How do I link my SpringBoot application to a specific keycloak client?

Time:02-15

I'm trying to implement an authentication system for my Spring Boot application using Keycloak with the password grant flow, and it works fine for the most part, but there's one bit I don't understand.

(I'm gonna reference the sample source from javacodegeeks because I'm learning it through their guide.)

In this guide: https://examples.javacodegeeks.com/keycloak-in-a-spring-boot-application/

It says to set up the following configuration in my application.properties:

# application configuration
server:
  port: 9000
# keycloak configuration
keycloak:
  # name of the created realm
  realm: jcgassignment
  # name of the created client
  resource: spring-security-demo-app
  # indicates that our service has been created as a bearer-only (by default it is false)
  bearer-only: true
  # url of our Keycloak server
  auth-server-url: 'http://localhost:8100/auth'

And if I'm understanding this right, this config specifically links my Spring Boot app with a client created within my Keycloak realm, telling my Keycloak adapter to connect to this specific Keycloak server, into this specific client, to verify a JWT token.

But for some reason, even if I disable the client (in this case spring-security-demo-app), my Spring Boot app is still able to communicate with the Keycloak server and verify a JWT, and thus is still able to return a 200 OK response. How is that?

Is my Spring Boot app not correctly linked with my Keycloak realm client? Or am I understanding this wrong?

CodePudding user response:

This is probably due to how a JWT is validated and how Keycloak handles its keysets.

A client does not need to explicitly call the emitter server to authenticate a JWT; it's a stateless authentication method. Those tokens are generated with a private key when issued and then validated against a public certificate. In Keycloak those keysets are scoped to the realm, not to the client.

What happens is that the authentication server exposes certificates through a public URL (for Keycloak, http://keycloak.domain.com/auth/realms/[REALM-ID]/protocol/openid-connect/certs), which the client uses to authenticate the token without sending it to the authentication server.

In short: a JWT is valid as long as it is not expired and a certificate allows its validation.

To get back to your case, the user is authenticated on the client and the JWT is generated with the realm keysets. If you disable the client on Keycloak afterwards, the keyset that was used remains active, and so does the token.

One solution would be to disable the keyset and force-refresh the cache that the client's server probably keeps.

This is inherent in how JWTs work and not specific to Keycloak.

CodePudding user response:

To add to Baptiste's answer: when you disable the client in Keycloak, it means that the server will no longer issue new tokens to the client. So the client will be able to neither authenticate new users nor refresh access tokens. Still, JWTs already issued to the client (as Baptiste noted) are valid as long as the certificates haven't changed and the token hasn't expired.
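The mechanism both answers describe, as an added example that is not part of either answer and not Keycloak or Spring code: a toy realm with one RSA keypair shared by all its clients issues RS256 tokens, and a resource-side Verify that, like the adapter working from the cached certs endpoint, checks only signature and expiry. The Realm type, its Clients map and the azp claim usage are assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Realm mimics a Keycloak realm: one RSA keypair shared by every client in it,
// plus a per-client enabled flag (assumed demo model, not Keycloak's own code).
type Realm struct {
	Key     *rsa.PrivateKey
	Clients map[string]bool // client id -> enabled
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue mints an RS256 token for a client. Disabling the client blocks this
// path (no new tokens, no refresh) but leaves the realm key untouched.
func (r *Realm) Issue(client, sub string, ttl time.Duration) (string, error) {
	if !r.Clients[client] { return "", errors.New("client disabled: no new tokens") }
	claims, _ := json.Marshal(map[string]any{"sub": sub, "azp": client, "exp": time.Now().Add(ttl).Unix()})
	signing := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(claims)
	h := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, r.Key, crypto.SHA256, h[:])
	return signing + "." + b64(sig), err
}

// Verify is the adapter's offline check against the cached realm public key
// (what .../protocol/openid-connect/certs serves): signature and expiry only.
// The client's enabled flag is never consulted, so a disabled client's old
// tokens keep passing until they expire or the realm key is rotated.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return nil, errors.New("malformed token") }
	sig, _ := base64.RawURLEncoding.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature: realm key rotated or token forged")
	}
	raw, _ := base64.RawURLEncoding.DecodeString(p[1])
	var claims map[string]any
	if json.Unmarshal(raw, &claims) != nil { return nil, errors.New("bad claims") }
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) { return nil, errors.New("token expired") }
	return claims, nil
}
```

Swapping the key passed to Verify for a fresh one is the "disable the keyset" remedy from the first answer: every token signed by the old key fails immediately, regardless of client status.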
