Spring security Oauth2 Resource Server: InvalidBearerTokenException


I created a Spring Boot backend microservice as an OAuth 2 resource server. In the calling microservice, I get an access token (client_credentials grant_type) from Keycloak and then send it as a Bearer Authorization header. In the called microservice, I get this exception:

InvalidBearerTokenException: org.springframework.security.oauth2.server.resource.InvalidBearerTokenException: 
An error occurred while attempting to decode the Jwt: Malformed token
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(authz ->
                        // prettier-ignore
                        authz.anyRequest().permitAll() // it is already permitAll()
                )
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()).authenticationEntryPoint((request, response, exception) -> {
                    System.out.println("Authentication failed"); // here I set a break point and I get the cause of exception
                    BearerTokenAuthenticationEntryPoint delegate = new BearerTokenAuthenticationEntryPoint();
                    delegate.commence(request, response, exception);
                }));
        return http.build();
    }

Is there a way to tell the resource server that this is not an IdToken but just a bearer token?

Setting the client as bearer-only, does it solve the issue?

Instead of getting this format:

{
    "access_token": "eyJraWQiOiI4YWY4Zjc2Zi0zMTdkLTQxZmYtYWY5Yi1hZjg5NDg4ODM5YzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJtZXNzYWdpbmctY2xpZW50IiwiYXVkIjoibWVzc2FnaW5nLWNsaWVudCIsIm5iZiI6MTYyNzMzNDQ1MCwic2NvcGUiOlsibWVzc2FnZTpyZWFkIl0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo5MDAwIiwiZXhwIjoxNjI3MzM0NzUwLCJpYXQiOjE2MjczMzQ0NTAsImp0aSI6IjBiYjYwZjhkLWIzNjItNDk0MC05MGRmLWZhZDg4N2Q1Yzg1ZSJ9.O8dI67B_feRjOn6pJi5ctPJmUJCNpV77SC4OiWqmpa5UHvf4Ud6L6EFe9LKuPIRrEWi8rMdCdMBOPKQMXvxLoI3LMUPf7Yj973uvZN0E988MsKwhGwxyaa_Wam8wFlk8aQlN8SbW3cKdeH-nKloNMdwjfspovefX521mxouaMjmyXdIFrM5WZ15GZK69NIniACSatE-pc9TAjKYBDbC65jVt_zHEvDQbEkZulF2bjrGOZC8C3IbJWnlKgkcshrY44TtrGPyCp2gIS0TSUUsG00iSBBC8E8zPU-YdfaP8gB9_FwUwK9zfy_hU2Ykf2aU3eulpGDVLn2rCwFeK86Rw1w",
    "expires_in": 299,
    "scope": "profile",
    "token_type": "Bearer"
}

I get this format:

{
    "access_token": "075c47a9-c456-4367-b941-84e355f87155",
    "scope": "profile",
    "token_type": "Bearer",
    "expires_in": 3599
}

There is 1 answer

Steve Riesenberg

This seems to be a keycloak issue, as you are receiving what appears to be a UUID instead of a JWT. If your resource server is configured to expect JWTs, then your configuration is invalid either on keycloak or the resource server (depending on which is intended). If Keycloak is configured correctly, then you can try configuring your resource server to use opaque tokens, using the configuration in the docs.

If that doesn't answer your question, please provide more information about your configuration both on the Keycloak side as well as the resource server. There is not enough information in your question to determine the cause of the issue.
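As an added illustration of the opaque-token configuration the answer points to (example code, not from the question, the answer or the Spring Security docs), this is a resource server that validates the UUID-style token against Keycloak's introspection endpoint instead of trying to decode it as a JWT. The realm URL, client id and secret are assumed placeholders.

```java
// Added example: resource server for opaque (non-JWT) access tokens.
// Every bearer token is sent to Keycloak's token introspection endpoint, which
// reports whether it is active and which scopes it carries; nothing is decoded locally.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class OpaqueTokenSecurityConfig {

    // Assumed placeholder: Keycloak realm named "demo" running on localhost:8080.
    private static final String INTROSPECTION_URI =
            "http://localhost:8080/realms/demo/protocol/openid-connect/token/introspect";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf(AbstractHttpConfigurer::disable)
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // Require a valid token rather than permitAll(), so the introspection
                // result actually gates access to the endpoints.
                .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
                // opaqueToken() replaces jwt(): the JWT decoder that raised
                // "Malformed token" is never involved.
                .oauth2ResourceServer(oauth2 -> oauth2
                        .opaqueToken(opaque -> opaque
                                .introspectionUri(INTROSPECTION_URI)
                                // The resource server authenticates to Keycloak with its own
                                // confidential client; assumed placeholder credentials.
                                .introspectionClientCredentials("resource-server", "CHANGE_ME_SECRET")));
        return http.build();
    }
}
```

The property-based equivalent is spring.security.oauth2.resourceserver.opaquetoken.introspection-uri, client-id and client-secret in application.yml. Note that a bearer token presented on a request is still parsed by the resource server filter even when the route is permitAll(), which is why the question's configuration reaches the entry point despite permitting every request.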