I have a RESTful Spring Boot app with basic auth. I want to integrate Keycloak and change auth to OAuth2 with a JWT token (from Keycloak). So I have doubts about how to do it: with the help of an OAuth2 resource server (but I want my own forms for login and registration), the Keycloak admin client, or the Keycloak REST API?
This is my WebSecurityConfig.java:
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.Locale;

import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.support.ResourceBundleMessageSource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.servlet.LocaleResolver;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
import org.springframework.web.servlet.i18n.SessionLocaleResolver;

// CustomerRole, CustomerRepository and CustomerService are the application's own classes
// (their package is not shown in the question).

@Configuration
@EnableWebSecurity
public class WebSecurityConfig implements WebMvcConfigurer {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(request -> request
                .requestMatchers("/webhook").permitAll()
                .requestMatchers("/swagger-ui/**").permitAll()
                .requestMatchers("/api-docs/**").permitAll()
                .requestMatchers("/").permitAll()
                .requestMatchers("/home").permitAll()
                .requestMatchers("/products").permitAll()
                .requestMatchers("/products_html").permitAll()
                .requestMatchers("/confirm-email").permitAll()
                .requestMatchers("/register").permitAll()
                .requestMatchers("/login").permitAll()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                // hasRole("ADMIN") matches the authority "ROLE_ADMIN" on the principal
                .requestMatchers("/admin/**").hasRole(String.valueOf(CustomerRole.ADMIN))
                .requestMatchers("/subscriptions/**").authenticated()
                .requestMatchers("/customers/**").authenticated()
                .requestMatchers("/profile").authenticated()
                .requestMatchers("/profile/**").authenticated()
                .anyRequest().authenticated());
        // HTTP Basic and form login are both enabled; CSRF and X-Frame-Options are switched off
        http.httpBasic(withDefaults())
                .csrf(AbstractHttpConfigurer::disable)
                .headers(c -> c
                        .frameOptions()
                        .disable());
        http.formLogin()
                .loginPage("/login")
                .usernameParameter("email")
                .passwordParameter("password")
                .defaultSuccessUrl("/", true)
                .failureUrl("/login?error")
                .permitAll()
                .and()
                .logout()
                .logoutUrl("/logout");
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Loads users from the application's own customer table by e-mail address
    @Bean
    public UserDetailsService userDetailsService(CustomerRepository customerRepository, CustomerService mapper) {
        return email -> customerRepository.findByEmailIgnoreCase(email)
                .map(mapper::toUserDetails)
                .orElseThrow(() -> new UsernameNotFoundException(email + " not found"));
    }

    @Bean
    public LocaleResolver localeResolver() {
        SessionLocaleResolver localeResolver = new SessionLocaleResolver();
        localeResolver.setDefaultLocale(Locale.US);
        return localeResolver;
    }

    @Bean
    public LocaleChangeInterceptor localeChangeInterceptor() {
        LocaleChangeInterceptor interceptor = new LocaleChangeInterceptor();
        interceptor.setParamName("lang");
        return interceptor;
    }

    @Bean(name = "messageSource")
    public ResourceBundleMessageSource bundleMessageSource() {
        ResourceBundleMessageSource messageSource = new ResourceBundleMessageSource();
        messageSource.setBasename("messages");
        messageSource.setDefaultEncoding("UTF-8");
        return messageSource;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(localeChangeInterceptor());
    }
}
You just don't write identification forms in your app. This is not how the authorization_code flow works.
What you can do is style the UI exposed by your authorisation server to users. For Keycloak, this is documented there.