How to configure Thorntail 2.5.0.Final to authorize users with JWT token from Keycloak?

I have problems authorizing users via Bearer TOKEN that I receive from Keycloak.

The task is to authorize user requests that come from an Angular application to my back-end Thorntail 2.5.0.Final micro-service. I have the front-end part covered and the application appends Authorization: Bearer {TOKEN} to every request to my service.

I have tried following these 2 guides:
https://rieckpil.de/howto-microprofile-jwt-authentication-with-keycloak-and-react/
https://kodnito.com/posts/microprofile-jwt-with-keycloak/

with thorntail microprofile and keycloak-micropfofile-jwt-fractions, but none of them seem to work.

    @Inject
    @ConfigProperty(name = "message")
    private String message;
    @Inject
    private JsonWebToken callerPrincipal;


    @GET
    @RolesAllowed("testrole")
    @ApiOperation(value = "Pridobi uporabnike", notes = "Pridobi vse uporabnike iz baze.", response = Uporabnik.class)
    public Response getUsers() {
        return Response.ok(callerPrincipal.getRawToken() + " is allowed to read message: " + message).build();
    }

and got the following response

null is allowed to read message: Very Secure 42!

The 2. thing I tried is adding the keycloak fraction and sending the token via header following this example https://github.com/thorntail/thorntail-examples/tree/master/security/keycloak

I added the resources/keycloak.json

{
  "realm": "Intra",
  "auth-server-url": "https://idm.ra.net/auth",
  "ssl-required": "external",
  "resource": "prenosOSBE",
  "verify-token-audience": true,
  "credentials": {
    "secret": "e9709793-9333-40a7-bb95-2026ad98b568"
  },
  "use-resource-role-mappings": true,
  "confidential-port": 0
}

and the KeycloakSecurityContextFilter.java from the example.
If I try to make a call to my endpoint I get 401 Unauthorized or 403 Forbidden if I don’t send a token with my request.

So what I want to know is which fraction is meant to be used if my task is to authorize users via Bearer token on my Thorntail microservice?

microprofile-jwt, keycloak-microprofile-jwt or keycloak and what is the minimal required configuration for it to work?

1
Leave a Reply

avatar
1 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
1 Comment authors
Jason Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Jason
Guest

The keycloak fraction is the Keycloak adapter for WildFly per https://www.keycloak.org/docs/4.8/securing_apps/index.html#jboss-eap-wildfly-adapter It lets you use the common security mechanisms from Java EE (<security-constraint>s in web.xml etc.) You can see an example here: https://github.com/rhoar-qe/thorntail-test-suite/tree/master/wildfly/keycloak The microprofile-jwt lets you use bare MicroProfile JWT (that is, @RolesAllowed on JAX-RS resources, etc.). You have to configure the expected issuer, its public key etc., as described in MP JWT documentation. You can see an example here: https://github.com/rhoar-qe/thorntail-test-suite/tree/master/microprofile/microprofile-jwt-1.0 The keycloak-microprofile-jwt is a bit of a mix. It doesn’t expose the Keycloak adapter, but uses it internally to validate tokens issued by Keycloak, and exposes the tokens… Read more »