#spring-boot #authentication #keycloak
Question:
I have a JavaScript (jQuery) application that sends API requests to a Spring Boot application that uses the Keycloak Spring Boot adapter.
After a user logs in, let's say that:
1 - All realm sessions are logged out via the Keycloak admin console
2 - The Spring Boot application is restarted
3 - The browser session cookies remain unchanged (from the last login)
When I try to log in to the application again, I get the following exception:
162708 2021-09-14 14:47:10,070 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.PreAuthActionsHandler ?:? - adminRequest https://[my-server]/sso/login?state=60f81726-6bec-470a-90b2-2f62dfb2d2f1&session_state=f4593998-e3cb-444a-94b6-1e53ab77267d&code=85df1b52-246e-4839-9b7a-c481e1e577c2.f4593998-e3cb-444a-94b6-1e53ab77267d.442a440e-6df0-40c7-b8cb-3a52123430a0
162708 2021-09-14 14:47:10,070 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.PreAuthActionsHandler ?:? - checkCorsPreflight https://[my-server]/sso/login?state=60f81726-6bec-470a-90b2-2f62dfb2d2f1&session_state=f4593998-e3cb-444a-94b6-1e53ab77267d&code=85df1b52-246e-4839-9b7a-c481e1e577c2.f4593998-e3cb-444a-94b6-1e53ab77267d.442a440e-6df0-40c7-b8cb-3a52123430a0
162708 2021-09-14 14:47:10,070 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter ?:? - Attempting Keycloak authentication
162708 2021-09-14 14:47:10,070 [ajp-nio-0.0.0.0-8009-exec-1] TRACE org.keycloak.adapters.RequestAuthenticator ?:? - --> authenticate()
162709 2021-09-14 14:47:10,071 [ajp-nio-0.0.0.0-8009-exec-1] TRACE org.keycloak.adapters.RequestAuthenticator ?:? - try bearer
162709 2021-09-14 14:47:10,071 [ajp-nio-0.0.0.0-8009-exec-1] TRACE org.keycloak.adapters.RequestAuthenticator ?:? - try query parameter auth
162709 2021-09-14 14:47:10,071 [ajp-nio-0.0.0.0-8009-exec-1] TRACE org.keycloak.adapters.RequestAuthenticator ?:? - try oauth
162709 2021-09-14 14:47:10,071 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.springsecurity.token.SpringSecurityTokenStore ?:? - Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@bd9ec13 is cached
162709 2021-09-14 14:47:10,071 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.OAuthRequestAuthenticator ?:? - there was a code, resolving
162709 2021-09-14 14:47:10,071 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.OAuthRequestAuthenticator ?:? - checking state cookie for after code
162709 2021-09-14 14:47:10,071 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.OAuthRequestAuthenticator ?:? - ** reseting application state cookie
162727 2021-09-14 14:47:10,089 [ajp-nio-0.0.0.0-8009-exec-1] ERROR org.keycloak.adapters.OAuthRequestAuthenticator ?:? - failed to turn code into token
162727 2021-09-14 14:47:10,089 [ajp-nio-0.0.0.0-8009-exec-1] ERROR org.keycloak.adapters.OAuthRequestAuthenticator ?:? - status from server: 400
162728 2021-09-14 14:47:10,090 [ajp-nio-0.0.0.0-8009-exec-1] ERROR org.keycloak.adapters.OAuthRequestAuthenticator ?:? - {"error":"invalid_grant","error_description":"Code not valid"}
162728 2021-09-14 14:47:10,090 [ajp-nio-0.0.0.0-8009-exec-1] DEBUG org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter ?:? - Auth outcome: FAILED
162740 2021-09-14 14:47:10,102 [ajp-nio-0.0.0.0-8009-exec-1] TRACE org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter ?:? - Failed to process authentication request
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
    at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:162)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:222)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
    at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:96)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
    at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
This is what I get in Fiddler:
This is my configuration:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // When using authenticated() instead of hasRole() the authentication flow
        // returns a 401:Unauthenticated
        http
            .authorizeRequests()
            .antMatchers(AUTH_CHECK_LIST).hasRole("mcd-role")
            .anyRequest().authenticated();
        // If CSRF is enabled then POST requests return 303:Forbidden
        http.csrf().disable();
        // Allow executing Multipart upload requests
        http.headers().frameOptions().sameOrigin();
    }
Keycloak settings:
keycloak.auth-server-url=https://[my-server]:8543/auth
keycloak.realm=AUTOTEST_PG
keycloak.ssl-required=external
keycloak.resource=mcd-client
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
keycloak.cors=true
Any help is appreciated.