This issue breaks the whole idea of Keycloak at the moment.

@mraible does any of your recent PRs address this?

@deepu105 I don't think so. I have a hard time believing Spring Security doesn't handle refresh tokens properly, but I could be wrong. Maybe @jgrandja has some advice?

@deepu105 @mraible Based on the log provided:

org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException, Unable to obtain a new access token for resource 'null'. The provider manager is not configured to support it.

This tells me that the OAuth Client is not configured with an authorization_grant that supports refresh_token grant. Is it possible your client is configured with implicit or client_credentials grant?

@jgrandja We use Spring Security's OAuth support and @EnableOAuth2Sso in JHipster. See the following files for how it's configured:

• SecurityConfiguration.java.ejs#L76
• application.yml.ejs#L200

Related: do we need all the properties in application.yml? https://github.com/jhipster/generator-jhipster/issues/7281

Looking at the code and OAuth2RestTemplate is configured with AuthorizationCodeAccessTokenProvider so it is using authorization_grant which supports refresh_token grant. I'm not sure what's going on without getting deeper into the issue.

Are you able to publish to a repo that reproduces the issue so I can debug for you?

Thanks @mraible and @jgrandja for looking into this; I've also run into the same issue as the OP.

We use Spring Security's OAuth support and @EnableOAuth2Sso in JHipster. See the following files for how it's configured:

• SecurityConfiguration.java.ejs#L76
• application.yml.ejs#L200

I think that, since the issue relates to microservices, SecurityConfiguration.java.ejs#L76 maybe isn't the relevant file.

I can see the @EnableOAuth2Sso annotation being applied in the gateway at OAuth2SsoConfiguration.java.ejs#L36. I can't find it anywhere in my microservice app.

Are you able to publish to a repo that reproduces the issue so I can debug for you?

I've made a repo which can be used to reproduce the issue with JHipster 4.14.1. It contains two apps: a gateway and microservice, which I've creatively named gateway and microservice. The below also assumes that Docker is available to create Registry and KeyCloak containers from the default JHipster images.

Recreating the issue

Clone the example repository and cd into it:

git clone https://gitlab.com/ImperfectClone/jhipster-issue-6929.git && cd jhipster-issue-6929

KeyCloak and Registry (Docker)

Start KeyCloak in Docker - all configuration is per the default provided by JHipster, except for accessTokenLifespan in jhipster-realm.json. This has been reduced from 300 to 60 seconds, just to speed up reproducing the issue (the issue is the same with this set to 300, it just takes five minutes instead of one to manifest):

docker-compose -f gateway/src/main/docker/keycloak.yml up -d

Start the JHipster Registry in Docker:

docker-compose -f gateway/src/main/docker/jhipster-registry.yml up -d

(If KeyCloak isn't up in time, the Registry will fail to start and the above command will need to be repeated when KeyCloak is ready.)

Gateway

From the gateway directory run:

• yarn install or npm i to fetch node_modules and
• bash mvnw -Pdev,webpack to run the Gateway.

Microservice

From the microservice directory, run bash mvnw to start it.

Steps to reproduce via UI

Once everything has been started, visit http://localhost:8080.

Click 'sign in' and enter username 'admin' and password 'admin' into the KeyCloak login screen.

Select the 'Transformer' entry from the 'Entities' menu. This should present a list of a few Transformers (which have been added via the microservice Liquibase). The 'View' and 'Edit' buttons on the UI will work as expected for the first 60 seconds.

After waiting for >60 seconds, click on 'View' or 'Edit'.

The error message reported by the OP will display in the microservice log:

Could not fetch user details: class 
org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException
Unable to obtain a new access token for resource 'null'. The provider manager is not 
configured to support it.

At this point the front-end will redirect to the home route. The value of the JSESSIONID cookie gets updated here, and, navigating back to 'Transformer', everything works as expected again for another 60 seconds.

@ImperfectClone Thanks but I would prefer a stripped down sample (without docker) that reproduces the issue. Ideally, samples that I can startup locally.

Thanks but I would prefer a stripped down sample (without docker) that reproduces the issue. Ideally, samples that I can startup locally.

@jgrandja Thanks - I'm happy to adjust the sample[0] if I can, though I'm afraid I don't know enough about the Spring Security part to be able to judge which bits I should strip down. From a JHipster standpoint, this is (as far as I can see) the minimal possible app that recreates the issue.

On the local/Docker point: the above instructions do run the Gateway and Microservice locally and without Docker - it's just the Registry and KeyCloak that are run in Docker; this seemed (certainly in KeyCloak's case) to be the easiest way to provide this, since the JHipster image + conf files pre-configure it to 'just work' with the Gateway and microservice, whereas to get them working with any external/pre-existing KeyCloak instance you'd need to modify the application configuration. So, you could just ignore the KeyCloak and Registry sections of my post and modify the conf to use whatever Eureka and KeyCloak instances you wanted to instead, and not use the Docker images - but maybe I've misunderstood what you meant here.

[0] https://gitlab.com/ImperfectClone/jhipster-issue-6929.git

Thanks for putting together the sample @ImperfectClone.

I managed to figure out the issue and it's mostly mis-configuration.

Gateway

• MicroserviceSecurityConfiguration is configured as a @EnableResourceServer when it's not a Resource Server as your Microservice app acts as the Resource Server
• Your are providing a @Bean of type UserInfoTokenServices in MicroserviceSecurityConfiguration but this bean is auto-configured for you by @EnableOAuth2Sso. Even if you were to provide your own UserInfoTokenServices, you need to at least set the OAuth2RestTemplate via UserInfoTokenServices.setRestTemplate. I would recommend to allow Boot to auto-configure this for you so don't provide your own UserInfoTokenServices @Bean if you can avoid it.
• You're configuring a JwtTokenStore. This is only required by a @EnableResourceServer
• You don't need to configure the following properties: token-info-uri, prefer-token-info, jwt.key-uri. NOTE: user-info-uri is required by @EnableOAuth2Sso

Microservice

• MicroserviceSecurityConfiguration is configured with a @Bean of type UserInfoTokenServices which is used by @EnableOAuth2Sso. However, you don't have @EnableOAuth2Sso in this app which makes sense given that it's a Resource Server. This is where the main issue lies. When the Resource Server receives a request (e.g. /transformers) it will use the UserInfoTokenServices to call the user-info-uri to get the User's Info. First off, this flow only should happen in the @EnableOAuth2Sso app (Gateway). Second, the client that makes the call to user-info-uri is client-id=internal, which is not the client that has the refresh_token (client-id=web_app has it in Gateway). So when client internal calls the user-info-uri using the access token granted to client web_app, after the token expires, a 401 is triggered by the Resource Server and should be caught by the Javascript client in Gateway to handle it. Given that Gateway is not using OAuth2RestTemplate (which handles refresh_token), the javascript client will need to handle the 401 and perform the refresh_token grant. It would be much easier if you configured things in such a way so that OAuth2RestTemplate handles this for you.

So a few things to fix in your configuration. Hope this helps.

@jgrandja Thank you very much for taking the time to diagnose these configuration issues! I'll work on fixing these problems in my project.

I've applied @jgrandja's suggestion to use OAuth2RestTemplate to my sample - in a new branch, minimal_fix. The diff with the version reproducing the issue can be viewed here.

To checkout on the fix branch:
git clone https://gitlab.com/ImperfectClone/jhipster-issue-6929.git && cd jhipster-issue-6929 && git checkout minimal_fix

(Of course, just git checkout master to get back to the state that reproduces the issue.)

This represents an attempt to execute the smallest change I could find that would allow the gateway to successfully refresh an expired token before passing requests to the microservice. In other words, I've not yet made the other configuration changes suggested, but the minimum change I could get working that produces the desired behaviour from a microservices + KeyCloak app produced by the current version of the generator.

Furthermore, I'm sure my approach isn't the optimal way to apply this fix - but it is working and therefore may provide a useful workaround to others experiencing this issue (at your own risk if I've broken the security entirely without realising!) until a version of the generator in which this issue is resolved becomes available.

Description of changes

What I've done is to add an @Bean for OAuth2RestTemplate to MicroserviceSecurityConfiguration.java:

@Bean
public OAuth2RestTemplate oAuth2RestTemplate(
    OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails,
    OAuth2ClientContext oAuth2ClientContext
) {
    return new OAuth2RestTemplate(oAuth2ProtectedResourceDetails, oAuth2ClientContext);
}

I've then changed TokenRelayFilter.run() to extract the token from the OAuth2RestTemplate, replacing the use of the static method in AuthorizationHeaderUtil for this purpose.

public static final String AUTHORIZATION_HEADER = "Authorization";
public static final String TOKEN_TYPE = "Bearer";

private final Logger log = LoggerFactory.getLogger(TokenRelayFilter.class);

@Autowired
private OAuth2RestTemplate oAuth2RestTemplate;

@Override
public Object run() {
    RequestContext ctx = RequestContext.getCurrentContext();
    try {
        ctx.addZuulRequestHeader(
            AUTHORIZATION_HEADER,
            String.format("%s %s", TOKEN_TYPE, this.oAuth2RestTemplate.getAccessToken())
        );
    } catch (Exception e) {
        log.debug(
            "Exception " + e.getClass() + " for expired session for " +
                ctx.getRequest().getRemoteUser()
        );
    }
    return null;
}

I'm catching all Exceptions here so that, when the session does expire (testable by reducing 'Tokens -> SSO Session Idle' in KeyCloak UI or ssoSessionIdleTimeout in jhipster-realm.json) and OAuth2RestTemplate.getAccessToken() throws, the exception doesn't prevent the null from being returned, which in turn would prevent the user from getting redirected to the KeyCloak login page and instead present them with an empty view of the protected route (I think due to HTTP 500 rather then 401 being received on the client). The exception seems always to be UserRedirectRequiredException - but I wasn't confident there were no other cases so left the generic Exception handler there for now.

I have incorporated most of the point discussed here on this repository :
https://github.com/farrault/jhipster_oauth2_microservice/pull/1/files

I'm very open to discuss with you the different points.

@farrault I attempted to make the changes in your repository in https://github.com/jhipster/generator-jhipster/pull/7666. I doubt this has everything it needs, and it might break monoliths. Hopefully, Travis tests can figure out what breaks. Please review and let me know what I missed.

For me this is solved with the latest changes from @farrault and @mraible so I'm closing this