Keycloak asks for login credentials even when a valid token is provided

Question

I'm trying to use Keycloak to secure a Spring Boot API using Spring Security. The API is running on port 8080 and Keycloak is on port 8081. This is my filter chain:

@Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .requestMatchers(HttpMethod.POST, "/api/posts*").authenticated()
                .anyRequest().permitAll()
                .and()
                .csrf().disable();

        http.oauth2Login()
                .and()
                .logout()
                .logoutSuccessUrl("/");

        return http.build();
    }

When I try to POST to /api/posts from Insomnia, It shows me the login screen even though I provided valid credentials. (The access token is also there but it's not in the screenshot)

application.properties:

spring.security.oauth2.client.registration.keycloak.client-id=backend
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.scope=openid

spring.security.oauth2.client.provider.keycloak.issuer-uri=http://localhost:8081/realms/test
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username

Keycloak client config:

This answer will solve your problems: https://stackoverflow.com/a/74572732/619830 — ch4mp, Dec 19 '22 at 17:14

score 1 · Accepted Answer · answered Dec 19 '22 at 08:43

If you want to secure your API with tokens received from Keycloak, you should use the oauth2ResourceServer directive in your security configuration. You're using oauth2Login. So in the security filter chain, you should have something like this:


@Value("${pring.security.oauth2.client.provider.keycloak.issuer-uri}")
String issuerUri;

...

.oauth2ResourceServer(oauth2ResourceServer ->
    oauth2ResourceServer.jwt(jwt ->
        jwt.decoder(JwtDecoders.fromIssuerLocation(issuerUri))
    )
);

Have a look at this tutorial we've created at Curity that shows how to create a Spring Boot API protected with JWTs: https://curity.io/resources/learn/spring-boot-api/ You can have a look at the complete solution there.

In this tutorial, authorities mapping is Spring's default one: from `scp` claim only when the `role` claim should probably considered too. I demo how to do it in [my own tutorials](https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials) from Java conf (with `spring-boot-starter-oauth2-resource-server`) or just properties (with a starter of my own which is a very thin wrapper arround `spring-boot-starter-oauth2-resource-server`) — ch4mp, Dec 19 '22 at 17:10

Keycloak asks for login credentials even when a valid token is provided

1 Answers1