In the previous parts, Part 1 and Part 2, I gave an introduction to OAuth and to configuring Keycloak. Now I will show how to set up a secured REST endpoint using Spring Boot and Spring Security.
Setting up the project
Before starting to develop the project, two dependencies are required. The first brings in Spring Security's OAuth 2.0 resource-server support (bearer-token authentication for the API). The second, spring-security-oauth2-jose, provides the JOSE/JWT support used to parse tokens and verify their signatures. The required dependencies are shown below:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
```
We also need to configure the resource server by adding Spring Security properties to application.yml, as shown below:
In our example we configure two properties, issuer-uri and jwk-set-uri. The issuer-uri tells Spring Security which authorization server issued the tokens; it is also the value that the iss claim of every accepted token must match. In this example it is set to the URL of the hello realm configured on Keycloak.
The jwk-set-uri specifies where Spring Security fetches the public keys used to validate the token signature. For this example it is set to the certs endpoint of the hello realm (the protocol/openid-connect/certs path under the realm URL).
Building the controller
The controller is very simple: its only function is to return a body with the text "hello". But it will be accessible only to users who have been authenticated and authorized through the OAuth flow. In the next section I will show how to secure the /hello endpoint. Below is the controller code:
Securing the application
To secure the application I will create a class named SecurityConfig, annotated with @Configuration and @EnableWebSecurity and extending WebSecurityConfigurerAdapter. Then we override the configure(HttpSecurity) method to define the protected endpoint and the rules for accessing it.
In the gist above the /hello endpoint is protected using antMatchers: to access it, a token carrying the hello scope must be presented, and every other request requires an authenticated user. Spring Security derives an authority named SCOPE_<name> from each entry in the token's scope claim, so the hello scope is checked as the SCOPE_hello authority.
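The following is an added example of what the SecurityConfig and controller described above can look like, together with a MockMvc test that exercises the rule; it is not the gist from the original post. The package name com.example.hello, the class names, and the test dependencies spring-boot-starter-test and spring-security-test are assumptions.

```java
// src/main/java/com/example/hello/SecurityConfig.java
package com.example.hello;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: no session is created, so there is no CSRF token to protect.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // GET /hello needs a token whose "scope" claim contains "hello";
                // Spring Security maps each scope to the authority "SCOPE_<name>".
                .antMatchers(HttpMethod.GET, "/hello").hasAuthority("SCOPE_hello")
                // Every other request still requires a valid token.
                .anyRequest().authenticated()
            .and()
            // Accept bearer JWTs, validated by the JwtDecoder built from the yml properties.
            .oauth2ResourceServer().jwt();
    }
}

@RestController
class HelloController {
    @GetMapping("/hello")
    String hello() {
        return "hello";
    }
}

// src/test/java/com/example/hello/HelloEndpointTest.java
// (assumes spring-boot-starter-test and spring-security-test on the test classpath)
package com.example.hello;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class HelloEndpointTest {

    @Autowired
    MockMvc mvc;

    @Test
    void missingTokenIsRejectedWith401() throws Exception {
        mvc.perform(get("/hello")).andExpect(status().isUnauthorized());
    }

    @Test
    void tokenWithoutHelloScopeIsRejectedWith403() throws Exception {
        // jwt() injects an already-validated JWT, so no real Keycloak is contacted.
        mvc.perform(get("/hello").with(jwt().authorities(new SimpleGrantedAuthority("SCOPE_other"))))
           .andExpect(status().isForbidden());
    }

    @Test
    void tokenWithHelloScopeSucceeds() throws Exception {
        mvc.perform(get("/hello").with(jwt().authorities(new SimpleGrantedAuthority("SCOPE_hello"))))
           .andExpect(status().isOk())
           .andExpect(content().string("hello"));
    }
}
```

The three tests pin down the behaviour a reviewer cares about: no token gives 401, a valid token without the hello scope gives 403, and only the hello scope reaches the controller. Because the decoder is built from jwk-set-uri, the key set is fetched only when a real token is decoded, so the tests run without a Keycloak instance. Note that WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 onwards; on newer versions the same rules are declared in a SecurityFilterChain bean.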
In this series of articles I introduced a simple OAuth 2 setup to secure an endpoint, explaining how the OAuth protocol works and how to set up Keycloak.
Much more can be done with Keycloak and Spring Security. In the next posts I plan to keep exploring what these tools offer, including two-factor authentication.
I hope you enjoyed these posts; stay tuned to see what's next.
To achieve this we add the following sections to the application.yml file. Spring Security 5 automatically configures an OAuth2 client when you specify just the issuer URI value through the predefined Spring property spring.security.oauth2.client.provider.[id].issuer-uri. For OAuth2 clients you always have to specify the client registration with the client id, the client secret, the authorization grant type, the redirect URI of your client callback and, optionally, the scope.