How to configure when keycloak is in Kubernetes?

[david-randoll]

My services/Keycloak runs inside a Kubernetes cluster, so I configured the ISS with the internal URL. The issuer is mismatched which caused a 401.

A similar thing happened when I ran all my services, including Keycloak behind an Nginx proxy.

Is there some configuration I am missing?

[ch4mpy]

You should use the service public name. For instance, the issuer for my Keycloak instance in K8s for the quiz application is https://oidc.c4-soft.com/auth/realms/quiz.

If you can't configure Keycloak to use a hostname accessible from your resource server, then define the jwk-set-uri in addition to (keeps the issuer validator in JWT decoder) or instead of (removes the issuer validation) the iss property.

[david-randoll]

Thank you very much for your very fast response. Your suggestion for using the jwkSetUri works.

However, I am trying to do multi-tenancy with it. What would I put for the jwkSetUri? Or maybe I need to modify the code in the DynamicTenantsAuthenticationManagerResolver?

I'm assuming the below is cuz Kubernetes wasn't able to access the external URL.

[ch4mpy]

localhost is not a K8s service name: it is a loopback from a docker container to itself

[ch4mpy]

I am about to release a version with authentication manager resolvers supporting dynamic multi-tenancy through Keycloak realms (accept all issuers with a given prefix).

Here is what the synchronized version looks like (for servlet resource servers):

class IssuerStartsWithAuthenticationManagerResolver implements AuthenticationManagerResolver<String> {

	private final String issuerPrefix;
	private final Converter<Jwt, AbstractAuthenticationToken> authenticationConverter;
	private final Map<String, AuthenticationManager> jwtManagers = new ConcurrentHashMap<>();

	/**
	 * @param issuerPrefix            what access tokens iss claim must start with
	 * @param authenticationConverter converter from a valid {@link Jwt} to an {@link AbstractAuthenticationToken} instance
	 */
	public IssuerStartsWithAuthenticationManagerResolver(String issuerPrefix, Converter<Jwt, AbstractAuthenticationToken> authenticationConverter) {
		super();
		this.issuerPrefix = issuerPrefix.toString();
		this.authenticationConverter = authenticationConverter;
	}

	@Override
	public AuthenticationManager resolve(String issuer) {
		if (!jwtManagers.containsKey(issuer)) {
			if (!issuer.startsWith(issuerPrefix)) {
				throw new UnknownIssuerException(issuer);
			}
			final var decoder = NimbusJwtDecoder.withIssuerLocation(issuer).build();
			var provider = new JwtAuthenticationProvider(decoder);
			provider.setJwtAuthenticationConverter(authenticationConverter);
			jwtManagers.put(issuer, provider::authenticate);
		}
		return jwtManagers.get(issuer);

	}

	@ResponseStatus(HttpStatus.UNAUTHORIZED)
	static class UnknownIssuerException extends RuntimeException {
		private static final long serialVersionUID = -7140122776788781704L;

		public UnknownIssuerException(String issuer) {
			super("Unknown issuer: %s".formatted(issuer));
		}
	}
}

All you'll have to do to switch to this authentication manager resolver is exposing this 2 beans in your conf:

@Bean
ConfigurableClaimSetAuthoritiesConverter authoritiesConverter(@Value("${keycloak-host}") URI keycloakHost, SpringAddonsOidcProperties addonsProperties) {
	final var opProperties = addonsProperties.getOpProperties(keycloakHost.toString());
	return new ConfigurableClaimSetAuthoritiesConverter(claims -> opProperties.getAuthorities());
}

@Bean
AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver(
		@Value("${keycloak-host}") URI keycloakHost,
		Converter<Jwt, AbstractAuthenticationToken> authenticationConverter) {
	return new JwtIssuerAuthenticationManagerResolver(new IssuerStartsWithAuthenticationManagerResolver(keycloakHost.toString(), authenticationConverter));
}

The reason for the first bean is that the default expectation is that there are authorities mapping properties for each issuer. In the case of a Keycloak server with dynamic realms, we'll have only one set of authorities mapping properties (with the prefix as iss property). This 1st bean is configured with a custom authorities mapping provider always using the same properties instead of searching for an entry with the issuer of the token (which contains the realm and which we can not know at configuration time)

[david-randoll]

I finally got it working!

So, I had issue with your code compiling. this line return new ConfigurableClaimSetAuthoritiesConverter(claims -> opProperties.getAuthorities()); I also tried using your 'IssuerStartsWithAuthenticationManagerResolver' but spring was complaining that a bean with name authenticationManagerResolver already exists (i added @Primary but still same issue).

Your IssuerStartsWithAuthenticationManagerResolver inspired me to do the below and this worked. I extracted the realm and concat it with the keycloak-host.

@Component
public class DynamicTenantsAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {

    private final Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter;
    private final Map<String, AuthenticationManager> jwtManagers = new ConcurrentHashMap<>();
    private final JwtIssuerAuthenticationManagerResolver delegate = new JwtIssuerAuthenticationManagerResolver(this::getAuthenticationManager);

    public DynamicTenantsAuthenticationManagerResolver(Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter) {
        this.jwtAuthenticationConverter = jwtAuthenticationConverter;
    }

    @Override
    public AuthenticationManager resolve(HttpServletRequest context) {
        return delegate.resolve(context);
    }

    @Value("${keycloak-host}")
    private String issuerBaseUri;
    public AuthenticationManager getAuthenticationManager(String issuerUriString) {
        var tenantId = issuerUriString.substring(issuerUriString.lastIndexOf('/') + 1);
        if (ObjectUtils.isEmpty(tenantId)) {
            throw new IllegalArgumentException("Invalid issuerUriString: " + issuerUriString);
        }
        var newIssuerUri = URI.create(issuerBaseUri) + "/realms/" + tenantId;
        return this.jwtManagers.computeIfAbsent(newIssuerUri, this::buildAuthenticationManager);
    }

    private AuthenticationManager buildAuthenticationManager(String issuerUriString) {
        final var decoder = NimbusJwtDecoder.withIssuerLocation(issuerUriString).build();
        var provider = new JwtAuthenticationProvider(decoder);
        provider.setJwtAuthenticationConverter(jwtAuthenticationConverter);
        return provider::authenticate;
    }
}

@Component
@Conditional({IsKeycloakEnabled.class, IsMultiTenancyEnabled.class})
public class DynamicTenantProperties extends SpringAddonsOidcProperties {

    @Value("${keycloak-host}")
    private URI keycloakHost;

    @Override
    public OpenidProviderProperties getOpProperties(String issOrJwks) throws MissingAuthorizationServerConfigurationException {
        return super.getOpProperties(keycloakHost.toString());
    }
}

    @Bean
    @Primary
    JwtAbstractAuthenticationTokenConverter authenticationConverter(
            Converter<Map<String, Object>, Collection<? extends GrantedAuthority>> authoritiesConverter,
            DynamicTenantProperties addonsProperties, @Value("${keycloak-host}") URI keycloakHost) {
        return jwt -> {
            final var issProperties = addonsProperties.getOpProperties(keycloakHost.toString());
            return new OAuthentication<>(
                    new OpenIdClaimSet(jwt.getClaims(), issProperties.getUsernameClaim()),
                    authoritiesConverter.convert(jwt.getClaims()),
                    jwt.getTokenValue()
            );
        };
    }

[david-randoll]

Once again, thank you very much for your fast response. This is an awesome library, really great work by the team and I give it a star. The multi tenancy with Keycloak was the main reason for using it.

[ch4mpy]

I am about to release

Sure that current version is not ready for the snippets I provided. This comes with a few changes (including authorities properties resolution and beans definitions you bumped into).

I'll release within the next 24h, please be patient.

[ch4mpy]

@david-randoll 7.2.0 is out. Sample usage for dynamic multi-tenancy with Keycloak realms in this security conf. You are probably interested only the 3 first beans (the methodSecurityExpressionHandler addresses another concern)

[david-randoll]

Awesome!! I will check it out

[david-randoll]

Two more random questions:

1. can I do a permit all for say /test but only for POST method?
   
2. How does intellij make your properties orange and ones I defined is red? I did do @ConfigurationProperties(prefix = "keycloak") on a class but can't really F12 on it.
   

[ch4mpy]

The permit-all properties are intended to provide with very coarse access control (per path, not per HTTP method). Use method security (@PreAuthorize, clearly my favorite option) or expose a ResourceServerAuthorizeExchangeSpecPostProcessor bean (look in the source the possible declination and pick the one adapted to your application type).

IDEs use src/main/resources/META-INF/additional-spring-configuration-metadata.json to resolve properties. Create this file and add entries for your own properties. You might use <artifactId>spring-boot-configuration-processor</artifactId> to help you. Read the docs for details

[david-randoll]

Does the @PreAuthorize have a way to work with anonymous? I tried @PreAuthorize("permitAll") and @PreAuthorize("hasAuthority('Anonymous')") but these didn't let me call the endpoint without authenticating.

[ch4mpy]

@PreAuthorize("permitAll()")