth
              # server-to-server endpoints: private hostname
              token-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/token
              jwk-set-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/certs
              user-info-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/userinfo
              user-name-attribute: preferred_username

I get 401 and Keycloak logs this error:

    21:33:20,636 WARN  [org.keycloak.events] (default task-14) type=USER_INFO_REQUEST_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_token, auth_method=validate_access_token

If I set the user-info-uri to the Keycloak public address, the authentication flow works correctly (obviously after removing the firewall rules).

WORKS BUT NOT OK

    security:
      oauth2:
        client:
          ...
          provider:
            myprovider:
              authorization-uri: http://sso.domain.it/auth/realms/myrealm/protocol/openid-connect/auth
              token-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/token
              jwk-set-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/certs
              # user-info now goes to the public hostname, which requires opening the firewall
              user-info-uri: http://sso.domain.it/auth/realms/myrealm/protocol/openid-connect/userinfo
              user-name-attribute: preferred_username

Upvotes: 2

Views: 692

Answers (1)

Polar

Reputation: 11

The problem is that when Keycloak generates the JWT, it records the issuer in it, in your case according to the authorization-uri hostname: sso.domain.it. When you later access it with sso.private.name, mentioned in the user-info-uri field, there will be no match, which in turn causes 401 Unauthorized. To fix the issue, you need to set up an environment variable for Keycloak

    KEYCLOAK_FRONTEND_URL: http://sso.domain.it/auth

in the way you prefer: via Docker/Kubernetes environment, the Keycloak startup command line, etc.

Upvotes: 1
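To make the issuer-mismatch explanation in the answer concrete, here is an added example (written for this page, not Keycloak or Spring code) that models the check a userinfo endpoint performs: verify the token signature, then require the token's `iss` claim to equal the realm issuer derived from the URL the request arrived on, unless a frontend URL is configured, in which case that URL wins. The `expected_issuer` rule is an assumption modelled on the answer's description of `KEYCLOAK_FRONTEND_URL`, the token is signed with HS256 and a constructed key purely so the script runs offline (Keycloak issues RS256 tokens), and `userinfo`, `sign_jwt` and `realm_issuer` are hypothetical names, not Keycloak APIs.

```python
"""Model of the issuer check behind the USER_INFO_REQUEST_ERROR / invalid_token
log line in the question.  Added example, not Keycloak or Spring code."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed signing key for this example only (Keycloak uses RS256 key pairs).
DEMO_KEY = b"example-shared-secret-not-a-real-keycloak-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWS carrying `claims`; stands in for token issuance."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def realm_issuer(base_url: str, realm: str) -> str:
    """Keycloak-style issuer string: <base>/realms/<realm>, where base ends in /auth."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def expected_issuer(request_url: str, realm: str, frontend_url: Optional[str]) -> str:
    """Issuer the server compares against (assumption modelled on the answer):
    a configured frontend URL takes precedence; otherwise scheme + host of the
    URL the request actually hit, plus the /auth context path."""
    if frontend_url:
        return realm_issuer(frontend_url, realm)
    parts = urlsplit(request_url)
    return realm_issuer(f"{parts.scheme}://{parts.netloc}/auth", realm)


def userinfo(token: str, request_url: str, realm: str,
             frontend_url: Optional[str] = None, key: bytes = DEMO_KEY) -> Tuple[int, str]:
    """Return (http_status, detail) as a stand-in for the userinfo endpoint's outcome."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return 401, "invalid_token"
    # Signature first: a forged or altered token never reaches the issuer comparison.
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        return 401, "invalid_token"
    claims = json.loads(_b64url_decode(payload))
    want = expected_issuer(request_url, realm, frontend_url)
    if claims.get("iss") != want:
        # This branch corresponds to the question's error=invalid_token log entry.
        return 401, f"invalid_token (iss={claims.get('iss')!r}, expected {want!r})"
    return 200, str(claims.get("preferred_username"))


# Token obtained through the public authorization-uri, so iss carries sso.domain.it.
TOKEN = sign_jwt({"iss": "http://sso.domain.it/auth/realms/myrealm",
                  "preferred_username": "alice"})
# The gateway calls userinfo on the private hostname from the question.
PRIVATE_USERINFO = "http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/userinfo"

if __name__ == "__main__":
    # Without a frontend URL the issuer derived from sso.private.name does not match.
    print(userinfo(TOKEN, PRIVATE_USERINFO, "myrealm"))
    # With KEYCLOAK_FRONTEND_URL=http://sso.domain.it/auth the comparison succeeds.
    print(userinfo(TOKEN, PRIVATE_USERINFO, "myrealm", frontend_url="http://sso.domain.it/auth"))
```

The first call reproduces the 401 from the question (token issued for `sso.domain.it`, request hitting `sso.private.name`); the second shows why pinning the frontend URL lets the private-network call succeed without opening the firewall, since the issuer no longer depends on which hostname the request used.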
