Hey, I'm quite new to Keycloak and not very deep into OAuth2 and Spring Security yet. I found out so far that I can e.g. work with the JwtAuthenticationToken and receive the user ID via the token attribute "sub".
Is there a more elegant way to access the user ID? I would prefer to work with the annotation PreAuthorize or some other elegant mechanism, but was not able to use the "who" parameter for those like in…
…where I had injected a service to do the matching of the sub in Any hints on how more experienced users would handle such a case elegantly (instead of making a comparison in every mapping method and e.g. throwing an exception on user ID mismatch)?
Replies: 1 comment 1 reply
Few things to note:
The subject (sub claim) is unique for a given authorization server and is rarely shared across authorization servers. This means that a user is very likely to have several subjects in multi-tenant environments (several Keycloak realms or identities served by several OpenID Providers like in most of this repo's samples). You can use the Keycloak subject as an identifier in your Spring application if and only if you are using a single Keycloak realm and will use it forever. Switching to another OP would probably be hell as it won't know about Keycloak subjects. Using a domain identifier in the Spring application is probably a better idea (something like an e-mail, a client…
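One way to put the reply's advice into practice, as an added example that is not code from the original discussion or from this repo: key the application's own user record on the pair (iss, sub) rather than on sub alone, resolve that pair to a domain user id in one place, and expose the check as a bean that @PreAuthorize can call, so no mapping method has to compare subjects itself. It assumes a Spring Boot 3 / Spring Security 6 resource server whose JWT decoding is already configured; the bean names, the DomainUserDirectory lookup, its sample entries and the /users/{userId}/profile and /me endpoints are all hypothetical.

```java
// Added example, not from the original discussion or this repository.
// Assumes a Spring Security 6 resource server with JWT decoding already set up.
// DomainUserDirectory, "userAccess", the sample ids and the endpoints are hypothetical.
import java.net.URL;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

/** Key that stays unique across authorization servers: the (iss, sub) pair, not sub alone. */
record SubjectKey(String issuer, String subject) {
    static SubjectKey of(Jwt jwt) {
        URL iss = jwt.getIssuer();
        String sub = jwt.getSubject();
        if (iss == null || sub == null) {
            throw new IllegalArgumentException("JWT lacks an iss or sub claim");
        }
        return new SubjectKey(iss.toString(), sub);
    }
}

/** Hypothetical directory mapping (iss, sub) to the application's own user id; a DB table in real life. */
@Component
class DomainUserDirectory {
    // Constructed sample data: one person known under two Keycloak realms resolves to a single domain id.
    private final Map<SubjectKey, String> byKey = new ConcurrentHashMap<>(Map.of(
        new SubjectKey("https://keycloak.example/realms/realm-a", "3f2c8d1a-6b4e-4f9a-9c7d-1a2b3c4d5e6f"), "user-42",
        new SubjectKey("https://keycloak.example/realms/realm-b", "9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b"), "user-42"));

    Optional<String> domainUserId(SubjectKey key) {
        return Optional.ofNullable(byKey.get(key));
    }
}

/** Referenced from SpEL as @userAccess; the only place the caller's identity is compared. */
@Component("userAccess")
class UserAccess {
    private final DomainUserDirectory directory;

    UserAccess(DomainUserDirectory directory) {
        this.directory = directory;
    }

    /** True only when the caller's (iss, sub) resolves to the requested domain user id. */
    public boolean isSelf(String requestedUserId, Authentication auth) {
        if (!(auth instanceof JwtAuthenticationToken jwtAuth)) {
            return false; // anonymous or non-JWT caller: deny, never throw from an authorization check
        }
        return directory.domainUserId(SubjectKey.of(jwtAuth.getToken()))
                .map(requestedUserId::equals)
                .orElse(false); // unknown subject: deny rather than fall back to the raw sub
    }
}

@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

@RestController
class UserController {
    private final DomainUserDirectory directory;

    UserController(DomainUserDirectory directory) {
        this.directory = directory;
    }

    /** Callers may only read their own profile; the check lives in the annotation, not in the method body. */
    @GetMapping("/users/{userId}/profile")
    @PreAuthorize("@userAccess.isSelf(#userId, authentication)")
    public String profile(@PathVariable String userId) {
        return "profile of " + userId;
    }

    /** Resolves "who am I" once, returning the domain id instead of the provider-specific sub. */
    @GetMapping("/me")
    public String me(JwtAuthenticationToken auth) {
        return directory.domainUserId(SubjectKey.of(auth.getToken()))
                .orElseThrow(() -> new IllegalStateException("token subject is not linked to a domain user"));
    }
}
```

The `#userId` reference in the SpEL expression relies on parameter names being retained at compile time (Spring Boot's build plugins pass `-parameters` by default; otherwise annotate the argument with `@P("userId")`). Because the lookup is keyed on issuer and subject together, adding a second realm or migrating to another OpenID Provider only means inserting new rows into the directory, and no controller code changes.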