Best way to access the user ID

[mikoet]

Hey,

I'm quiet new to Keycloak and not very deep into OAuth2 and Spring Security, yet.
What I want to achieve is row based filtering of data so that a user can only read, modify and write its own data into database tables.

I found out so far that I can e.g. work with the JwtAuthenticationToken and receive the userID via the token attribute "sub"

@RestController
@RequestMapping("/api/v1/users/{userId}/someentities")
public class SomeEntitiyController
{
	// ...

	// Get one instance of this entity which is always owned by one specific user
	@GetMapping("/{id}")
	public EntityModel<AccountDto> one(
		JwtAuthenticationToken who,
		@PathVariable("userId") UUID userId,
		@PathVariable("id") Long id)
	{
		LOG.info("ID of accessing user is: {}", who.getTokenAttributes().get("sub"));

		final Account account = repository.findByUserIdAndId(userId, id)
			.orElseThrow(() -> new AccountNotFoundException(id));
		return this.assembler.toModel(account);
	}

Is there a more elegant way to access the user ID? I would prefer to work with the annotation PreAuthorize or some other elegant mechanism, but was not able to use the "who" parameter for those like in…

@PreAuthorize("@userIdService.matches(#who, #userId)")

…where I had injected a service to do the matching of the sub in JwtAuthenticationToken who and the path variable userId. I thought I then could use this service in multiple similar entities.

Any hints how more experiences users would handle such a case elegantly (instead of making a comparison in every mapping method and e.g. throwing an exception on user ID mismatch)?

[ch4mpy]

Few things to note:

• The user subject (sub claim) is unique for a given authorization server and is rarely shared across authorization servers. This means that a user is very likely to have several subjects in multi-tenant environments (several Keycloak realms or identities served by several OpenID Providers like in most of this repo samples). You can use Keycloak subject as an identifier in your Spring application if and only if you are using a single Keycloak realm and will use it forever. Switching to another OP would probably be a hell as it won't know about Keycloak subjects. Using a domain identifier in Spring application is probably a better idea (something like an e-mail, a client ID, or whatever).
• An OAuth2 Authentication implementation should contain the claims contained in (JWT) or introspected from an access token. JwtAuthenticationToken::getTokenAttributes exposes just that.
• This repo contains tutorials with "elegant way" to perform access control using access token claims. resource-server_with_specialized_oauthentication for instance configures a custom SpEL DSL for expressions like @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")

[mikoet]

To 1) I see nothing that speaks against using a single Keycloak realm for my application. I need some ID (identifying property) that does not change. I would guess e-mail addresses can change, too, just like usernames. Maybe I get a better understanding of this later.
To 2+3) Alright. That was actually the last sample project I was playing around with, but I wasn't sure if that is the right way to go for me, since an ID seemed so substancial to me. Then I'll do it similar to that example.

Thanks for your answer and the great work on this project.