I have set up two web applications (app1 and app2) and I am using Keycloak to handle authentication. To do this I set up 2 clients (client1 for app1, client2 for app2). So far this works fine and I am able to login to my apps.

But now I want to add some restrictions:

(user1 and user2).
user1 to only have access to app1
user2 to only have access to app2
app1 and app2, sometimes at different levels (e.g. user3 could be an admin user for app1 but a regular user for app2).

To try and get this to work, I have done the following:
user1 belongs to group1 and user2 belongs to group2.

Despite configuring all these settings, user1 and user2 can still login to both applications; it's as if authorization is being ignored.

How do I get this to work?

Regarding the apps:
app1 is a web application running on Spring Boot 1.5
app2 is a web application running on Spring Boot 2.7
authorization-uri, token-uri, user-info-uri etc.

I am using Keycloak 21.1.1.
I think I finally found what I was looking for...

While Keycloak lets you define roles for your application, it does not actually enforce these roles! Instead, these roles are passed to the application as part of the JWT token. It is the application's responsibility to enforce these roles.

In Spring Boot, an extra step is required. You need to create a class that implements GrantedAuthoritiesMapper in order to map the JWT roles to authorities in Spring Boot.
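The following is an added example of what that mapping looks like for the Spring Boot 2.7 application (app2) described in the question; it is not code from the question or the answer. It assumes the standard Keycloak claim layout (realm roles under `realm_access.roles`, client roles under `resource_access.<client-id>.roles`) and that Spring Security's `oauth2Login` is in use. The client id `client1`, the role names `ADMIN` and `APP_USER`, and the URL patterns are placeholders. The point it demonstrates is the one the answer makes: Keycloak issues a token to any authenticated user of the realm, so keeping user1 out of app2 only happens once the application itself turns the token's roles into authorities and then requires them on its routes.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class KeycloakRoleMappingConfig {

    // Placeholder: must match the Keycloak client id this application logs in with.
    private static final String CLIENT_ID = "client1";

    // Maps Keycloak role claims to Spring authorities. Without this, the user has
    // only OIDC_USER / SCOPE_* authorities and any hasRole() check would fail for
    // everyone (or, if no check exists, pass for everyone, as in the question).
    @Bean
    public GrantedAuthoritiesMapper keycloakAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    // Keycloak's default role mappers may put roles in the userinfo
                    // response rather than the ID token, so look at both.
                    Map<String, Object> claims = new HashMap<>(oidc.getIdToken().getClaims());
                    if (oidc.getUserInfo() != null) {
                        claims.putAll(oidc.getUserInfo().getClaims());
                    }
                    mapped.addAll(extractRoles(claims));
                }
            }
            return mapped;
        };
    }

    // Pulls realm roles and this client's roles out of the claim map and prefixes
    // them with ROLE_, which is what hasRole("X") checks for.
    @SuppressWarnings("unchecked")
    static Set<GrantedAuthority> extractRoles(Map<String, Object> claims) {
        Set<GrantedAuthority> roles = new HashSet<>();

        Map<String, Object> realmAccess = (Map<String, Object>) claims.get("realm_access");
        if (realmAccess != null) {
            addRoles(roles, (Collection<String>) realmAccess.get("roles"));
        }

        Map<String, Object> resourceAccess = (Map<String, Object>) claims.get("resource_access");
        if (resourceAccess != null) {
            // Only this client's roles are trusted; roles granted for another client
            // (e.g. an admin role on client2) must not leak into this application.
            Map<String, Object> client = (Map<String, Object>) resourceAccess.get(CLIENT_ID);
            if (client != null) {
                addRoles(roles, (Collection<String>) client.get("roles"));
            }
        }
        return roles;
    }

    private static void addRoles(Set<GrantedAuthority> target, Collection<String> names) {
        if (names == null) {
            return;
        }
        for (String name : names) {
            target.add(new SimpleGrantedAuthority("ROLE_" + name.toUpperCase()));
        }
    }

    // The enforcement step: every request needs a role that only this client's
    // users carry, so a user who can authenticate but has no role here gets 403.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().hasRole("APP_USER"))
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo
                    .userAuthoritiesMapper(keycloakAuthoritiesMapper())));
        return http.build();
    }
}
```

Two things to check when this does not behave as expected: first, which token actually carries the roles (the Keycloak role mappers under the "roles" client scope decide whether roles go into the ID token, the access token and/or the userinfo response, and the login flow above only sees the ID token and userinfo); second, that the role named in `hasRole` is assigned to the group (group1 or group2) rather than only defined on the client, since a defined-but-unassigned role never appears in any token.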