In my application, I am using keycloak with the Authorization server that I have created in Spring Boot application. I have implemented authentication and authorization using OpenID Connect. In Client Authentication parameter in keycloak, I have selected client_secret_post option. The configuration can be seen in the image below:
In my Authorization server that I have developed in spring boot, I have also done the same thing.
Now when I debug the code, I can see that with the token request http://auth-server:9000/oauth2/token, the client id and client secret are sent in the request parameters, as can be seen in the image below.
But with the userinfo request http://auth-server:9000/userinfo, I see that the client id and client secret are not sent in the request parameters; instead the client id and client secret are encoded and sent in the Authorization header, as can be seen in the image below.
Is this the expected behaviour, or am I missing something? Why are the client_id and client_secret not being sent as request parameters for the userinfo endpoint URL http://auth-server:9000/userinfo as well?
CodePudding user response:
Keycloak is an authorization server. Don't create another one.
Your Spring applications should be configured as either:
- resource-server for REST APIs. Tutorials there
- client for UIs (spring applications serving Thymeleaf pages, as well as native mobile apps and rich clients written with Angular, React, Vue, etc.). Use an OIDC client lib for that.
spring-boot-starter-oauth2-client is to be used for Spring clients (like those with Thymeleaf), angular-auth-oidc-client with Angular, etc.
CodePudding user response:
Oh, I have figured it out. When the User Info URL endpoint http://auth-server:9000/userinfo is triggered, what is actually sent in the Authorization header is the token that was retrieved from the token endpoint http://auth-server:9000/oauth2/token. So this is the expected behaviour, I guess.
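The two requests discussed in the question and the self-answer, as an added offline simulation that is not part of the original post and not Keycloak's or Spring Security's code. Both endpoints are plain Python functions; the client registration, the pending authorization code, the redirect URI and the opaque token format are constructed placeholder values. It shows that with client_secret_post the client_id and client_secret travel in the form body of the token request only, that the userinfo request carries nothing but the issued access token as a Bearer header, and that the userinfo endpoint rejects anything else (a missing header, a Basic header) with 401.

```python
"""Offline simulation of a client_secret_post token request followed by a
Bearer-token userinfo request. Constructed example; nothing here comes from a
real Keycloak realm or from Spring Security."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed client registration and one pending authorization code (placeholders).
REGISTERED_CLIENTS = {"my-client": "my-client-secret"}
PENDING_CODES = {
    "code-abc123": {
        "sub": "alice",
        "email": "alice@example.test",
        "client_id": "my-client",
        "redirect_uri": "http://localhost:8080/login/oauth2/code/my-client",
    }
}
ISSUED_TOKENS: dict[str, dict] = {}  # opaque access token -> claims


def token_endpoint(form_body: str) -> tuple[int, dict]:
    """POST /oauth2/token. With client_secret_post the client_id and client_secret
    are read from the x-www-form-urlencoded body next to the grant parameters."""
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    expected = REGISTERED_CLIENTS.get(p.get("client_id", ""))
    supplied = p.get("client_secret", "")
    # Constant-time comparison; an unknown client falls through to the same error.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 401, {"error": "invalid_client"}
    if p.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    grant = PENDING_CODES.pop(p.get("code", ""), None)  # codes are single use
    # The code must have been issued to this client for this redirect URI.
    if (grant is None or grant["client_id"] != p["client_id"]
            or grant["redirect_uri"] != p.get("redirect_uri")):
        return 400, {"error": "invalid_grant"}
    access_token = secrets.token_urlsafe(32)  # opaque token keeps the sample short
    ISSUED_TOKENS[access_token] = {"sub": grant["sub"], "email": grant["email"]}
    return 200, {"access_token": access_token, "token_type": "Bearer", "expires_in": 300}


def userinfo_endpoint(headers: dict) -> tuple[int, dict]:
    """GET /userinfo. No client credentials are involved: the only authentication
    is the Bearer access token, and the response is the claims bound to it."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or credential not in ISSUED_TOKENS:
        return 401, {"error": "invalid_token",
                     "WWW-Authenticate": 'Bearer error="invalid_token"'}
    return 200, dict(ISSUED_TOKENS[credential])


def client_login(code: str) -> dict:
    """What the client does after the redirect: exchange the code, then fetch
    userinfo. Returns the parts of both requests so they can be inspected."""
    form = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": "http://localhost:8080/login/oauth2/code/my-client",
        "client_id": "my-client",          # client_secret_post: in the body ...
        "client_secret": "my-client-secret",  # ... not in an Authorization header
    })
    status, token_response = token_endpoint(form)
    if status != 200:
        return {"token_status": status, "error": token_response}
    # The userinfo request carries only the access token, as a Bearer header.
    userinfo_headers = {"Authorization": f"Bearer {token_response['access_token']}"}
    status, claims = userinfo_endpoint(userinfo_headers)
    return {
        "token_status": 200,
        "token_form_fields": sorted(parse_qs(form).keys()),
        "userinfo_headers": userinfo_headers,
        "userinfo_status": status,
        "claims": claims,
    }


if __name__ == "__main__":
    result = client_login("code-abc123")
    print("token request form fields:", result["token_form_fields"])
    print("userinfo request headers:", result["userinfo_headers"])
    print("userinfo claims:", result["claims"])
```

Running the script prints the form field names of the token request (which include client_id and client_secret), the single Authorization header of the userinfo request (which starts with Bearer and contains no client credentials), and the claims returned for the token. Replaying the same authorization code fails with invalid_grant because the code was consumed on first use.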