SSO for Spring WebFlux — Reactive Authentication and Authorization

Reactive applications introduce new challenges for SSO. Spring WebFlux does not use a thread-local security context as MVC does, so authentication and authorization have to be handled differently.


1️⃣ Reactive context vs thread-local

In Spring MVC:

  • SecurityContextHolder uses thread-local storage
  • Filters populate authentication before reaching controllers

In WebFlux:

  • No thread-local — reactive chains pass context via Reactor Context
  • Calling SecurityContextHolder.getContext() outside the reactive chain finds no authentication (the thread-local is empty), so getAuthentication() returns null

Debug tip: Always log authentication inside Mono/Flux using deferContextual.


2️⃣ Integrating Keycloak with WebFlux

Use keycloak-spring-boot-starter with spring-security-webflux dependencies.

Key steps:

  1. Configure reactive security adapter
  2. Set SecurityWebFilterChain bean
  3. Map Keycloak roles to reactive authorities

Example (lambda DSL, equivalent to the older .and() chaining):

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        // /public/** is open; every other exchange needs an authenticated principal
        .authorizeExchange(exchanges -> exchanges
            .pathMatchers("/public/**").permitAll()
            .anyExchange().authenticated())
        // OIDC authorization-code login against the configured Keycloak client
        .oauth2Login(withDefaults());
    return http.build();
}
```


3️⃣ Common WebFlux SSO issues

  • Null authentication in the reactive chain — occurs when the Reactor Context is not propagated
  • Roles not applied — authorities must be extracted from the JWT or IdP claims
  • Redirect loops — check the redirect-uri configuration
  • Token expiration — same as MVC, but the refresh must be reactive

4️⃣ Logging and debugging

Always log inside the reactive chain:



Mono handleRequest(ServerWebExchange exchange) {

    return ReactiveSecurityContextHolder.getContext()

        .doOnNext(ctx -> {

            Authentication auth = ctx.getAuthentication();

            log.info("User={}, authorities={}", 

                     auth.getName(), auth.getAuthorities());

        })

        .then();

}

This ensures you see the **real authentication state** per request.


5️⃣ Authorization in WebFlux

Use hasRole() or hasAuthority() in ServerHttpSecurity rules:

```java
http.authorizeExchange(exchanges -> exchanges
    // hasRole("ADMIN") matches the granted authority "ROLE_ADMIN"
    .pathMatchers("/admin/**").hasRole("ADMIN")
    .anyExchange().authenticated());
```

Remember: roles must be correctly mapped from Keycloak claims.
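The role mapping that sections 2 and 5 rely on, as an added example rather than code from the original post: a GrantedAuthoritiesMapper bean that turns Keycloak's realm_access.roles claim into ROLE_* authorities so that hasRole("ADMIN") works, and tolerates the claim being absent (the "roles not applied" failure above). It assumes Spring Security's reactive oauth2Login picks up a GrantedAuthoritiesMapper bean (it does in current versions) and that Keycloak is configured to put realm roles into the ID token or userinfo response; the class name KeycloakRoleMapping is made up.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

@Configuration
public class KeycloakRoleMapping {
    // Extracts Keycloak realm roles from a claim map. Keycloak emits
    // {"realm_access": {"roles": ["admin", "user"]}}; a missing claim yields no roles.
    static Set<GrantedAuthority> realmRoleAuthorities(Map<String, Object> claims) {
        Set<GrantedAuthority> authorities = new HashSet<>();
        Object realmAccess = claims.get("realm_access");
        if (!(realmAccess instanceof Map)) return authorities; // claim absent: nothing to map
        Object roles = ((Map<?, ?>) realmAccess).get("roles");
        if (roles instanceof Collection) {
            for (Object role : (Collection<?>) roles) {
                // hasRole("ADMIN") looks for the authority "ROLE_ADMIN"
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toString().toUpperCase()));
            }
        }
        return authorities;
    }

    // Applied by the reactive OAuth2/OIDC login manager after the user is loaded,
    // so the authorities seen by hasRole()/hasAuthority() include the Keycloak roles.
    @Bean
    public GrantedAuthoritiesMapper keycloakAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities); // keep OIDC_USER etc.
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    mapped.addAll(realmRoleAuthorities(oidc.getIdToken().getClaims()));
                    if (oidc.getUserInfo() != null) {
                        mapped.addAll(realmRoleAuthorities(oidc.getUserInfo().getClaims()));
                    }
                }
            }
            return mapped;
        };
    }
}
```

If roles still do not show up in the authorities logged inside the chain, the claim is usually missing from the ID token, which is a Keycloak client-scope mapper setting, not a Spring problem.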


6️⃣ Systematic WebFlux SSO debugging workflow

  1. Check Keycloak logs for token issuance
  2. Verify token reaches your WebFlux app
  3. Log authentication inside reactive chain
  4. Validate roles/authorities
  5. Check redirect URIs for login/logout flows
  6. Enable DEBUG logging for org.keycloak.adapters and org.springframework.security

Final thoughts

  • Reactive SSO requires understanding the context propagation
  • WebFlux apps need different logging than MVC
  • Once you log correctly and map roles, SSO works seamlessly
  • Use the systematic workflow for every authentication issue

Series complete

You have now learned:

  • SSO concepts and protocols
  • Integrating Keycloak with Spring Boot (MVC)
  • Debugging SSO authentication issues
  • Handling SSO in Spring WebFlux applications

Part of the Spring Boot SSO Series
