@TheDevWorldbySergioLema I see, but wouldn't it be better to configure the API gateway as a resource server and there provide the configuration to secure some of the services? It seems to be the best solution if Spring Cloud API Gateway is the entry point.
Hey Sergio, thanks for a great tutorial. I've been looking for one covering both a backend and frontend connected to Keycloak. I was wondering how you would implement a redirect when logging out? As of this tutorial the logout button works, but it doesn't take you back to the index page. I've been trying to use your solution for the signin callback, but with no luck. How would you implement the callback for logout?
Hi Rekishi, thanks for your interest. I didn't try the logout, but it's a good question. Did you check the settings of the frontend oidc-client library, post_logout_redirect_uri (github.com/IdentityModel/oidc-client-js/wiki)? Maybe just adding this configuration when creating the frontend client is enough. If that's the case, let me know your feedback.
@TheDevWorldbySergioLema Thanks for the quick reply. I managed to solve it for now by adding the "post_logout_redirect_uri:" field to the settings when creating the UserManager, then setting the same URL in Keycloak and copying your signin-callback.html page and remaking it to use "signoutRedirectCallback()".
How do you allow POST requests using this Keycloak flow? I am always getting back a missing CSRF token error. Any idea how to configure this or to disable CSRF?
To allow the POST requests, make sure to allow CORS in the application.yml of the Gateway. About the CSRF, I didn't do anything particular, it was disabled by default.
Hi, it seems that in this scenario the role of the cloud gateway API is just to convey the request to the different resource server (backend resources) endpoints? It has no contribution to the security. Here the first line of action takes place with the user requesting the React frontend, which redirects the user to the Keycloak login page if the user is not logged in? There are some scenarios where the cloud gateway is a part of the security and is the first line of action, and it's called BFF (backend for frontend), if I am not mistaken. Is that right?
Yes, in this scenario the backend is acting as a BFF, you're right. The security is split between the frontend (as the client server) and the private backend (as the resource server). The API gateway is only there to redirect the requests.
Thanks for the video. However, I have a question. Is there a way to log in to Keycloak without redirecting to the Keycloak login page? I have a custom login screen in my ReactJS app and I want to make use of it instead.
Agree, I think the resource server brings us too much overhead, given that in reality the microservices hide behind the gateway and the frontend cannot access them directly. So I would like to see a solution where we only parse the token once in the gateway via some filter, and then pass the resolved userId to the microservices through some HTTP header (not the token; this way we don't need to set up each and every microservice as a resource server).
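One way to build the setup this comment asks for, as an added example that is not code from the video or from the commenter: a Spring Cloud Gateway GlobalFilter that runs once the gateway (configured as an OAuth2 resource server with the Keycloak issuer-uri, an assumption of this example) has validated the JWT, and forwards only the token's subject to the microservices in an `X-User-Id` header. The package name, the header name and the class name are hypothetical.

```java
// Added example, not from the video or its author. Assumes the gateway has
// spring-boot-starter-oauth2-resource-server on the classpath and
// spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the Keycloak realm,
// so that exchange.getPrincipal() yields a JwtAuthenticationToken for a validated token.
package com.example.gateway; // hypothetical package

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpHeaders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class UserIdHeaderFilter implements GlobalFilter, Ordered {

    // Hypothetical header name agreed with the microservices.
    static final String USER_ID_HEADER = "X-User-Id";

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        return exchange.getPrincipal()
                .filter(JwtAuthenticationToken.class::isInstance)
                .cast(JwtAuthenticationToken.class)
                .map(auth -> auth.getToken().getSubject())
                .map(subject -> withUserId(exchange, subject))
                // No authenticated principal (e.g. a public route): still strip the
                // header, so a caller can never inject its own X-User-Id.
                .defaultIfEmpty(withoutUserId(exchange))
                .flatMap(chain::filter);
    }

    private static ServerWebExchange withUserId(ServerWebExchange exchange, String subject) {
        return exchange.mutate()
                .request(r -> r.headers(h -> {
                    h.remove(USER_ID_HEADER);            // never trust a client-supplied value
                    h.set(USER_ID_HEADER, subject);      // subject taken from the validated token
                    h.remove(HttpHeaders.AUTHORIZATION); // the token stays at the edge
                }))
                .build();
    }

    private static ServerWebExchange withoutUserId(ServerWebExchange exchange) {
        return exchange.mutate()
                .request(r -> r.headers(h -> h.remove(USER_ID_HEADER)))
                .build();
    }

    @Override
    public int getOrder() {
        // Any order works: Spring Security's WebFilter chain has already run before
        // the gateway's global filters, so the principal is populated.
        return Ordered.LOWEST_PRECEDENCE;
    }
}
```

The important caveat is that the microservices now trust `X-User-Id` unconditionally, so this only holds if they are reachable exclusively through the gateway (private network, service mesh policy or similar). Anything that can open a connection to a microservice directly can set that header to any value, which is exactly the check the per-service resource server configuration would otherwise have performed.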
Great video. It helped me a lot. We are planning to use the Spring 3.1 Authorization Server. I am trying to use the React code to connect to the Spring Auth server. The login screen is coming and the login is successful, but in the end I am getting the following error in signin-callback.html: No matching state found in storage. Could you please tell me how to fix this issue? With Keycloak it is fine. Thanks
Thank you Rajeev. I've been looking around and found this information (github.com/IdentityModel/oidc-client-js/issues/1044). It seems to be the cookies.
Do you use the Spring Cloud API Gateway? Or directly Spring Security? If you use Spring Security, check this other video where I configure CORS: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-phs90_s0Mjk.html
Hi! I have a doubt. I have a web site that must access a protected API. I have a Spring Cloud gateway and some microservices, and here I implemented the authorization based on roles. Now I followed the way of registering the Gateway as a confidential client on Keycloak and storing in it the client_id and secret_id. I was wondering if this way was better and what the differences were. Thanks
Using the authentication with Keycloak is very useful if you have many different applications (clients) which need this same authentication. If you only have one application (client), maybe putting all the authentication logic inside may reduce the complexity. But using Keycloak is using a strong authentication system, OAuth2, which has been tested for many years. Using your own authentication system means that you must take care of the security breaches. What do I recommend? It depends on you (and your team):
* if you need the same authentication system for many applications -> use Keycloak
* if you don't know much about security breaches or authentication systems -> use Keycloak
* otherwise -> use a simple authentication system inside your already existing application
Hope this will help you
It's not mandatory. You can leave the value as profile, name, email or openid. It says what kind of information you want to fetch from the user's profile.
Could the gateway also be a resource server so it can validate tokens? In my case I get a CORS error: Missing allow origin header in preflight request. I already tried several ways to enable CORS with no luck.
Yes, someone already told me about this alternative. I will try to make another video with this solution. About the CORS problem, you must configure it in both the API gateway and Keycloak. Try with different browsers (sometimes they act differently).
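For the CORS question raised twice in this thread (the POST requests failing until CORS is allowed in the Gateway, and the "Missing allow origin header in preflight request" error just above), here is the Java-config equivalent of the application.yml CORS setting the author refers to. This is an added example, not code from the video: the package name is hypothetical and the origin `http://localhost:3000` is a constructed value standing in for the real address of the React frontend. The same origin also has to be listed under the Keycloak client's Web Origins, which is the Keycloak half of the author's answer.

```java
// Added example, not from the video or its author. Registers a CorsWebFilter on a
// Spring Cloud Gateway (reactive stack). Use either this bean or the
// spring.cloud.gateway.globalcors section of application.yml, not both, or the
// browser will see duplicated Access-Control-Allow-Origin headers and reject them.
package com.example.gateway; // hypothetical package

import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

@Configuration
public class GatewayCorsConfig {

    // Constructed value: the origin the React dev server is served from.
    private static final String FRONTEND_ORIGIN = "http://localhost:3000";

    @Bean
    public CorsWebFilter corsWebFilter() {
        CorsConfiguration cors = new CorsConfiguration();
        // An exact origin rather than "*": the wildcard cannot be combined with
        // credentials, and listing the origin keeps the allow-list reviewable.
        cors.setAllowedOrigins(List.of(FRONTEND_ORIGIN));
        // OPTIONS must be allowed, that is the preflight the error message is about.
        cors.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // The frontend sends the bearer token in Authorization; the preflight must see
        // that header allowed or the browser never issues the real POST.
        cors.setAllowedHeaders(List.of(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE));
        // Only needed if cookies or HTTP auth are used cross-origin; with a bearer
        // token in the Authorization header this can stay false (the default).
        cors.setAllowCredentials(false);
        // Cache the preflight result for an hour to cut down on OPTIONS round trips.
        cors.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return new CorsWebFilter(source);
    }
}
```

A quick way to confirm the gateway side is to send an OPTIONS request with `Origin: http://localhost:3000` and `Access-Control-Request-Method: POST` headers and check that the response carries `Access-Control-Allow-Origin` with that exact origin; if it does but the browser still fails, the remaining problem is on the Keycloak client's Web Origins setting.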
@TheDevWorldbySergioLema Thank you, I have a last question. You have installed the Keycloak legacy version. Would it be a problem if we use the release version?
@TheDevWorldbySergioLema Like, logout was working but it was not redirecting back to the app. I had to set the post logout redirect URL and it worked. Thanks for the video.
Yes, that's the goal of an SSO: you use Keycloak just to sign in, not to register. If you want to register the users in your application and manage their accounts, it's another authentication system you need.
Some parts need more explanations, some parts are just coding. I explain what I'm doing while I'm doing it, in a more dynamic way than just talking in front of a screen for 5 minutes. I'm sorry, but that's my way of doing videos.
@TheDevWorldbySergioLema The Keycloak documentation is terrible and I've wasted weeks trying to figure out how to integrate a Rails API with a React frontend with Keycloak. One of the worst documented projects I've ever seen.