Spring Security

Project: OpenID Connect

The objective of this exercise is to use OpenID Connect for authentication with a Keycloak authorization server.
  1. Add the starter spring-boot-starter-security-oauth2-resource-server as a Maven dependency.
  2. Remove the password encoder, user details service and basic authentication from the security configurations of the catalog and order microservices, and instead configure the microservices as resource servers using JSON web tokens.
  3. Add a converter to the configuration that converts JSON web tokens from the Keycloak server into authentication tokens as follows:
    • The authorities are mapped from the roles claim of the JWT
    • The principal name is taken from the username claim if it is an employee JWT, and from the email claim if it is a customer JWT
  4. Set the application property spring.security.oauth2.resourceserver.jwt.issuer-uri to the Keycloak server's address https://auth.distsys.ch/auth/realms/bfh.
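The following configuration class is an added example showing how steps 2 to 4 fit together in one microservice; it is not part of the exercise sheet or of the course's solution. It assumes Spring Boot 3 / Spring Security 6 (lambda DSL) with the resource-server starter from step 1 on the classpath, a hypothetical package name, and that Keycloak roles are exposed as a flat string array in the roles claim. The ROLE_ prefix on the authorities is an assumption made so that hasRole("EMPLOYEE") checks work; the token-type decision (employee token carries username, customer token carries email) follows the exercise text, and a token that carries neither claim is rejected rather than authenticated with an empty principal.

```java
package ch.bfh.bookstore.security; // hypothetical package name

import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Step 2: no password encoder, no user details service, no HTTP Basic.
    // The service is stateless and trusts only bearer JWTs signed by the issuer
    // named in spring.security.oauth2.resourceserver.jwt.issuer-uri (step 4);
    // Spring fetches the issuer's JWK set from that URI and verifies signature,
    // expiry and issuer on every request.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()) // no browser session, so no CSRF surface
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(new KeycloakJwtConverter())));
        return http.build();
    }

    // Step 3: turn a verified Keycloak JWT into a Spring authentication token.
    static class KeycloakJwtConverter implements Converter<Jwt, AbstractAuthenticationToken> {

        @Override
        public AbstractAuthenticationToken convert(Jwt jwt) {
            // Authorities come from the "roles" claim; a token without roles gets none.
            List<String> roles = jwt.getClaimAsStringList("roles");
            Collection<GrantedAuthority> authorities = roles == null
                ? List.of()
                : roles.stream()
                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role)) // prefix: assumption
                    .collect(Collectors.toList());

            // Principal name: "username" for employee tokens, "email" for customer tokens.
            String username = jwt.getClaimAsString("username");
            String email = jwt.getClaimAsString("email");
            String principal;
            if (username != null && !username.isBlank()) {
                principal = username;
            } else if (email != null && !email.isBlank()) {
                principal = email;
            } else {
                // Neither identity claim present: refuse rather than authenticate anonymously.
                throw new BadCredentialsException("JWT carries neither username nor email claim");
            }
            return new JwtAuthenticationToken(jwt, authorities, principal);
        }
    }
}
```

With this in place the only property the service needs for step 4 is spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.distsys.ch/auth/realms/bfh; any token whose iss claim does not match that value, or whose signature does not verify against the realm's published keys, is rejected before the converter ever runs.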
  5. Use Postman's OAuth 2.0 authentication with bookstore as the client ID and Keycloak's metadata to obtain ID tokens for the following users, and use them to access the microservices:

    Username   Password   Role
    john       12345      EMPLOYEE
    alice      12345      CUSTOMER
    bob        12345      CUSTOMER