The latest articles on DEV Community by Yuan Ji (@jiwhiz). https://dev.to/jiwhiz https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F40383%2Fb31cd1f8-9967-4ba1-97e1-e10cc1a6e593.jpeg https://dev.to/jiwhiz en Yuan Ji Sun, 13 Oct 2024 05:40:20 +0000 https://dev.to/jiwhiz/how-to-build-an-elm-land-project-for-production-36jo https://dev.to/jiwhiz/how-to-build-an-elm-land-project-for-production-36jo <p>After completing my demo project on <a href="https://github.com/jiwhiz/keycloak-spring-security-oauth2-token-exchange-demo" rel="noopener noreferrer">Keycloak OAuth2 Token Exchange</a>, I decided to expand the idea and created a new demo project called <a href="https://github.com/jiwhiz/my-ai-doctor" rel="noopener noreferrer">my-ai-doctor</a>. Unlike the previous demo, which focused on backend integration, this project uses Elm for the UI and Docker Compose to run all six servers locally: the Keycloak server, API server, and the SPA web servers for both MyDoctor and MyHealth.</p> <h3> Fixing the Elm Compiler for Linux ARM 64 </h3> <p>The first challenge was building the Elm Land project and deploying it to Docker containers. Initially, I used a standard Dockerfile to build my Elm UI project, but soon hit a roadblock:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &gt; [build 8/9] RUN npm install: 8.709 npm error code 1 8.709 npm error path /app/node_modules/elm 8.709 npm error command failed 8.709 npm error command sh -c node install.js 8.709 npm error -- ERROR ----------------------------------------------------------------------- 8.709 npm error 8.709 npm error I am detecting that your computer (linux_arm64) may not be compatible with any 8.709 npm error of the official pre-built binaries. 8.709 npm error 8.709 npm error I recommend against using the npm installer for your situation. Check out the 8.709 npm error alternative installers at https://github.com/elm/compiler/releases/tag/0.19.1 8.709 npm error to see if there is something that will work better for you. 8.709 npm error 8.709 npm error From there I recommend asking for guidance on Slack or Discourse to find someone 8.709 npm error who can help with your specific situation. 8.709 npm error 8.709 npm error -------------------------------------------------------------------------------- </code></pre> </div> <p>After some investigation, I found that the latest Elm compiler (version 0.19.1) <a href="https://github.com/elm/compiler/issues/2283" rel="noopener noreferrer">does not support linux_arm64</a>. This meant I could build and run Elm projects on my Apple Mac Mini Pro natively, but not inside Docker. Fortunately, <a href="https://github.com/lydell" rel="noopener noreferrer">Simon Lydell</a> and <a href="https://github.com/supermario" rel="noopener noreferrer">Mario Rogic</a> created a new version of the <a href="https://www.npmjs.com/package/@lydell/elm" rel="noopener noreferrer">elm npm package</a>, which supports Linux ARM 64. Based on <a href="https://github.com/ryan-haskell/vite-plugin-elm-watch/issues/3" rel="noopener noreferrer">this discussion</a>, the solution was to override the elm package in my <code>package.json</code> file by adding these lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"overrides": { "elm": "npm:@lydell/elm" } </code></pre> </div> <p>This replaces the Elm npm module in the locally downloaded <code>node_modules</code> directory with the <code>@lydell/elm</code> module, allowing the unofficial Elm compiler to work correctly on the Linux ARM64 platform.</p> <h3> Passing Environment Variables to UI Code </h3> <p>When developing the AI Doctor system locally, the UI SPA connects to the backend API at <code>http://api.mydoctor:8081/api/v1/records</code>. However, when running the entire demo inside Docker, the API is accessible via port 80 with the help of an Nginx reverse proxy: <code>http://api.mydoctor/api/v1/records</code>. The challenge was how to dynamically change the backend API URL in the Elm code.</p> <p>The Elm Land documentation briefly mentions <a href="https://elm.land/reference/elm-land-json.html#app-env" rel="noopener noreferrer">environment variables</a>, but without detailed examples. I found a helpful blog, <a href="https://seanrmurphy.medium.com/deploy-and-elm-frontend-to-cloudflare-pages-f8859db1ed51" rel="noopener noreferrer">Deploying an Elm Frontend to Cloudflare Pages</a>, which provided some hints on how to pass environment variables to an Elm Land app. After studying the Elm Land documentation again (<a href="https://elm.land/guide/working-with-js.html#sending-initial-data" rel="noopener noreferrer">here</a> and <a href="https://elm.land/reference/elm-land-json.html#app-env" rel="noopener noreferrer">here</a>), I realized it was quite straightforward to pass different values as environment variables to Elm code.</p> <p>In the <code>interop.js</code> file, we can pick environment variables and pass them to Elm code as <a href="https://guide.elm-lang.org/interop/flags" rel="noopener noreferrer"><code>Flags</code></a>. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">flags</span> <span class="o">=</span> <span class="p">({</span> <span class="nx">env</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">apiBaseUrl</span><span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">API_BASE_URL</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>Here, we pass the backend API base URL as a field in <code>flags</code>, which is then saved into <code>Shared.Model</code>.</p> <p>First, I needed to customize the Shared module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>elm-land customize shared </code></pre> </div> <p>This command will move three files from <code>.elm-land</code> into <code>src</code> folder: <code>Shared.elm</code>, <code>Shared/Model.elm</code> and <code>Shared/Msg.elm</code>.</p> <p>Next, I added the field <code>apiBaseUrl</code> to <code>Shared.Model.Model</code>. Here is the code for <code>Shared/Model.elm</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elm"><code><span class="k">module</span> <span class="kt">Shared</span><span class="o">.</span><span class="kt">Model</span> <span class="k">exposing</span> <span class="p">(</span><span class="kt">Model</span><span class="p">)</span> <span class="k">type</span> <span class="k">alias</span> <span class="kt">Model</span> <span class="o">=</span> <span class="p">{</span> <span class="n">apiBaseUrl</span> <span class="p">:</span> <span class="kt">String</span> <span class="p">}</span> </code></pre> </div> <p>In <code>Shared.elm</code>, I decoded the flags and passed <code>apiBaseUrl</code> to <code>Shared.Model.Model</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elm"><code><span class="c1">-- FLAGS</span> <span class="k">type</span> <span class="k">alias</span> <span class="kt">Flags</span> <span class="o">=</span> <span class="p">{</span> <span class="n">apiBaseUrl</span> <span class="p">:</span> <span class="kt">String</span> <span class="p">}</span> <span class="n">decoder</span> <span class="p">:</span> <span class="kt">Json</span><span class="o">.</span><span class="kt">Decode</span><span class="o">.</span><span class="kt">Decoder</span> <span class="kt">Flags</span> <span class="n">decoder</span> <span class="o">=</span> <span class="kt">Json</span><span class="o">.</span><span class="kt">Decode</span><span class="o">.</span><span class="n">map</span> <span class="kt">Flags</span> <span class="p">(</span><span class="kt">Json</span><span class="o">.</span><span class="kt">Decode</span><span class="o">.</span><span class="n">field</span> <span class="s">"</span><span class="s2">apiBaseUrl"</span> <span class="kt">Json</span><span class="o">.</span><span class="kt">Decode</span><span class="o">.</span><span class="n">string</span><span class="p">)</span> <span class="c1">-- INIT</span> <span class="k">type</span> <span class="k">alias</span> <span class="kt">Model</span> <span class="o">=</span> <span class="kt">Shared</span><span class="o">.</span><span class="kt">Model</span><span class="o">.</span><span class="kt">Model</span> <span class="n">init</span> <span class="p">:</span> <span class="kt">Result</span> <span class="kt">Json</span><span class="o">.</span><span class="kt">Decode</span><span class="o">.</span><span class="kt">Error</span> <span class="kt">Flags</span> <span class="o">-&gt;</span> <span class="kt">Route</span> <span class="p">()</span> <span class="o">-&gt;</span> <span class="p">(</span> <span class="kt">Model</span><span class="o">,</span> <span class="kt">Effect</span> <span class="kt">Msg</span> <span class="p">)</span> <span class="n">init</span> <span class="n">flagsResult</span> <span class="n">route</span> <span class="o">=</span> <span class="p">(</span> <span class="p">{</span> <span class="n">apiBaseUrl</span> <span class="o">=</span> <span class="k">case</span> <span class="n">flagsResult</span> <span class="k">of</span> <span class="kt">Ok</span> <span class="n">flags</span> <span class="o">-&gt;</span> <span class="n">flags</span><span class="o">.</span><span class="n">apiBaseUrl</span> <span class="kt">Err</span> <span class="n">_</span> <span class="o">-&gt;</span> <span class="s">"</span><span class="s2">"</span> <span class="p">}</span> <span class="o">,</span> <span class="kt">Effect</span><span class="o">.</span><span class="n">none</span> <span class="p">)</span> </code></pre> </div> <p>The <code>Shared.Model.Model</code> (or <code>Shared.Model</code>) is then passed to each page, so the <code>apiBaseUrl</code> can be accessed whenever we need to call the backend API. See example code at <a href="https://github.com/jiwhiz/my-ai-doctor/blob/main/mydoctor/mydoctor-ui/src/Pages/Test.elm" rel="noopener noreferrer"><code>Pages/Test.elm</code></a></p> <h3> Setting Environment Variables </h3> <p>To set environment variables like <code>API_BASE_URL</code>, you first need to declare them in the <code>elm-land.json</code> file under <a href="https://elm.land/reference/elm-land-json.html#app-env" rel="noopener noreferrer">app.env</a>, as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"app"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"API_BASE_URL"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>For security reasons, all environment variables are hidden from your Elm Land application by default.<br> When you want to share an environment variable with your app, the app.env field is the one spot check</p> </blockquote> <p>See my <a href="https://github.com/jiwhiz/my-ai-doctor/blob/main/mydoctor/mydoctor-ui/elm-land.json" rel="noopener noreferrer"><code>elm-land.json</code></a> file, and I also declared <code>AUTH_SERVER_URL</code> for Keycloak server address and <code>WS_BASE_URL</code> for backend chatbot WebSocket address.</p> <p>Then, you can pass <code>API_BASE_URL</code> in the command line when developing locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>API_BASE_URL=http://api.mydoctor:8081/api/v1 elm-land server </code></pre> </div> <p>For production builds, use the <code>ENV</code> directive in the <code>Dockerfile</code> like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">ENV</span><span class="s"> API_BASE_URL="http://api.mydoctor/api/v1"</span> </code></pre> </div> <p>See my <a href="https://github.com/jiwhiz/my-ai-doctor/blob/main/mydoctor/mydoctor-ui/Dockerfile" rel="noopener noreferrer"><code>Dockerfile</code></a> for mydoctor-ui app.</p> <p>You can find all source code at <a href="https://github.com/jiwhiz/my-ai-doctor" rel="noopener noreferrer">https://github.com/jiwhiz/my-ai-doctor</a>. This is still a work in progress. Please let me know if you find this blog is helpful.</p> elmland docker env Yuan Ji Tue, 17 Sep 2024 03:37:25 +0000 https://dev.to/jiwhiz/using-chatgpt-o1-to-write-ui-code-with-elm-2cb7 https://dev.to/jiwhiz/using-chatgpt-o1-to-write-ui-code-with-elm-2cb7 <p>After I finished my <a href="https://github.com/jiwhiz/keycloak-spring-security-oauth2-token-exchange-demo" rel="noopener noreferrer">Oauth 2 Token Exchange demo project</a>, I suddenly had a desire to write the front end UI with <a href="https://elm-lang.org/" rel="noopener noreferrer">Elm language</a>. Elm is my favorite front end language: elegant, functional, strongly typed.</p> <p>But I haven't touched Elm for over a year, so it would take a while to remember how to start. Fortunately, or coincidentally, <a href="https://openai.com/index/introducing-openai-o1-preview/" rel="noopener noreferrer">ChatGPT o1 just came out</a>, and I wanted to see if it is as good as people say.</p> <p>So I wrote a detailed prompt and asked ChatGPT o1 to give me a simple web application using the Elm language and the elm-land framework, also using keycloak to do login with port. I love the <a href="https://elm.land/" rel="noopener noreferrer">Elm Land framework</a>, and it is still well maintained today. </p> <p>It gave me step-by-step instructions on how to setup the <code>mydoctor-elm</code> project, exactly the same as what Elm Land document says, but using my project name instead. Excellent job!</p> <p>Then it gave me <code>Main.elm</code> code with port implementation to connect with <code>keycloak.js</code>. I copied to VS Code, and, to my surprise, it passed Elm compiler's type check!</p> <p>Unfortunately the javascript portion of the code was not correct; it resembled interop examples from the <a href="https://guide.elm-lang.org/interop/ports" rel="noopener noreferrer">official Elm documentation</a> or online examples. The issue is that, as a framework, Elm Land has its own way to handle port with Javascript; the structure of the JS code is quite different. I think it is because there isn't enough training data (meaning not many open-source projects using Elm Land with ports) for ChatGPT to figure out how to write Javascript code within Elm Land constraints. Besides, its code also didn't handle keycloak login well.</p> <p>So I read the <a href="https://elm.land/guide/working-with-js.html" rel="noopener noreferrer">Elm Land documentation</a> again and wrote my own code. I have to say Elm Land documentation is really good! I quickly finished <code>interop.js</code> and got it working. During the coding process, I asked ChatGPT serval questions about how to handle promise, how to use 'check-sso' for silent authentication, and it gave me correct answers, because those are very common questions.</p> <p>I posted my <code>interop.js</code> code here so next time when someone ask ChatGPT how to connect keycloak.js with port in Elm Land project, they can get some code that works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">Keycloak</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">keycloak-js</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">keycloak</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Keycloak</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://auth.mydoctor:8080</span><span class="dl">'</span><span class="p">,</span> <span class="na">realm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mydoctor-demo</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mydoctor-elm</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// This is called BEFORE your Elm app starts up</span> <span class="c1">// </span> <span class="c1">// The value returned here will be passed as flags </span> <span class="c1">// into your `Shared.init` function.</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">flags</span> <span class="o">=</span> <span class="p">({</span> <span class="nx">env</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="p">}</span> <span class="c1">// This is called AFTER your Elm app starts up</span> <span class="c1">//</span> <span class="c1">// Here you can work with `app.ports` to send messages</span> <span class="c1">// to your Elm application, or subscribe to incoming</span> <span class="c1">// messages from Elm</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">onReady</span> <span class="o">=</span> <span class="p">({</span> <span class="nx">app</span><span class="p">,</span> <span class="nx">env</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Initialize Keycloak</span> <span class="nx">keycloak</span> <span class="p">.</span><span class="nf">init</span><span class="p">({</span> <span class="na">onLoad</span><span class="p">:</span> <span class="dl">'</span><span class="s1">check-sso</span><span class="dl">'</span><span class="p">,</span> <span class="na">silentCheckSsoRedirectUri</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/assets/silent-check-sso.html</span><span class="dl">'</span> <span class="p">})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nf">function </span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">keycloak</span><span class="p">.</span><span class="nx">authenticated</span><span class="p">)</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ports</span><span class="p">.</span><span class="nx">onLoginSuccess</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">keycloak</span><span class="p">.</span><span class="nx">token</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">app</span><span class="p">.</span><span class="nx">ports</span> <span class="o">&amp;&amp;</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ports</span><span class="p">.</span><span class="nx">login</span> <span class="o">&amp;&amp;</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ports</span><span class="p">.</span><span class="nx">logout</span><span class="p">)</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ports</span><span class="p">.</span><span class="nx">login</span><span class="p">.</span><span class="nf">subscribe</span><span class="p">(</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">keycloak</span> <span class="p">.</span><span class="nf">login</span><span class="p">()</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">keycloak</span><span class="p">.</span><span class="nx">authenticated</span><span class="p">)</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ports</span><span class="p">.</span><span class="nx">onLoginSuccess</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">keycloak</span><span class="p">.</span><span class="nx">token</span><span class="p">);</span> <span class="p">}</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to login Keycloak</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ports</span><span class="p">.</span><span class="nx">logout</span><span class="p">.</span><span class="nf">subscribe</span><span class="p">(</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Call logout()</span><span class="dl">"</span><span class="p">);</span> <span class="nx">keycloak</span> <span class="p">.</span><span class="nf">logout</span><span class="p">()</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">After logout: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">keycloak</span><span class="p">.</span><span class="nx">authenticated</span><span class="p">);</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="nf">function </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to logout Keycloak</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">});</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The full <code>mydoctor-elm</code> project can be found at <a href="https://github.com/jiwhiz/keycloak-spring-security-oauth2-token-exchange-demo/tree/main/mydoctor/mydoctor-elm" rel="noopener noreferrer">GitHub</a>.</p> <p>Overall, after this simple experiment, I was very impressed that its Elm code passed type checking on the first try. However, for situations where answers are not easily found online, it still generates incorrect code, so developers can not fully trust it. For simple tasks, I don't need to search online and read many pages to find the answer, just ask ChatGPT, and the results are pretty good. So ChatGPT o1 is a better coding assistant, my productivity improved a lot. What is your experience with ChatGPT o1 as a developer?</p> chatgpto1 elm keycloak elmland Yuan Ji Sat, 14 Sep 2024 07:07:45 +0000 https://dev.to/jiwhiz/oauth-2-token-exchange-with-spring-security-and-keycloak-1a6i https://dev.to/jiwhiz/oauth-2-token-exchange-with-spring-security-and-keycloak-1a6i <h2> Introduction </h2> <p>In today's interconnected digital landscape, companies often collaborate to provide seamless services to their users. In this post, we’ll explore a scenario involving two hypothetical companies: <strong>MyDoctor</strong> and <strong>MyHealth</strong>. We’ll demonstrate how <strong>MyHealth</strong> users can log in to <strong>MyDoctor</strong> using their <strong>MyHealth</strong> credentials, and how <strong>MyDoctor</strong>'s backend can securely call <strong>MyHealth</strong>'s APIs on behalf of the user. To achieve this, we’ll leverage <a href="https://datatracker.ietf.org/doc/html/rfc8693" rel="noopener noreferrer">OAuth 2 Token Exchange (RFC8693)</a> with <a href="https://spring.io/projects/spring-security" rel="noopener noreferrer">Spring Security</a> and <a href="https://www.keycloak.org/" rel="noopener noreferrer">Keycloak</a>.</p> <p>All the code can be found in my GitHub project <a href="https://github.com/jiwhiz/keycloak-spring-security-oauth2-token-exchange-demo" rel="noopener noreferrer">here</a>. </p> <h2> Business Scenario </h2> <p>Let’s start by outlining the scenario:</p> <ul> <li><p><strong>MyHealth</strong>: A service where users can view their health records.</p></li> <li><p><strong>MyDoctor</strong>: A service where users can register, log in, and talk to AI doctors to get medical advice.</p></li> </ul> <p>Now, imagine <strong>MyHealth</strong> users want to access <strong>MyDoctor</strong> without creating a new account. Additionally, for <strong>MyDoctor</strong>'s AI bot to give better advice, the backend needs to securely access <strong>MyHealth</strong>'s APIs to retrieve user health records or other user-specific data.</p> <p>In the past, this could have been done using <a href="https://en.wikipedia.org/wiki/API_key" rel="noopener noreferrer">API key</a>, where <strong>MyHealth</strong> would assign a unique secret key to <strong>MyDoctor</strong> for accessing <strong>MyHealth</strong> API. However, this approach only authenticates the application, meaning <strong>MyDoctor</strong> would have full access to all of <strong>MyHealth</strong>’s data, which raises trust and security concerns.</p> <p>To avoid this, <strong>MyHealth</strong> needs to authenticate the actual user and apply proper access controls. So, how can <strong>MyDoctor</strong> impersonate the current logged-in user and access <strong>MyHealth</strong>’s APIs? We can use OAuth 2’s Token Exchange extension, which allows one token (e.g., from MyDoctor) to be exchanged for another token (e.g., from MyHealth) that has the correct permissions for that user.</p> <h2> Understanding OAuth 2 Token Exchange </h2> <p>Token Exchange <a href="https://datatracker.ietf.org/doc/html/rfc8693" rel="noopener noreferrer">RFC 8693</a> is an extension to the standard OAuth 2.0 that allows a client to exchange an existing token for another token. This is particularly useful in scenarios where:</p> <ul> <li>A client needs to access resources on behalf of the user from multiple APIs.</li> <li>There is a need to exchange one token (e.g., an ID token or access token) for another token (e.g., an access token with specific permissions or scope).</li> </ul> <p>In this scenario:</p> <ul> <li>A <strong>MyHealth</strong> user logs into <strong>MyDoctor</strong> via Keycloak’s identity provider linking.</li> <li>The <strong>MyDoctor</strong> backend exchanges the received token for one that allows it to access <strong>MyHealth</strong>'s APIs.</li> </ul> <h2> Keycloak Setup and Linking Identity Providers </h2> <p>To enable <strong>MyHealth</strong> users to log in to <strong>MyDoctor</strong> via their <strong>MyHealth</strong> account, we need to configure <strong>Keycloak</strong> to act as the identity provider (IdP). Since Token Exchange is a preview feature, you have to start the Keycloak server with <code>--features=preview</code>.</p> <h4> Setting up Keycloak for MyHealth </h4> <ol> <li>Create a new realm <code>myhealth-demo</code> for the <strong>MyHealth</strong> keycloak server.</li> <li>Under the <code>myhealth-demo</code> realm, create a new client <code>myhealth-ui</code> for <strong>MyHealth</strong>'s frontend. Add the client role <code>view-health-record</code>. Since it is a SPA web application, disable <code>Client authentication</code>.</li> <li>Add a user John Doe, login id <code>john</code>, password <code>john</code> with client role <code>view-health-record</code>.</li> <li>Create a new client <code>mydoctor-api-server</code> for the <strong>MyDoctor</strong> backend API server to access <strong>MyHealth</strong> API endpoints.</li> <li>Create another client <code>mydoctor-auth</code> for <strong>MyDoctor</strong> keycloak server to link <strong>MyHealth</strong> keycloak server as an identity provider.</li> </ol> <h4> Setting up Keycloak for MyDoctor </h4> <ol> <li>Create a new realm <code>mydoctor-demo</code> for the <strong>MyDoctor</strong> keycloak server.</li> <li>Under the <code>mydoctor-demo</code> realm, create a new client <code>mydoctor-ui</code> for <strong>MyDoctor</strong>'s frontend. Add client role <code>edit-appointment</code> and <code>view-appointment</code>. Disable <code>Client authentication</code>.</li> <li>Add a user <code>doctor</code> with the client role <code>edit-appointment</code>.</li> <li>Add another client <code>mydoctor-api</code> for the backend API server to do token exchange requests.</li> <li>In <code>Realm settings</code>, select <code>User registration</code> tab, click button <code>Assign role</code> to add role <code>view-appointment</code>, so any new user will automatically have this role.</li> </ol> <h4> Adding MyHealth as an Identity Provider: </h4> <ol> <li>In the <strong>MyDoctor</strong> keycloak server under <code>mydoctor-demo</code> realm, navigate to <strong>Identity Providers</strong> and select <strong>OpenID Connect</strong>.</li> <li>Enter the details of the <strong>MyHealth</strong> Keycloak server, using the well-known OpenID configuration URL <code>http://auth.myhealth:8090/realms/myhealth-demo/.well-known/openid-configuration</code>.</li> <li>Enter client ID and secret of <code>mydoctor-auth</code> client from <strong>MyHealth</strong> keycloak server.</li> <li>Turn on <code>Store tokens</code>.</li> <li>Follow the Keycloak documentation <a href="https://www.keycloak.org/docs/latest/securing_apps/#internal-token-to-external-token-exchange" rel="noopener noreferrer">7.3. Internal token to external token exchange</a>, to enable permissions for token exchange, and create a client policy.</li> </ol> <p>It is very tedious to setup Keycloak servers correctly, however, you can find the step-by-step instructions in my Github project to start two Keycloak servers with docker and take a look at all the settings. Just login to Keycloak servers using <code>admin</code> as username and password at <a href="http://mydoctor:8080/admin/master/console/#/mydoctor-demo" rel="noopener noreferrer">http://mydoctor:8080</a> and <a href="http://myhealth:8090/admin/master/console/#/myhealth-demo" rel="noopener noreferrer">http://myhealth:8090</a>.</p> <h2> Implementing OAuth 2 Token Exchange in Spring Security </h2> <p>Token Exchange has been <a href="https://spring.io/blog/2024/03/19/token-exchange-support-in-spring-security-6-3-0-m3" rel="noopener noreferrer">supported in Spring Security since version 6.3</a>. Below, we will demonstrate how <strong>MyDoctor</strong>’s backend can use this feature to retrieve the health records of a logged-in <strong>MyHealth</strong> user.</p> <h4> Configure MyHealth API Server App: </h4> <p>The <strong>MyHealth</strong> backend API <code>myhealth-api</code> is an OAuth 2 resource server. Add the following dependency in <code>build.gradle</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-oauth2-resource-server'</span> </code></pre> </div> <p>Config spring security in <code>ProjectConfig</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="nd">@EnableMethodSecurity</span><span class="o">(</span><span class="n">securedEnabled</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ProjectConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="c1">// @formatter:off</span> <span class="n">http</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">cors</span><span class="o">((</span><span class="n">cors</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">cors</span><span class="o">.</span><span class="na">configurationSource</span><span class="o">(</span><span class="n">request</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">corsConfig</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CorsConfiguration</span><span class="o">();</span> <span class="n">corsConfig</span><span class="o">.</span><span class="na">setAllowedOrigins</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"http://myhealth:4210"</span><span class="o">));</span> <span class="n">corsConfig</span><span class="o">.</span><span class="na">setAllowedMethods</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"GET"</span><span class="o">,</span> <span class="s">"POST"</span><span class="o">,</span> <span class="s">"OPTIONS"</span><span class="o">,</span> <span class="s">"PUT"</span><span class="o">,</span> <span class="s">"DELETE"</span><span class="o">)</span> <span class="o">);</span> <span class="n">corsConfig</span><span class="o">.</span><span class="na">setAllowedHeaders</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"*"</span><span class="o">));</span> <span class="n">corsConfig</span><span class="o">.</span><span class="na">setAllowCredentials</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="k">return</span> <span class="n">corsConfig</span><span class="o">;</span> <span class="o">}))</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">authorize</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="nc">HttpMethod</span><span class="o">.</span><span class="na">OPTIONS</span><span class="o">,</span> <span class="s">"/**"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/records"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"ROLE_view_health_record"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="n">oauth2ResourceServer</span> <span class="o">-&gt;</span> <span class="n">oauth2ResourceServer</span> <span class="o">.</span><span class="na">jwt</span><span class="o">(</span> <span class="n">jwt</span> <span class="o">-&gt;</span> <span class="n">jwt</span><span class="o">.</span><span class="na">jwtAuthenticationConverter</span><span class="o">(</span><span class="k">new</span> <span class="nc">KeycloakJwtAuthenticationConverter</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"myhealth-ui"</span><span class="o">,</span> <span class="s">"mydoctor-api-server"</span><span class="o">))))</span> <span class="o">)</span> <span class="o">;</span> <span class="c1">// @formatter:on</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">JwtDecoder</span> <span class="nf">jwtDecoder</span><span class="o">(</span><span class="nc">OAuth2ResourceServerProperties</span> <span class="n">oAuth2ResourceServerProperties</span><span class="o">)</span> <span class="o">{</span> <span class="nc">NimbusJwtDecoder</span> <span class="n">jwtDecoder</span> <span class="o">=</span> <span class="nc">NimbusJwtDecoder</span><span class="o">.</span><span class="na">withJwkSetUri</span><span class="o">(</span><span class="n">oAuth2ResourceServerProperties</span><span class="o">.</span><span class="na">getJwt</span><span class="o">().</span><span class="na">getJwkSetUri</span><span class="o">()).</span><span class="na">build</span><span class="o">();</span> <span class="n">jwtDecoder</span><span class="o">.</span><span class="na">setJwtValidator</span><span class="o">(</span><span class="nc">JwtValidators</span><span class="o">.</span><span class="na">createDefaultWithIssuer</span><span class="o">(</span><span class="n">oAuth2ResourceServerProperties</span><span class="o">.</span><span class="na">getJwt</span><span class="o">().</span><span class="na">getIssuerUri</span><span class="o">()));</span> <span class="k">return</span> <span class="n">jwtDecoder</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The <code>KeycloakJwtAuthenticationConverter</code> is the <a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/convert/converter/Converter.html" rel="noopener noreferrer">Spring Converter</a> to translate OAuth 2 access token claims of <code>resource_access</code> to Spring Security <code>GrantedAuthority</code>. I copied the code from StackOverflow discussion <a href="https://stackoverflow.com/questions/72226464/how-configure-the-jwtauthenticationconverter-for-a-specific-claim-structure/72301501#72301501" rel="noopener noreferrer">How configure the JwtAuthenticationConverter for a specific claim structure?</a></p> <p>And here is the config for resource server in application.yml:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">resourceserver</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">issuer-uri</span><span class="pi">:</span> <span class="s">http://auth.myhealth:8090/realms/myhealth-demo</span> <span class="na">jwk-set-uri</span><span class="pi">:</span> <span class="s">http://auth.myhealth:8090/realms/myhealth-demo/protocol/openid-connect/certs</span> </code></pre> </div> <h4> Configure <strong>MyDoctor</strong> API Server App: </h4> <p><strong>MyDoctor</strong> API backend needs to call <strong>MyHealth</strong> API, so it acts as both an OAuth 2 Resource Server and an OAuth 2 Client. Add these dependencies in<code>build.gradle</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-oauth2-resource-server'</span> <span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-oauth2-client'</span> </code></pre> </div> <p>In application.yml, configure the two clients <code>myhealth-client</code> and <code>mydoctor-client</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">resourceserver</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">issuer-uri</span><span class="pi">:</span> <span class="s">http://auth.mydoctor:8080/realms/mydoctor-demo</span> <span class="na">jwk-set-uri</span><span class="pi">:</span> <span class="s">http://auth.mydoctor:8080/realms/mydoctor-demo/protocol/openid-connect/certs</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">myhealth-client</span><span class="pi">:</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">mydoctor-api-server</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">urn:ietf:params:oauth:grant-type:jwt-bearer</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">health-auth-provider</span> <span class="na">mydoctor-client</span><span class="pi">:</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">mydoctor-api</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">nvYxjQFYGdNI8zj5Nb3Jz25ezWgN1cE8</span> <span class="na">client-authentication-method</span><span class="pi">:</span> <span class="s">client_secret_basic</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">urn:ietf:params:oauth:grant-type:token-exchange</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">doctor-auth-provider</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">doctor-auth-provider</span><span class="pi">:</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">http://auth.mydoctor:8080/realms/mydoctor-demo/protocol/openid-connect/token</span> <span class="na">health-auth-provider</span><span class="pi">:</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">http://auth.myhealth:8090/realms/myhealth-demo/protocol/openid-connect/token</span> </code></pre> </div> <p>You can see those two clients have two different providers.</p> <p>When <strong>MyDoctor</strong> UI calls backend API endpoint of <code>http://api.mydoctor:8081/api/records</code>, backend API server actually calls <strong>MyHealth</strong> API endpoint <code>http://api.myhealth:8082/api/record</code> using WebClient:</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api"</span><span class="o">)</span> <span class="nd">@RequiredArgsConstructor</span> <span class="nd">@Slf4j</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">RecordController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">WebClient</span> <span class="n">webClient</span><span class="o">;</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/records"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Message</span><span class="o">&gt;</span> <span class="nf">getHealthRecords</span><span class="o">(</span> <span class="nd">@RegisteredOAuth2AuthorizedClient</span><span class="o">(</span><span class="s">"mydoctor-client"</span><span class="o">)</span> <span class="nc">OAuth2AuthorizedClient</span> <span class="n">doctorAuthClient</span> <span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="n">doctorAuthClient</span><span class="o">.</span><span class="na">getAccessToken</span><span class="o">().</span><span class="na">getTokenValue</span><span class="o">();</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Exchanged access token is:\n {}\n"</span><span class="o">,</span> <span class="n">token</span><span class="o">);</span> <span class="kt">var</span> <span class="n">result</span> <span class="o">=</span> <span class="n">webClient</span><span class="o">.</span><span class="na">get</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="s">"http://api.myhealth:8082/api/records"</span><span class="o">)</span> <span class="o">.</span><span class="na">headers</span><span class="o">((</span><span class="n">headers</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">headers</span><span class="o">.</span><span class="na">setBearerAuth</span><span class="o">(</span><span class="n">token</span><span class="o">))</span> <span class="o">.</span><span class="na">retrieve</span><span class="o">()</span> <span class="o">.</span><span class="na">bodyToMono</span><span class="o">(</span><span class="k">new</span> <span class="nc">ParameterizedTypeReference</span><span class="o">&lt;</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">Message</span><span class="o">&gt;&gt;()</span> <span class="o">{})</span> <span class="o">.</span><span class="na">block</span><span class="o">()</span> <span class="o">;</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Return result from MyHealth API Server: {}"</span><span class="o">,</span> <span class="n">result</span><span class="o">);</span> <span class="k">return</span> <span class="n">result</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We have to impersonate current user as <strong>MyHealth</strong> user, so we add bearer token to WebClient http request header. The token is coming from injected <code>doctorAuthClient</code>, which is resolved by <code>OAuth2AuthorizedClientArgumentResolver</code> using client registration ID <code>mydoctor-client</code>. This client will call <strong>MyDoctor</strong> keycloak server to do Token Exchange, passing current login user access token from <strong>MyDoctor</strong> keycloak, and get a new access token from <strong>MyHealth</strong> keycloak server.</p> <p>All the tricky parts are in Spring Security configuration:</p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nc">OAuth2AuthorizedClientProvider</span> <span class="nf">tokenExchange</span><span class="o">(</span> <span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="n">authorizedClientRepository</span> <span class="o">)</span> <span class="o">{</span> <span class="nc">Function</span><span class="o">&lt;</span><span class="nc">OAuth2AuthorizationContext</span><span class="o">,</span> <span class="nc">OAuth2Token</span><span class="o">&gt;</span> <span class="n">subjectResolver</span> <span class="o">=</span> <span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">context</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">()</span> <span class="k">instanceof</span> <span class="nc">JwtAuthenticationToken</span> <span class="n">jwtAuthenticationToken</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Jwt</span> <span class="n">jwt</span> <span class="o">=</span> <span class="n">jwtAuthenticationToken</span><span class="o">.</span><span class="na">getToken</span><span class="o">();</span> <span class="nc">OAuth2AccessToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2AccessToken</span><span class="o">(</span><span class="nc">TokenType</span><span class="o">.</span><span class="na">BEARER</span><span class="o">,</span> <span class="n">jwt</span><span class="o">.</span><span class="na">getTokenValue</span><span class="o">(),</span> <span class="n">jwt</span><span class="o">.</span><span class="na">getIssuedAt</span><span class="o">(),</span> <span class="n">jwt</span><span class="o">.</span><span class="na">getExpiresAt</span><span class="o">());</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Get Access Token for current user from JwtAuthenticationToken: {}"</span><span class="o">,</span> <span class="n">token</span><span class="o">.</span><span class="na">getTokenValue</span><span class="o">());</span> <span class="k">return</span> <span class="n">token</span><span class="o">;</span> <span class="o">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">RuntimeException</span><span class="o">(</span><span class="s">"Cannot resolve subject token with context principal "</span> <span class="o">+</span> <span class="n">context</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">()</span> <span class="o">);</span> <span class="o">};</span> <span class="nc">Converter</span><span class="o">&lt;</span><span class="nc">TokenExchangeGrantRequest</span><span class="o">,</span> <span class="nc">RequestEntity</span><span class="o">&lt;?&gt;&gt;</span> <span class="n">requestEntityConverter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenExchangeGrantRequestEntityConverter</span><span class="o">()</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="nc">MultiValueMap</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="nf">createParameters</span><span class="o">(</span><span class="nc">TokenExchangeGrantRequest</span> <span class="n">grantRequest</span><span class="o">)</span> <span class="o">{</span> <span class="nc">MultiValueMap</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">parameters</span> <span class="o">=</span> <span class="kd">super</span><span class="o">.</span><span class="na">createParameters</span><span class="o">(</span><span class="n">grantRequest</span><span class="o">);</span> <span class="n">parameters</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"requested_issuer"</span><span class="o">,</span> <span class="s">"myhealth-keycloak-oidc"</span><span class="o">);</span> <span class="k">return</span> <span class="n">parameters</span><span class="o">;</span> <span class="o">}</span> <span class="o">};</span> <span class="nc">DefaultTokenExchangeTokenResponseClient</span> <span class="n">accessTokenResponseClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultTokenExchangeTokenResponseClient</span><span class="o">();</span> <span class="n">accessTokenResponseClient</span><span class="o">.</span><span class="na">setRequestEntityConverter</span><span class="o">(</span><span class="n">requestEntityConverter</span><span class="o">);</span> <span class="nc">TokenExchangeOAuth2AuthorizedClientProvider</span> <span class="n">authorizedClientProvider</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">TokenExchangeOAuth2AuthorizedClientProvider</span><span class="o">();</span> <span class="n">authorizedClientProvider</span><span class="o">.</span><span class="na">setSubjectTokenResolver</span><span class="o">(</span><span class="n">subjectResolver</span><span class="o">);</span> <span class="n">authorizedClientProvider</span><span class="o">.</span><span class="na">setAccessTokenResponseClient</span><span class="o">(</span><span class="n">accessTokenResponseClient</span><span class="o">);</span> <span class="k">return</span> <span class="n">authorizedClientProvider</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OAuth2AuthorizedClientManager</span> <span class="nf">authorizedClientManager</span><span class="o">(</span> <span class="nc">ClientRegistrationRepository</span> <span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="nc">OAuth2AuthorizedClientService</span> <span class="n">clientService</span><span class="o">,</span> <span class="nc">OAuth2AuthorizedClientRepository</span> <span class="n">authorizedClientRepository</span> <span class="o">)</span> <span class="o">{</span> <span class="nc">OAuth2AuthorizedClientProvider</span> <span class="n">authorizedClientProvider</span> <span class="o">=</span> <span class="nc">OAuth2AuthorizedClientProviderBuilder</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">refreshToken</span><span class="o">()</span> <span class="o">.</span><span class="na">clientCredentials</span><span class="o">()</span> <span class="o">.</span><span class="na">provider</span><span class="o">(</span><span class="n">tokenExchange</span><span class="o">(</span><span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="n">authorizedClientRepository</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">AuthorizedClientServiceOAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">AuthorizedClientServiceOAuth2AuthorizedClientManager</span><span class="o">(</span><span class="n">clientRegistrationRepository</span><span class="o">,</span> <span class="n">clientService</span><span class="o">);</span> <span class="n">authorizedClientManager</span><span class="o">.</span><span class="na">setAuthorizedClientProvider</span><span class="o">(</span><span class="n">authorizedClientProvider</span><span class="o">);</span> <span class="k">return</span> <span class="n">authorizedClientManager</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nc">WebClient</span> <span class="nf">webClient</span><span class="o">(</span><span class="nc">OAuth2AuthorizedClientManager</span> <span class="n">authorizedClientManager</span><span class="o">)</span> <span class="o">{</span> <span class="nc">ServletOAuth2AuthorizedClientExchangeFilterFunction</span> <span class="n">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">ServletOAuth2AuthorizedClientExchangeFilterFunction</span><span class="o">(</span><span class="n">authorizedClientManager</span><span class="o">);</span> <span class="n">oauth2Client</span><span class="o">.</span><span class="na">setDefaultClientRegistrationId</span><span class="o">(</span><span class="s">"myhealth-client"</span><span class="o">);</span> <span class="k">return</span> <span class="nc">WebClient</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">oauth2Client</span><span class="o">.</span><span class="na">oauth2Configuration</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>It took me several days to get it working! I got the idea from Spring Security project <a href="https://github.com/spring-projects/spring-security/issues/15408" rel="noopener noreferrer">issue discussion</a>, and <a href="https://www.keycloak.org/docs/latest/securing_apps/#_token-exchange" rel="noopener noreferrer">Keycloak documentation</a>.</p> <p>First, using <code>subjectResolver</code> to get JWT token from current security context, because we are using <code>KeycloakJwtAuthenticationConverter</code> to store <code>JwtAuthenticationToken</code> object as <code>Principal</code>. Pass it to <code>TokenExchangeOAuth2AuthorizedClientProvider</code>, so this client provider can call <strong>MyDoctor</strong> keycloak server with current login user’s access token.</p> <p>Second, Keycloak server implements RFC8693 Token Exchange a little differently:</p> <blockquote> <p>Token exchange in Keycloak is a very loose implementation of the OAuth Token Exchange specification at the IETF. We have extended it a little, ignored some of it, and loosely interpreted other parts of the specification.</p> </blockquote> <p>The Keycloak token exchange request parameters include <code>requested_issuer</code>, which is the alias of the ID provider in <strong>MyDoctor</strong> configuration, the <code>MyHealth Keycloak</code>, and its alias is <code>myhealth-keycloak-oidc</code>. Since <code>requested_issuer</code> is not <a href="https://datatracker.ietf.org/doc/html/rfc8693#name-request" rel="noopener noreferrer">the standard RFC8693 request parameters</a>, Spring Security doesn’t support it as well. Fortunately I can hack <code>TokenExchangeOAuth2AuthorizedClientProvider</code> with a customized <code>OAuth2AccessTokenResponseClient</code> to set <code>requested_issuer</code> parameter inside <code>TokenExchangeGrantRequestEntityConverter</code>. See above code in <code>tokenExchange()</code>.</p> <p>Third, config <code>OAuth2AuthorizedClientManager</code> with <code>OAuth2AuthorizedClientProvider</code> from <code>tokenExchange()</code>, so our <code>doctorAuthClient</code> above can call <strong>MyDoctor</strong> Keycloak server to do token exchange as client ID <code>mydoctor-api</code>!</p> <p>Last, build <code>WebClient</code> with <code>ServletOAuth2AuthorizedClientExchangeFilterFunction</code>, passing client registration ID <code>myhealth-client</code>, so this <code>WebClient</code> will be able to call <strong>MyHealth</strong> API as client ID <code>mydoctor-api-server</code>, but we use the access token exchanged from <strong>MyDoctor</strong> Keycloak server as bearer token.</p> <p>You can open <strong>MyDoctor</strong> UI at <code>http://mydoctor:4200</code>, <br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbu0apim7ri9bzhmvksae.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbu0apim7ri9bzhmvksae.png" alt="MyDoctor Website"></a></p> <p>and click <code>Login</code> button, to redirect to <strong>MyDoctor</strong> Keycloak Login Page:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fayso7sf9rlr5mzqjc1fs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fayso7sf9rlr5mzqjc1fs.png" alt="MyDoctor Keycloak Login"></a></p> <p>Then click <code>MyHealth Keycloak</code> button to login with <strong>MyHealth</strong> Keycloak server:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffp5ivo9i55petuss1j26.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffp5ivo9i55petuss1j26.png" alt="MyHealth Keycloak Login"></a></p> <p>You can see the host changed from <code>auth.mydoctor:8080</code> to <code>auth.myhealth:8090</code>.</p> <p>Login with <strong>MyHealth</strong> user John Doe (username and password as <code>john</code>), you can see in <strong>MyDoctor</strong> Keycloak server admin console, under <code>mydoctor-demo</code> realm, a new user <code>john</code> was added, and this user has links to another identity provider <code>Myhealth-keycloak-oidc</code>.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1fz3mx3vktwt4hio50o2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1fz3mx3vktwt4hio50o2.png" alt="MyDoctor Keycloak User"></a></p> <p>In <strong>MyDoctor</strong> UI, after login, you can click button <code>call http://api.mydoctor:8081/api/records</code>, so UI will call <strong>MyDoctor</strong> backend, and backend server actually will first call <strong>MyDoctor</strong> Keycloak server to do Token Exchange, then call <strong>MyHealth</strong> API server to get user health records.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzt68aurk2xxvsblnyryc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzt68aurk2xxvsblnyryc.png" alt="MyDoctor UI"></a></p> <p>From <code>mydoctor-api</code> server log, we can find out the access token used by <strong>MyDoctor</strong> UI is </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1726293365</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1726293065</span><span class="p">,</span><span class="w"> </span><span class="nl">"auth_time"</span><span class="p">:</span><span class="w"> </span><span class="mi">1726293065</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c01fc98f-f959-42ba-a25b-7e8e1a29dc12"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://auth.mydoctor:8080/realms/mydoctor-demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"broker"</span><span class="p">,</span><span class="w"> </span><span class="s2">"account"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5adba68d-c9cc-487d-a9e2-62bfae549483"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mydoctor-ui"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"40cd230f-a5af-4308-84dc-e5f856bc0a0e"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"http://mydoctor:4200"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"realm_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"default-roles-mydoctor-demo"</span><span class="p">,</span><span class="w"> </span><span class="s2">"offline_access"</span><span class="p">,</span><span class="w"> </span><span class="s2">"uma_authorization"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"resource_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mydoctor-ui"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"view-appointment"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"broker"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"read-token"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"account"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"manage-account"</span><span class="p">,</span><span class="w"> </span><span class="s2">"manage-account-links"</span><span class="p">,</span><span class="w"> </span><span class="s2">"view-profile"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"openid email profile"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email_verified"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"preferred_username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john"</span><span class="p">,</span><span class="w"> </span><span class="nl">"given_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John"</span><span class="p">,</span><span class="w"> </span><span class="nl">"family_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john.doe@demo.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And after token exchange, the access token used by <strong>MyDoctor</strong> API server:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1726293365</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1726293065</span><span class="p">,</span><span class="w"> </span><span class="nl">"auth_time"</span><span class="p">:</span><span class="w"> </span><span class="mi">1726293065</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"6c221b25-9b49-45e1-975a-88448104050d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://auth.myhealth:8090/realms/myhealth-demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"myhealth-ui"</span><span class="p">,</span><span class="w"> </span><span class="s2">"account"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1b0d98b6-ea18-4dbd-9d6e-a83e621c07c2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mydoctor-auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"531b04de-1ac5-4b04-8125-4c8ca10872bf"</span><span class="p">,</span><span class="w"> </span><span class="nl">"acr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"allowed-origins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"http://auth.mydoctor:8080/*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"realm_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"default-roles-myhealth-demo"</span><span class="p">,</span><span class="w"> </span><span class="s2">"offline_access"</span><span class="p">,</span><span class="w"> </span><span class="s2">"uma_authorization"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"resource_access"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"myhealth-ui"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"view-health-record"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"account"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"manage-account"</span><span class="p">,</span><span class="w"> </span><span class="s2">"manage-account-links"</span><span class="p">,</span><span class="w"> </span><span class="s2">"view-profile"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"openid profile email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email_verified"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"preferred_username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john"</span><span class="p">,</span><span class="w"> </span><span class="nl">"given_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John"</span><span class="p">,</span><span class="w"> </span><span class="nl">"family_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john.doe@demo.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Before exchange, the access token has the role of <code>view-appointment</code> for <code>mydoctor-ui</code>, and after exchange, it has the role of <code>view-health-record</code> for <code>myhealth-ui</code>. Quite amazing!</p> <h2> Conclusion </h2> <p>Recently, I designed and implemented an integration allowing users to log in to Company A using Company B’s account and access Company B’s APIs on the user’s behalf. By combining Keycloak’s identity provider linking and the OAuth 2 Token Exchange protocol, we can provide a seamless experience while maintaining secure API calls between different systems.</p> <p>However, as of September 2024, Token Exchange is still a preview feature in Keycloak, and Spring Security has only recently added support for it. I hope this guide helps others attempting to implement this functionality in their projects. </p> oauth2 tokenexchange springsecurity keycloak