I'm building a Spring Boot application with microservices, Keycloak for security and an Angular front end. After dockerizing the app with docker-compose, every request that requires authorization responds with an "unauthorized" response.
# product-service runtime configuration. Every ${VAR:default} value is overridden by the
# environment variable of the same name that docker-compose sets on the container
# (DATABASE_SERVICE_URL, DISCOVERY_SERVICE_URL, KEYCLOAK_SERVICE_URL_REALM, KEYCLOAK_SERVICE_URL_CERTS).
spring.application.name=product-service
server.port=8086
spring.datasource.url=${DATABASE_SERVICE_URL:jdbc:postgresql://localhost:5432/productdb}
spring.datasource.username=gestion_bien_user
# NOTE(review): plaintext database credential kept with the config; prefer an environment
# variable or a secret so it does not travel with the image/repository.
spring.datasource.password=root
spring.jpa.hibernate.ddl-auto=update
spring.cloud.discovery.enabled=true
eureka.instance.prefer-ip-address=false
eureka.client.service-url.defaultZone=${DISCOVERY_SERVICE_URL:http://localhost:8761/eureka}
spring.jpa.properties.hibernate.jdbc.time_zone = Africa/Casablanca
# With both issuer-uri and jwk-set-uri set, Spring's resource server fetches the signing keys from
# jwk-set-uri and validates each token's `iss` claim by exact string comparison against issuer-uri.
# The realm's discovery document advertises the issuer as http://localhost:8080/realms/gestion_bien,
# so tokens obtained through localhost (Angular, Postman) carry that value; inside compose this
# property becomes http://keycloak-service:8080/realms/gestion_bien, a different string, so every
# such token fails issuer validation and authenticated routes answer 401. issuer-uri must equal the
# issuer Keycloak writes into the tokens (alternatively pin Keycloak's public hostname via KC_HOSTNAME
# so both sides agree); only jwk-set-uri needs the container-reachable host.
spring.security.oauth2.resourceserver.jwt.issuer-uri=${KEYCLOAK_SERVICE_URL_REALM:http://localhost:8890/realms/gestion_bien}
# The local default points at port 8890 while docker-compose publishes Keycloak on 8080; the defaults
# only matter when the service runs outside compose without the env variables.
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${KEYCLOAK_SERVICE_URL_CERTS:http://localhost:8890/realms/gestion_bien/protocol/openid-connect/certs}
here is the security configuration class:
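@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
public class SecurityConfig {

    /** Turns an accepted JWT into the Authentication used by method security; constructor-injected. */
    private final JwtAuthConverter jwtAuthConverter;

    /**
     * Creates the security configuration.
     *
     * @param jwtAuthConverter converter applied to every validated bearer token
     */
    public SecurityConfig(JwtAuthConverter jwtAuthConverter) {
        this.jwtAuthConverter = jwtAuthConverter;
    }

    /**
     * Builds the single security filter chain of this service: stateless bearer-token (JWT)
     * resource server with CORS enabled and CSRF disabled.
     *
     * <p>Token validation itself (signature keys from {@code jwk-set-uri}, exact match of the
     * {@code iss} claim against {@code issuer-uri}) comes from the
     * {@code spring.security.oauth2.resourceserver.jwt.*} properties. A 401 on an
     * authenticated route therefore normally means that validation failed, e.g. the token's
     * issuer string differs from the configured {@code issuer-uri}.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                // Picks up the CorsConfigurationSource bean declared below.
                .cors(Customizer.withDefaults())
                // Bearer-token API: no HTTP session is created or consulted.
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // CSRF only protects cookie/session-based auth, which is switched off above.
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(ar -> ar
                        // These paths need no token at all ("/product/bs/**" is already covered by
                        // "/product/**"). A request to them that carries an invalid bearer token is
                        // still rejected with 401 by the bearer-token filter, which runs before
                        // authorization.
                        .requestMatchers("/stag/**", "/product", "/product/**", "/product/bs/**").permitAll()
                        .anyRequest().authenticated())
                .oauth2ResourceServer(ors -> ors.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthConverter)))
                .build();
    }

    /**
     * CORS policy registered for every path.
     *
     * <p>Wildcards everywhere: any origin may call any method with any header, and all response
     * headers are exposed. Credentials are not allowed, so browsers will not attach cookies, but
     * this is still a development-only policy; restrict {@code allowedOrigins} to the Angular
     * origin before exposing the service.
     *
     * @return the source consulted by the CORS filter
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.setExposedHeaders(Arrays.asList("*"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}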
and here are the Keycloak service and my application services from the docker-compose file:
services:
# Keycloak in dev mode (start-dev), plain HTTP, strict-HTTPS off: acceptable for local compose only.
# NOTE(review): no KC_HOSTNAME is set; in dev mode Keycloak appears to derive the token issuer from the
# host the client used (http://localhost:8080/... from the browser/Postman, as the realm's discovery
# document shows), which is not the http://keycloak-service:8080/... URL handed to the services below.
keycloak-service:
image: quay.io/keycloak/keycloak:23.0.3
command: start-dev
environment:
KC_DB: postgres
KC_DB_URL_HOST: postgres_db
KC_DB_URL_DATABASE: keycloak
KC_DB_USERNAME: keycloak
# NOTE(review): DB and admin credentials are literal defaults committed in the compose file;
# inject them from an env file or secrets.
KC_DB_PASSWORD: password
KC_HTTP_ENABLED: "true"
KC_HOSTNAME_STRICT_HTTPS: "false"
KC_DB_SCHEMA: public
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
ports:
- "8080:8080"
expose:
- "8080"
depends_on:
postgres_db:
condition: service_healthy
networks:
gestion-bien-network:
gestion-bien-bien-service:
build: ./bien-service
container_name: gestion-bien-bien-service
ports:
- "8086:8086"
expose:
- "8086"
environment:
- DATABASE_SERVICE_URL=jdbc:postgresql://gestion-bien-database-service:5432/productdb
- DISCOVERY_SERVICE_URL=http://gestion-bien-discovery-service:8761/eureka
# KEYCLOAK_SERVICE_URL_REALM feeds spring.security.oauth2.resourceserver.jwt.issuer-uri and must equal
# the `iss` claim in the tokens exactly; KEYCLOAK_SERVICE_URL_CERTS feeds jwk-set-uri and only needs to
# be reachable from inside gestion-bien-network.
- KEYCLOAK_SERVICE_URL_REALM=http://keycloak-service:8080/realms/gestion_bien
- KEYCLOAK_SERVICE_URL_CERTS=http://keycloak-service:8080/realms/gestion_bien/protocol/openid-connect/certs
# Neither application service lists keycloak-service in depends_on; presumably the JWK set is fetched
# lazily on the first token, so this affects robustness rather than causing the 401 — verify.
depends_on:
- gestion-bien-discovery-service
- gestion-bien-database-service
- gestion-bien-bon-entre-service
networks:
gestion-bien-network:
gestion-bien-bon-sortie-service:
build: ./bon-sortie-service
container_name: gestion-bien-bon-sortie-service
ports:
- "8082:8082"
expose:
- "8082"
environment:
- DATABASE_SERVICE_URL=jdbc:postgresql://gestion-bien-database-service:5432/exvdb
- DISCOVERY_SERVICE_URL=http://gestion-bien-discovery-service:8761/eureka
# Same issuer/JWKS split as bien-service above.
- KEYCLOAK_SERVICE_URL_REALM=http://keycloak-service:8080/realms/gestion_bien
- KEYCLOAK_SERVICE_URL_CERTS=http://keycloak-service:8080/realms/gestion_bien/protocol/openid-connect/certs
depends_on:
- gestion-bien-discovery-service
- gestion-bien-database-service
- gestion-bien-bien-service
networks:
gestion-bien-network:
networks:
gestion-bien-network:
driver: bridge
volumes:
pgdata:
and this is my realm's OpenID discovery document on Keycloak:
##http://localhost:8080/realms/gestion_bien/.well-known/openid-configuration
{
"issuer": "http://localhost:8080/realms/gestion_bien",
"authorization_endpoint": "http://localhost:8080/realms/gestion_bien/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/realms/gestion_bien/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:8080/realms/gestion_bien/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8080/realms/gestion_bien/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/realms/gestion_bien/protocol/openid-connect/logout",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri": "http://localhost:8080/realms/gestion_bien/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost:8080/realms/gestion_bien/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:openid:params:grant-type:ciba",
"urn:ietf:params:oauth:grant-type:device_code"
],.......
I tried to get a response from my Angular app and from Postman, with no useful results. I guess the problem occurs when the microservices try to fetch the JWK set from Keycloak. Here is one of my application.properties files: