Should I explicitly verify Keycloak token or this is done by Keycloak adapter?

馋奶兔 submitted on 2021-02-10 23:14:35

Question


There is a Spring-boot REST API, that needs to be secured by Keycloak, the application is using Keycloak-Spring-Security adapter (6.0.1).

A call to an API endpoint, carries along the bearer token, obtained from Keycloak (currently through postman).

I'm able to perform a successful REST endpoint call, but another thing is troubling me: should I explicitly verify the token against the public key?

1 - Is the adapter performing verification of the token against the public key, or should I implement it?

2 - If the adapter is doing this - can you point out in which classes is this getting done?

3 - If - not - how should this verification be implemented? Are there any Keycloak libraries that I can use to verify the token?


Answer 1:


Well, after a few days of searching the web for an answer, I got it. I looked into the code of Keycloak-spring-security-adapter and found it.

First of all I set the logging level for keycloak to DEBUG:

    logging.level.org.keycloak=DEBUG

Then I tried to access my endpoint with a bad token (I expected that this was going to produce an exception, i.e. a more visible trace; and it did):

    2019-10-17 10:18:57,905 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.PreAuthActionsHandler | adminRequest http://localhost:8081/error 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Request is to process authentication 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Attempting Keycloak authentication 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Found [1] values in authorization header, selecting the first value for Bearer. 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Verifying access_token 
    2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Failed to verify token 
    2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.RequestAuthenticator | Bearer FAILED 
    2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Auth outcome: FAILED 
    2019-10-17 10:18:57,925 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
        at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:158)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    .....

From this it is clear that the token is being verified; if you look into the classes that take part, you'll see that it is verified against the public key in certain situations.

Classes that take part in this authentication & verification are, in my case (bearer-only):

    org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
    org.keycloak.adapters.BearerTokenRequestAuthenticator

Hopefully this can help other people like me to find their way in Keycloak.
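For readers who want to see what "verified against the public key" means in practice, here is an added example (not code from the question, the answer or the Keycloak project) that performs the same checks explicitly with the `TokenVerifier` class from `keycloak-core`: RS256 signature against the realm key, `iss` equal to the realm URL, token type `Bearer`, and `exp`/`nbf` lifetime. In the adapter, `BearerTokenRequestAuthenticator` delegates this work to `org.keycloak.adapters.rotation.AdapterTokenVerifier`, which builds the same kind of verifier; the realm URL and the Base64 public key below are placeholders you must fill from your own realm.

```java
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

/** Stand-alone bearer token check; added example, not adapter code. */
public class ExplicitTokenCheck {

    // Placeholder: "Realm Settings -> Keys -> Public key" of your realm (Base64 X.509 SubjectPublicKeyInfo).
    private static final String REALM_PUBLIC_KEY_BASE64 = "<paste realm public key here>";

    // Placeholder realm URL; it must match the token's "iss" claim exactly (scheme, host, port, path).
    private static final String REALM_URL = "http://localhost:8080/auth/realms/<realm>";

    /** Turns the Base64 SPKI string shown in the Keycloak admin console into a java.security.PublicKey. */
    static PublicKey loadRealmPublicKey(String base64Spki) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Spki);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Returns the parsed token only if signature, issuer, type and lifetime all check out. */
    static AccessToken verify(String bearerToken, PublicKey realmKey) throws VerificationException {
        return TokenVerifier.create(bearerToken, AccessToken.class)
                .withDefaultChecks()   // subject present, typ "Bearer", not expired, nbf reached
                .realmUrl(REALM_URL)   // "iss" must equal the realm URL
                .publicKey(realmKey)   // RS256 signature against the realm key
                .verify()
                .getToken();
    }

    public static void main(String[] args) throws Exception {
        String bearer = args.length > 0 ? args[0] : "<token from the Authorization header>";
        PublicKey key = loadRealmPublicKey(REALM_PUBLIC_KEY_BASE64);
        try {
            AccessToken token = verify(bearer, key);
            System.out.println("valid token for subject " + token.getSubject()
                    + " issued for client " + token.getIssuedFor());
        } catch (VerificationException e) {
            // Same outcome as the "Failed to verify token" line in the adapter's DEBUG log.
            System.out.println("token rejected: " + e.getMessage());
        }
    }
}
```

Note that the adapter does not hard-code the key as this example does: it picks the realm key by the token's `kid` header from the realm's JWKS endpoint, so key rotation keeps working, which is one more reason to leave verification to the adapter rather than reimplement it.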



Source: https://stackoverflow.com/questions/58389882/should-i-explicitly-verify-keycloak-token-or-this-is-done-by-keycloak-adapter
