I deployed a Standalone Keycloak (KC) server and I developed one API that acts as a resource server (it is not supposed to handle login/registration of users etc.) with Spring Boot. I want this API to be secured with KC JWT tokens. I expect every user coming has already obtained a JWT token. To the security configuration of my API I added the following setting: spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8180/auth/realms/<REALM_NAME>.

Everything works as expected, my API is able to allow only authenticated and authorized users to call the endpoints. However, I have the following question:

As my configuration is right now, anyone who receives a token from my KC server and knows the issuer-uri can build another API and do her/his own stuff. How is it possible to restrict the KC server so that it is used only by APIs that I allow? E.g.: my API should provide a client_name and a client-secret before it is allowed to verify a token with the issuer.

I am using spring-boot-starter-oauth2-resource-server to configure OAuth2 instead of the one that Keycloak provides. I am running Spring Boot 2.4, Spring Security 5 and Keycloak 12.0.4.

vgm
  • This is what OAuth 2.0 Clients are for. Clients authenticate to the authorization server and are granted tokens. Then, clients present those tokens to your resource server. How do clients to your resource server first obtain their token? – jzheaux Mar 29 '21 at 18:56
  • Via a keycloak client. The main issue is how to restrict KC to accept requests only from specific IP addresses, so that not everyone with the issuer-uri is able to validate tokens if they are not in the specified IPs? – vgm Mar 29 '21 at 22:39
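Keycloak's JWT signing keys are published on purpose, so the issuer-uri cannot be kept secret; the control a resource server actually relies on is the token's aud claim. The following is an added example (not code from the question or from the Spring/Keycloak projects) showing how a Spring Security 5 resource server rejects tokens that were not issued for it. It assumes the API is registered in Keycloak as a client with id my-api and that an "Audience" protocol mapper adds my-api to the aud claim of tokens issued to allowed clients.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtAudienceConfig {

    // Assumed Keycloak client id of this API; tokens whose "aud" lacks it are rejected.
    private static final String REQUIRED_AUDIENCE = "my-api";

    // Same property the question already sets, e.g.
    // http://localhost:8180/auth/realms/<REALM_NAME>
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Bean
    public JwtDecoder jwtDecoder() {
        // Discovers the JWK set from the issuer, exactly as the auto-configuration does.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(issuerUri);

        // Keep the default checks (signature handled by the decoder; exp/nbf and "iss"
        // by this validator) and add the audience check on top.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience =
                new DelegatingOAuth2TokenValidator<>(withIssuer, new AudienceValidator());
        decoder.setJwtValidator(withAudience);
        return decoder;
    }

    // Fails validation unless the token was minted for this API.
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private static final OAuth2Error MISSING_AUD =
                new OAuth2Error("invalid_token", "Token is not intended for " + REQUIRED_AUDIENCE, null);

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            return jwt.getAudience().contains(REQUIRED_AUDIENCE)
                    ? OAuth2TokenValidatorResult.success()
                    : OAuth2TokenValidatorResult.failure(MISSING_AUD);
        }
    }
}
```

A token obtained by a different Keycloak client that does not carry my-api in aud is then answered with 401 and a WWW-Authenticate header naming invalid_token, which is the practical way to scope tokens to the APIs you allow without trying to hide the issuer.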

0 Answers