Granted Authorities from an endpoint?

[david-randoll]

I've been using spring-addons and it's been great. Recently, I have been implementing permissions based authentication and so far @PreAuthorize and permissions all works okay.

However, as more roles are being added the token is now too big for the request headers. I have increased the max headers size a few times but was wondering if there is an alternative solution.

From a few research, I've seen on the keycloak forem they recommended excluding the claims from the JWT token and instead getting them to the User info endpoint.

How can I get the roles from the user info and convert them into granted Authorities? Is it as simple as passing the hashmap to the OpenIdClaimSet constructor?

@Configuration
@EnableMethodSecurity
public static class SecurityConfig {
    @Bean
    Converter<Jwt, OAuthentication<OpenidClaimSet>> authenticationFactory(Converter<Map<String, Object>, Collection<? extends GrantedAuthority>> authoritiesConverter) {
        return jwt -> new OAuthentication<>(new OpenidClaimSet(jwt.getClaims()),
                authoritiesConverter.convert(jwt.getClaims()), jwt.getTokenValue());
    }
}

[ch4mpy]

Hi @david-randoll !

I'm glad to read that spring-addons is useful to you ;)

As a preamble, the best option is probably to find a way to keep the tokens small enough to avoid that roundtrip to the authorization server: it will add some latency to the requests and some extra load on the authorization server (you could use some caching, but still, these is quite some resources wasting). As it is pretty rare to need hundreds of roles for a single client, an option I'd recommend to evaluate is to limit the usage of "realm" roles as much as possible and favor the usage of "client" roles. With correct client roles mappers, you could probably seriously reduce tokens size.

That said, yes you can use whatever you like as authorities source, even a database or web-service call, when converting a Jwt into an Authentication. With spring-addons-starter-oidc, it is as simple as exposing a ClaimSetAuthoritiesConverter bean. This bean will be injected as authoritiesConverter to the authenticationFactory in your question (or to the default authentication factory if you're just fine with JwtAuthenticationToken).

If you want access to the raw token string to call the userinfo endpoint, you could consider overriding the JwtAbstractAuthenticationTokenConverter bean (or to just change the body of your authenticationFactory) instead of overriding the default ClaimSetAuthoritiesConverter. But as the answer from userinfo endpoint contains much more than what you need, calling the right role-mapper endpoint is probably a better idea and the authorities converter is just enough for that (search for an exact match for GET /admin/realms/{realm}/users/{user-id}/role-mappings in Keycloak admin REST API doc).

To write your own authorities converter, you may get some inspiration from the PersistedGrantedAuthoritiesRetriever in the webmvc-jwt-default-jpa-authorities sample.

You'll probably end with something like that (exposing such a bean would be just enough with spring-addons):

@Component
public class RemoteGrantedAuthoritiesRetriever implements ClaimSetAuthoritiesConverter {
    private final KeycloakAdminApi keycloak;
    private final String keycloakRealm;

    public RemoteGrantedAuthoritiesRetriever(KeycloakAdminApi keycloak, @Value("${keycloak-realm}") String keycloakRealm) {
        this.keycloak = keycloak;
        this.keycloakRealm = keycloakRealm;
    }

    @Override
    @Cacheable
    public Set<GrantedAuthority> convert(@NonNull Map<String, Object> claims) {
        final var userRoleMappings = keycloak.getUserRoleMappings(keycloakRealm, (String) claims.get(JwtClaimNames.SUB));
        // see https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#MappingsRepresentation
        final var realmRoles = ((List<Map<String, Object>>) userRoleMappings.get("realmMappings")).stream();
        final var clientsRoles = ((Map<String, List<Map<String, Object>>>) userRoleMappings.get("clientMappings")).values().stream().flatMap(List::stream);

        return Stream.concat(realmRoles, clientsRoles).map(role -> (String) role.get("name")).map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
    }
}

With:

@HttpExchange(accept = MediaType.APPLICATION_JSON_VALUE)
public interface KeycloakAdminApi {

    @GetExchange(url = "/admin/realms/{realm}/users/{user-id}/role-mappings")
    Map<String, Object> getUserRoleMappings(@PathVariable(name = "realm") String realm, @PathVariable(name = "user-id") String userId);
}

You can of course use your favorite REST client as usual to send the query, but you could also have a look at the new "magically generated" @HttpExchange proxies (no need to write the implementation of the interface above, Spring does it for you), with maybe the "experimental" spring-addons-starter-rest: you'll probably need a token issued with client credentials to authorize such a request.

Again, think twice before implementing such a solution. It would be preferable to remove some fat from tokens rather than adding a roundtrip to the authorization server. For that, you could be using client roles, or smarter Keycloak mappers, or whatever (hard to tell without knowing your system internals).

[david-randoll]

Hi @ch4mpy

Thank you very much for answering my question. Using your answer, I was able to do the below to get it working. I wasn't sure if there was a better way to get the bearer token than through the HttpServletRequest.

I did check out what you did with the HttpExchange. I love how you made it simple to create the HttpServiceProxyFactory. I had done something similar to what you did but only with the default bearer provider (from SecurityContextHolder). I'll be swapping out mine for yours as yours has other providers that are very useful.

Once again, thank you very much. This project has been very helpful.

@Slf4j
@Primary
@Component
@RequiredArgsConstructor
@Conditional(UseRemoteAuthorities.class)
public class RemoteGrantedAuthoritiesRetriever implements ClaimSetAuthoritiesConverter {
    private final KeycloakApi keycloakApi;
    private final HttpServletRequest request;

    private String getBearerToken() {
        return request.getHeader("Authorization");
    }

    @Override
    public Set<GrantedAuthority> convert(@NonNull Map<String, Object> claims) {
        log.debug("Retrieving authorities from Keycloak...");
        String realm = AuthUtils.getRealm(claims);
        var token = getBearerToken();
        UserInfoResponse userInfo = keycloakApi.getUserInfo(realm, token);
        if (ObjectUtils.isEmpty(userInfo) || ObjectUtils.isEmpty(userInfo.getRealmAccess())) return Set.of();
        Set<String> realmRoles = userInfo.getRealmAccess().getRoles();
        if (ObjectUtils.isEmpty(realmRoles)) return Set.of();
        log.debug("Done retrieving authorities from Keycloak");
        return realmRoles.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
    }
}

public interface KeycloakApi {
    @GetExchange("/realms/{realmName}/protocol/openid-connect/userinfo")
    UserInfoResponse getUserInfo(@PathVariable(name = "realmName") String realmName, @RequestHeader("Authorization") CharSequence bearerToken);
}
``