SSO for Spring WebFlux — Reactive Authentication and Authorization
Reactive applications introduce new challenges for SSO.
Spring WebFlux does not use thread-local security context like MVC, so you must handle authentication and authorization differently.
1️⃣ Reactive context vs thread-local
In Spring MVC:
- SecurityContextHolder uses thread-local storage
- Filters populate authentication before reaching controllers
In WebFlux:
- No thread-local — reactive chains pass context via Reactor Context
- Logging or accessing
SecurityContextHolder.getContext() outside the reactive chain often returns null
Debug tip: Always log authentication inside Mono/Flux using deferContextual.
2️⃣ Integrating Keycloak with WebFlux
Use keycloak-spring-boot-starter with spring-security-webflux dependencies.
Key steps:
- Configure reactive security adapter
- Set
SecurityWebFilterChain bean
- Map Keycloak roles to reactive authorities
Example:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.pathMatchers("/public/**").permitAll()
.anyExchange().authenticated()
.and()
.oauth2Login();
return http.build();
}
3️⃣ Common WebFlux SSO issues
- Null authentication in reactive chain — occurs if context not propagated
- Roles not applied — must extract from JWT/IdP claims
- Redirect loops — check
redirect-uri configuration
- Token expiration — same as MVC, but refresh must be reactive
4️⃣ Logging and debugging
Always log inside the reactive chain:
Mono handleRequest(ServerWebExchange exchange) {
return ReactiveSecurityContextHolder.getContext()
.doOnNext(ctx -> {
Authentication auth = ctx.getAuthentication();
log.info("User={}, authorities={}",
auth.getName(), auth.getAuthorities());
})
.then();
}
This ensures you see the **real authentication state** per request.
5️⃣ Authorization in WebFlux
Use hasRole() or hasAuthority() in ServerHttpSecurity rules:
http.authorizeExchange()
.pathMatchers("/admin/**").hasRole("ADMIN")
.anyExchange().authenticated();
Remember: roles must be correctly mapped from Keycloak claims.
6️⃣ Systematic WebFlux SSO debugging workflow
- Check Keycloak logs for token issuance
- Verify token reaches your WebFlux app
- Log authentication inside reactive chain
- Validate roles/authorities
- Check redirect URIs for login/logout flows
- Enable DEBUG logging for
org.keycloak.adapters and org.springframework.security
Final thoughts
- Reactive SSO requires understanding the context propagation
- WebFlux apps need different logging than MVC
- Once you log correctly and map roles, SSO works seamlessly
- Use the systematic workflow for every authentication issue
Series complete
You have now learned:
- SSO concepts and protocols
- Integrating Keycloak with Spring Boot (MVC)
- Debugging SSO authentication issues
- Handling SSO in Spring WebFlux applications
Part of the Spring Boot SSO Series
❤️ Support This Blog
If this post helped you, you can support my writing with a small donation.
Thank you for reading.
Comments
Post a Comment