Comments (5)
In 2.3.0, I reorganized the properties, but this is mostly code shuffling; you should have about the same configuration options.
It is possible I lost a few very low-level JWT claims like `jti` in the process, but see at the end of this post how you can set it in `privateClaims`.
How come your @controller code (or @service or any other "business" code) needs access to such claims (`session_state` and `jti`)? Shouldn't these be used by upstream frameworks only (like Spring Security, before access is granted and `KeycloakAuthenticationToken` is built)?
The reason for this change is that I chose to get closer to the OpenID spec, to re-use some code I wrote for another OpenID Authentication implementation (I personally don't use `KeycloakAuthenticationToken` any more, mostly because the Keycloak Spring libs are moving too slowly). The spec is here: https://openid.net/specs/openid-connect-core-1_0.html
Current state:
- IDToken claims are in `@WithMockKeycloakAuth(id = @IdTokenClaims(...))`
- StandardClaims are in `@WithMockKeycloakAuth(oidc = @OidcStandardClaims(...))`
- KeycloakAccessToken, which wraps Keycloak private claims (not in the standard), is defined in `@WithMockKeycloakAuth(accessToken = @KeycloakAccessToken(...))`
What this means for you:
- if you are looking for OpenID standard claims, set them in either the `id` or the `oidc` property of `@WithMockKeycloakAuth` (`sub` is a standard IDToken claim and so goes under `id`)
- if you are looking for Keycloak "standard" claims (I mean the claims I knew of at the moment I wrote the lib), dig under the `accessToken` property
- if you want to set claims that are neither in the OpenID nor the Keycloak specs (like `jti` and `session_state`, or claims I missed), you should still be able to set them in `privateClaims`
As usual, samples are rather informative:

```java
@Test
@WithMockKeycloakAuth(
        authorities = { "USER", "AUTHORIZED_PERSONNEL" },
        id = @IdTokenClaims(sub = "42"),
        oidc = @OidcStandardClaims(
                email = "[email protected]",
                emailVerified = true,
                nickName = "Tonton-Pirate",
                preferredUsername = "ch4mpy"),
        accessToken = @KeycloakAccessToken(
                realmAccess = @KeycloakAccess(roles = { "TESTER" }),
                authorization = @KeycloakAuthorization(
                        permissions = @KeycloakPermission(rsid = "toto", rsname = "truc", scopes = "abracadabra"))),
        privateClaims = @ClaimSet(stringClaims = @StringClaim(name = "foo", value = "bar")))
public void whenAuthenticatedWithKeycloakAuthenticationTokenThenCanGreet() throws Exception {
    api.get("/greet")
            .andExpect(status().isOk())
            .andExpect(content().string(startsWith("Hello ch4mpy! You are granted with ")))
            .andExpect(content().string(containsString("AUTHORIZED_PERSONNEL")))
            .andExpect(content().string(containsString("USER")))
            .andExpect(content().string(containsString("TESTER")));
}
```
from spring-addons.
I re-open. Further investigations needed.
from spring-addons.
Hi, thanks for the response!
> How come your @controller code (or @service or any other "business" code) needs access to such claims (`session_state` and `jti`)? Shouldn't these be used by upstream frameworks only (like Spring Security, before access is granted and `KeycloakAuthenticationToken` is built)?
I created an audit Filter that uses this information for auditing purposes. In fact these fields are not relevant to the test, but the object is used for other things, including a way to obtain the user data. As these three fields are always provided by Keycloak, I defined them as not null in my Kotlin code.
> It is possible I lost a few very low-level JWT claims like `jti` in the process, [...]

I didn't find any reference to `jti` in the current branch via GitHub search.
--
Ok, now I changed to the similar example,

```kotlin
@WithMockKeycloakAuth(
    authorities = [CLASSROOM_TURMAS_CADASTRAR_COMANDO],
    id = IdTokenClaims(sub = "00000000-0000-0000-0000-000000000000"),
    oidc = OidcStandardClaims(),
    privateClaims = ClaimSet(stringClaims = [
        StringClaim(name = "jti", value = "00000000-0000-0000-0000-000000000000"),
        StringClaim(name = IDToken.SESSION_STATE, value = "00000000-0000-0000-0000-000000000000")
    ])
)
```

but this `privateClaims` only populates `otherClaims`.
> The spec is here: https://openid.net/specs/openid-connect-core-1_0.html

`session_scope` can be found in https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions, but it is a draft.
Congratulations for the awesome project :D !
from spring-addons.
Renamed `privateClaims` to `otherClaims` in `@WithMockKeycloakAuth` for clarity: Keycloak's token model does not support private claims at root as per the JWT spec. Instead, it maps unknown claims to `otherClaims` properties.

Added `jti` and `nbf` (from the JWT spec) to `@IdTokenClaims` (an ID token is a JWT).

Also added `session_state` to `@IdTokenClaims` as per https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
Sample usage:

```java
@WithMockKeycloakAuth(
        authorities = { "USER", "AUTHORIZED_PERSONNEL" },
        id = @IdTokenClaims(
                sub = "42",
                jti = "123-456-789",
                nbf = "2020-11-18T20:38:00Z",
                sessionState = "987-654-321"),
        oidc = @OidcStandardClaims(
                email = "[email protected]",
                emailVerified = true,
                nickName = "Tonton-Pirate",
                preferredUsername = "ch4mpy"),
        accessToken = @KeycloakAccessToken(
                realmAccess = @KeycloakAccess(roles = { "TESTER" }),
                authorization = @KeycloakAuthorization(
                        permissions = @KeycloakPermission(rsid = "toto", rsname = "truc", scopes = "abracadabra"))),
        otherClaims = @ClaimSet(stringClaims = @StringClaim(name = "foo", value = "bar")))
```
Please re-open if you find other missing claims.
P.S.
@SrMouraSilva sorry for abnormally long processing. I got caught by urgent stuff at work, then changed my laptop (and had to re-install everything) and then just ... forgot about this opened issue => so very, very sorry :(
from spring-addons.
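Why a generic claim set could only ever land in `otherClaims`, and why `jti` and `session_state` had to become typed properties of `@IdTokenClaims`, follows from Keycloak's own token model. The example below is added here and is not code from spring-addons or from this thread; it deserialises a constructed payload (not a real token) with `org.keycloak.representations.IDToken` and assumes `keycloak-core` is on the classpath.

```java
import java.io.IOException;
import java.util.Map;

import org.keycloak.representations.IDToken;
import org.keycloak.util.JsonSerialization;

public class KeycloakClaimMappingDemo {

    // Constructed ID token payload (not a real token): registered JWT claims,
    // the OIDC session claim, and one claim no spec or Keycloak defines.
    static final String PAYLOAD = "{"
            + "\"jti\":\"123-456-789\","
            + "\"sub\":\"42\","
            + "\"session_state\":\"987-654-321\","
            + "\"foo\":\"bar\""
            + "}";

    public static void main(String[] args) throws IOException {
        IDToken token = JsonSerialization.readValue(PAYLOAD, IDToken.class);

        // Claims the Keycloak model knows are bound to typed fields, which is
        // what an audit filter reads when it logs who did what in which session.
        System.out.println("jti           -> " + token.getId());           // 123-456-789
        System.out.println("sub           -> " + token.getSubject());      // 42
        System.out.println("session_state -> " + token.getSessionState()); // 987-654-321

        // Anything unknown is collected by the @JsonAnySetter into otherClaims.
        // A "jti" supplied only as a generic claim therefore never reaches getId(),
        // so a filter that asserts getId() != null would still fail.
        Map<String, Object> other = token.getOtherClaims();
        System.out.println("otherClaims   -> " + other);                   // {foo=bar}
        System.out.println("jti in otherClaims? " + other.containsKey("jti")); // false
    }
}
```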
> @SrMouraSilva sorry for abnormally long processing. I got caught by urgent stuff at work, then changed my laptop (and had to re-install everything) and then just ... forgot about this opened issue => so very, very sorry :(
Hi ch4mpy! I completely understand the situation. Thank you for your availability! I am updating my code.
from spring-addons.