/de.dkutzer.demo.oauth2.spring.boot.security.feign

Primary LanguageJava

Create a Non-Secured Client Service via Spring Security to access another ResourceServer with OAuth2/OpenId-Connect

A demo app to show

  • how to implement a backend service
    • not secured by itself
    • using Feign Clients (from Spring Cloud) to access remote secured services
  • Only Spring Security Dependencies:
	compile('org.springframework.boot:spring-boot-starter-security')
	compile('org.springframework.security.oauth:spring-security-oauth2')
	compile 'org.springframework.cloud:spring-cloud-starter-security'

configuration:

The configuration is done in the SecurityConfiguration.java. The credentials are stored in the application.yml The Feign Clients configuration is done in Person${GRANT_TYPE}FeignClientConfiguration.java.

setup of the keycloak server:

Realm: demo-realm
|
|-Client: demo-client
|         | 
|         |-access-type: confidential
|         |-Service Account Enabled: true
|         |-authorization enabled: true
|
|-Roles: demo_user_role, ROLE_DEMO_SPRING_SECURITY
|
|-User: demo-user
|       |-Password: 123
|       |-Role Mappings: demo_user_role, ROLE_DEMO_SPRING_SECURITY

Run the Demo

Prepare Keycloak

Start a local Keycloak Instance. Using Docker is recommended.

version: '2'
services:
  keycloak-service:
    image: jboss/keycloak
    ports:
      - 8280:8080
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
  • Open the Admin Console with http://localhost:8280/ entering admin/admin.
  • Create the realm called: 'demo-realm'
  • Import the demo-realm.json
  • Open the "demo-client" tab "credentials" and generate a new secret
  • Paste the new secret into the application.yml

Start the Demo from https://github.com/HaVonTe1/de.dkutzer.demo.oauth2.spring.boot.security.resourceserver on Port 8081 or use docker to map dynamic ports.

Now run this app and call GET localhost:8080/person. This will redirect the request to the resourceserver and the RestTemplate will enrich the request with an access token from Keycloak. The response from the resourcesever will be delegated to this app and results will show up.

Exported Endpoints

  • GET /person : responds a fixed list of person entities FOR authorised access only