
spring-security-oauth2-m2m's Introduction

Spring Security OAuth2 implementation of a machine-to-machine authentication process on WebFlux endpoints.

AUTHORISATION SERVER

We use Keycloak as the authorization server, running in a Docker container :

  • Start the Keycloak authorization server with the following docker command :
    docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8080:8080 jboss/keycloak:4.6.0.Final
  • Configure the client by importing the JSON file keycloak-master-clients.json from the Keycloak import menu, using the Skip policy if a resource already exists
  • Verify that the client security-client has been added
  • Get the security-client secret :
    • Go to the Clients menu
    • Click on the security-client list entry
    • In the Credentials tab, click on the "Regenerate Secret" button
    • Copy the generated secret and store it for later

RESOURCE SERVER

The resource server security-server project is composed of the following packages :

  • the main package "server" containing :
    • ServerApplication.java : the main app
  • the configuration package "server.config" containing
    • CustomAuthenticationConverter.java : the JWT token analyzer
    • ServerSecurityConfig.java : the configuration implementing the security web filter chain
    • ServerSecurityProperties.java : the properties listed in the application.yml file (with prefix : "com.security.oauth2.jwt")
  • the controller package "server.controller" :
    • ServerController.java : exposing one endpoint /principal

To start the security server application :

  • Import the security-server project as a "Maven project" into your IDE
  • Start the Java application using your IDE command

CLIENT APPLICATION

The client application security-client project is composed of the following packages :

  • the main package "client" containing :
    • ClientApplication.java : the main app sending a request to the /principal endpoint
  • the configuration package "client.config" containing :
    • ApiConfig.java : properties linked for data fetching (with prefix : "com.api")
    • WebClientSecurityConfig.java : the configuration implementing the WebClient customizer
    • WebClientSecurityCustomizer.java : automatically adds an exchange function as a filter

To start the security client application :

  • Import the security-client project as a "Maven project" into your IDE
  • In src/main/resources, add an application-my.properties file with the following property :
    security.client.secret=SECRET_FROM_KEYCLOAK
    
    Replace SECRET_FROM_KEYCLOAK with the secret generated in the security-client Credentials tab.
  • Start the Java application using your IDE command

EXECUTION

Principle

Once started, the security-client connects to the security-server on the /principal endpoint, and the server identifies the calling application.

Server application

On one side, the security-server logs the clientId found in the JWT token :

c.s.server.controller.ServerController   : App authentified : 'security-client'
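
One way a JWT converter on the resource server can turn the token's clientId claim into the authenticated principal, as an added example that is not the project's own CustomAuthenticationConverter. It assumes Spring Security 5.2 or later and that the claim is named clientId, as the log line above suggests; the class name, the allow-list and the ROLE_APPLICATION authority are hypothetical.

```java
// Added example, not the project's CustomAuthenticationConverter.
// Assumes Spring Security 5.2+ (three-argument JwtAuthenticationToken constructor).
import java.util.Collections;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import reactor.core.publisher.Mono;

public class ClientIdAuthenticationConverter
        implements Converter<Jwt, Mono<AbstractAuthenticationToken>> {

    // Assumed claim name, taken from the "clientId" the server logs.
    private static final String CLIENT_ID_CLAIM = "clientId";

    // Hypothetical allow-list of calling applications, e.g. "security-client".
    private final Set<String> allowedClients;

    public ClientIdAuthenticationConverter(Set<String> allowedClients) {
        this.allowedClients = allowedClients;
    }

    @Override
    public Mono<AbstractAuthenticationToken> convert(Jwt jwt) {
        // The Jwt passed in has already been decoded and validated
        // (signature, expiry) by the configured reactive JWT decoder.
        String clientId = jwt.getClaimAsString(CLIENT_ID_CLAIM);
        if (clientId == null || clientId.isEmpty()) {
            // A token without the claim does not identify a calling application.
            return Mono.error(new BadCredentialsException("Token has no clientId claim"));
        }
        if (!allowedClients.contains(clientId)) {
            return Mono.error(new BadCredentialsException("Unknown client application"));
        }
        // The third argument becomes Principal.getName() in the controller.
        return Mono.just(new JwtAuthenticationToken(
                jwt,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_APPLICATION")),
                clientId));
    }
}
```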

Client application

On the other side, the security-client application logs the server's response, which is the name of the authenticated application :

com.security.client.ClientApplication    : Server response : 'security-client'

spring-security-oauth2-m2m's People

Contributors

brico87
