I have problems authorizing users via Bearer TOKEN that I receive from Keycloak.
The task is to authorize user requests that come from an Angular application to my back-end Thorntail 2.5.0.Final micro-service. I have the front-end part covered and the application appends Authorization: Bearer {TOKEN} to every request to my service.
I have tried following these two guides: https://rieckpil.de/howto-microprofile-jwt-authentication-with-keycloak-and-react/ and https://kodnito.com/posts/microprofile-jwt-with-keycloak/ with the Thorntail microprofile and keycloak-microprofile-jwt fractions, but none of them seem to work.
    @Inject
    @ConfigProperty(name = "message")
    private String message;

    // Injected MicroProfile JWT caller principal
    @Inject
    private JsonWebToken callerPrincipal;

    @GET
    @RolesAllowed("testrole")
    @ApiOperation(value = "Pridobi uporabnike", notes = "Pridobi vse uporabnike iz baze.", response = Uporabnik.class)
    public Response getUsers() {
        // Echo the raw token of the caller together with the configured message
        return Response.ok(callerPrincipal.getRawToken() + " is allowed to read message: " + message).build();
    }
and got the following response:
null is allowed to read message: Very Secure 42!
The second thing I tried is adding the keycloak fraction and sending the token via header, following this example: https://github.com/thorntail/thorntail-examples/tree/master/security/keycloak
I added resources/keycloak.json:
{
    "realm": "Intra",
    "auth-server-url": "https://idm.ra.net/auth",
    "ssl-required": "external",
    "resource": "prenosOSBE",
    "verify-token-audience": true,
    "credentials": {
        "secret": "e9709793-9333-40a7-bb95-2026ad98b568"
    },
    "use-resource-role-mappings": true,
    "confidential-port": 0
}
and the KeycloakSecurityContextFilter.java from the example. If I try to make a call to my endpoint I get 401 Unauthorized or 403 Forbidden if I don't send a token with my request.
So what I want to know is: which fraction is meant to be used if my task is to authorize users via Bearer token on my Thorntail microservice (microprofile-jwt, keycloak-microprofile-jwt or keycloak), and what is the minimal required configuration for it to work?
The keycloak fraction is the Keycloak adapter for WildFly (see https://www.keycloak.org/docs/4.8/securing_apps/index.html#jboss-eap-wildfly-adapter). It lets you use the common security mechanisms from Java EE (<security-constraint>s in web.xml etc.). You can see an example here: https://github.com/rhoar-qe/thorntail-test-suite/tree/master/wildfly/keycloak
The microprofile-jwt fraction lets you use bare MicroProfile JWT (that is, @RolesAllowed on JAX-RS resources, etc.). You have to configure the expected issuer, its public key etc., as described in the MP JWT documentation. You can see an example here: https://github.com/rhoar-qe/thorntail-test-suite/tree/master/microprofile/microprofile-jwt-1.0
The keycloak-microprofile-jwt fraction is a bit of a mix. It doesn't expose the Keycloak adapter, but uses it internally to validate tokens issued by Keycloak, and exposes the tokens via MicroProfile JWT. You can see an example here: https://github.com/thorntail/thorntail/tree/master/testsuite/testsuite-keycloak-mpjwt
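As an added example (not code from the question, the answer, or the Thorntail project), the minimal wiring for the microprofile-jwt route the answer describes: the JAX-RS Application class that switches on MP-JWT authentication, plus the two MicroProfile JWT 1.1 properties for issuer and public key. The class name, the /api path, the PEM file name and the realm name are assumptions; the issuer URL is built from the auth-server-url and realm in the question's keycloak.json.

```java
// Added example, not from the question or the Thorntail project.
// Assumed names: RestApplication, the /api path, the realm "Intra" and the PEM file name.
import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

// @LoginConfig(authMethod = "MP-JWT") turns on MicroProfile JWT authentication for
// the deployment. Without it the Authorization: Bearer header is never processed as
// a login, so the injected JsonWebToken stays unauthenticated and getRawToken() is
// null; this is a common cause of the null raw token seen in the question.
@LoginConfig(authMethod = "MP-JWT", realmName = "Intra")
@DeclareRoles({"testrole"})
@ApplicationPath("/api")
public class RestApplication extends Application {
    // No resource classes listed: JAX-RS scans the deployment for @Path classes.
}

/*
 * src/main/resources/META-INF/microprofile-config.properties
 *
 * mp.jwt.verify.issuer must equal the "iss" claim Keycloak writes into its tokens,
 * which is <auth-server-url>/realms/<realm>. Tokens with any other issuer are rejected.
 * mp.jwt.verify.publickey.location points at the realm's RSA public key in PEM form
 * (Keycloak: Realm Settings -> Keys), used to verify the RS256 signature; a token that
 * does not verify against this key is rejected before @RolesAllowed is evaluated.
 *
 *   mp.jwt.verify.issuer=https://idm.ra.net/auth/realms/Intra
 *   mp.jwt.verify.publickey.location=/META-INF/intra-realm-public-key.pem
 *
 * @RolesAllowed("testrole") is checked against the token's "groups" claim, which
 * Keycloak does not emit by default: add a client protocol mapper that maps the
 * realm (or client) roles to a "groups" claim, otherwise every caller gets 403.
 */
```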