Friday, November 30, 2018

Secure spring boot application with keycloak

In the last blog post of this series we saw how to configure Keycloak for our application.
In this tutorial we will see how to use Keycloak with Spring Boot.

Prerequisite
  • Docker
  • Keycloak

Version
  • Spring Boot: 1.5.17.RELEASE
  • Java: 1.8
  • Keycloak: 4.0.5-Final


Create sample spring boot application
Dependencies
  • Spring-boot-starter-web
  • Keycloak-spring-boot-starter

Create rest controller class


Secure App with keycloak
Add the Maven dependencies for Keycloak and Spring Security
  • spring-boot-starter-security
  • keycloak-spring-boot-starter

Configure the Keycloak server URL and realm details in the application.properties file


Configure keycloak security settings in the application
Add the class below to configure Keycloak

KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter, which provides a
convenient base class for creating a WebSecurityConfigurer instance secured by Keycloak.

GrantedAuthoritiesMapper is the mapping interface that converts the Keycloak role names into
Spring Security authorities; here it is used to convert the role names from lowercase to uppercase.

KeycloakAuthenticationProvider performs the authentication process.

NullAuthenticatedSessionStrategy: because the service is a stateless REST API, no HTTP session
needs to be created when a request is authenticated, so the null session strategy is used.

KeycloakConfigResolver tells the Keycloak adapter not to look for a keycloak.json file and
instead to read its configuration from the Spring Boot configuration (application.properties).

keycloakAuthenticationProcessingFilterRegistrationBean and keycloakPreAuthActionsFilterRegistrationBean
register the two Keycloak filters as disabled, so that Spring Boot does not register them a second
time on the servlet container (they are already part of the Spring Security filter chain).

Add security to the REST controller SecuredResources
Running application

Start the application using

mvn spring-boot:run


Call the admin API without a security token.


Get an access token for the admin role


Access the admin API with the access token


Accessing the user API with the admin access token gives an error, because the user role is required to access the user service.


Get an access token for the user role


Access the user service



You can get the source code from Bitbucket

Setup Keycloak security for a Spring Boot application

Setup Realm and clients in keycloak
This blog is the second part of the series on securing a Spring Boot application with Keycloak. In the first part we installed Keycloak with Docker; you can see the first part here.
Version:
Keycloak: 4.5.0.Final
Pre-requisites
Keycloak should be installed in the

Create realm
A realm secures and manages security metadata for a set of users, applications, and registered oauth clients. Users can be created within a specific realm within the Administration console.
Click on Add realm button

Input the realm name

Once the realm is created you will see this screen


Create Client
We need two clients: a bearer-only client for the application, and a public client used to obtain the access token

Create Public client
Once the public client is created you will see the screen below


Create the bearer-only client and set its access type to bearer-only
Add new Admin role for the application client

Create Admin Client

 Create User Client
Create User for the application
Create two users, one with the admin role and one with the user role.

 Create admin user

 Set password

Assign admin role to user vik-admin


Similarly create another user account vik-user with user role


Get access and refresh token
Use the curl command below to get the access token

Response
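The token request above and the secured API calls from the Spring Boot post, as an added Java example that is not part of either post (it mirrors the curl command with Java's built-in HTTP client). Keycloak's port 9001 and the user names vik-admin and vik-user come from the posts; the realm name, the public client id, the application port, the endpoint paths and the passwords (passed as program arguments) are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Scanner;

public class TokenClient {

    static final String KEYCLOAK = "http://localhost:9001/auth";   // port from the docker-compose setup
    static final String REALM = "demo-realm";                       // assumption: your realm name
    static final String CLIENT_ID = "demo-public-client";           // assumption: the public client
    static final String APP = "http://localhost:8080";              // assumption: Spring Boot default port

    /** Resource Owner Password grant against the realm's token endpoint; returns the raw JSON body. */
    static String requestTokens(String username, String password) throws IOException {
        String form = "grant_type=password"
                + "&client_id=" + URLEncoder.encode(CLIENT_ID, "UTF-8")
                + "&username=" + URLEncoder.encode(username, "UTF-8")
                + "&password=" + URLEncoder.encode(password, "UTF-8");
        HttpURLConnection con = (HttpURLConnection) new URL(
                KEYCLOAK + "/realms/" + REALM + "/protocol/openid-connect/token").openConnection();
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = con.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        String body = readBody(con);
        if (con.getResponseCode() != 200) {
            throw new IOException("token request failed: HTTP " + con.getResponseCode() + " " + body);
        }
        return body;
    }

    /** Minimal extraction of a string field such as "access_token" or "refresh_token" from the
     *  token JSON; good enough here, a JSON library is the right tool in real code. */
    static String jsonString(String json, String field) {
        String key = "\"" + field + "\":\"";
        int start = json.indexOf(key);
        if (start < 0) throw new IllegalArgumentException("field " + field + " not in response");
        start += key.length();
        return json.substring(start, json.indexOf('"', start));
    }

    /** GET an API path, optionally with a Bearer token, and return the HTTP status code. */
    static int callApi(String path, String accessToken) throws IOException {
        HttpURLConnection con = (HttpURLConnection) new URL(APP + path).openConnection();
        con.setRequestMethod("GET");
        if (accessToken != null) {
            con.setRequestProperty("Authorization", "Bearer " + accessToken);
        }
        return con.getResponseCode();
    }

    private static String readBody(HttpURLConnection con) throws IOException {
        InputStream in = con.getResponseCode() < 400 ? con.getInputStream() : con.getErrorStream();
        if (in == null) return "";
        try (Scanner s = new Scanner(in, "UTF-8").useDelimiter("\\A")) {
            return s.hasNext() ? s.next() : "";
        }
    }

    // Usage: java TokenClient <vik-admin password> <vik-user password>
    public static void main(String[] args) throws IOException {
        // No token: the adapter rejects the request before it reaches the controller.
        System.out.println("/admin without token: HTTP " + callApi("/admin", null));

        String adminJson = requestTokens("vik-admin", args[0]);
        String adminToken = jsonString(adminJson, "access_token");
        System.out.println("refresh token received: " + !jsonString(adminJson, "refresh_token").isEmpty());
        System.out.println("/admin with admin token: HTTP " + callApi("/admin", adminToken));
        // The admin token lacks the user role, so the user API refuses it.
        System.out.println("/user with admin token: HTTP " + callApi("/user", adminToken));

        String userToken = jsonString(requestTokens("vik-user", args[1]), "access_token");
        System.out.println("/user with user token: HTTP " + callApi("/user", userToken));
    }
}
```

The password grant is used here only because the posts use it for a local test; it hands the user's password to the client, so production clients should use the authorization code flow and keep the refresh token out of logs.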


In the next blog we will see how to secure the Spring Boot application. You can see the blog here.

Wednesday, November 28, 2018

Setup Keycloak with Docker


Introduction of Keycloak
Keycloak is open source identity and access management for modern applications and services. It adds authentication to applications and secures services with minimum fuss. There is no need to deal with storing users or authenticating users; it is all available out of the box.

You'll even get advanced features such as User Federation, Identity Brokering and Social Login.
Prerequisites:
Docker:
Since we are using Docker to install Keycloak, it should be installed on your machine. If it is not, you can download and install it from the link given below; it is pretty straightforward.
Create docker compose file
  1. We use Keycloak with a MySQL database to persist the user data.
  2. Use the docker-compose.yml file below to pull the images and start the containers

docker-compose.yml


In the docker compose file we provide the default user name and password for the Keycloak admin user, as described on Docker Hub for the Keycloak image.
  • Our MySQL and Keycloak servers run on the Docker network “Keycloak-network”.
Start keycloak and mysql server
  • Run the “docker-compose up” command on the terminal; once the server is up you can see the output as below -

  • Go to the browser and type the URL http://localhost:9001. Note: remember that we exposed this port in the docker-compose file.

You can now log in to Keycloak with the username and password you provided in the docker-compose file. In our case we used the username “admin” and the password “admin”.



After login you will see the default realm ‘master’ as below -

Core concept and terms of keycloak -
Realms:
A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.

Groups:
Groups manage groups of users. Attributes can be defined for a group. You can map roles to a group as well. Users that become members of a group inherit the attributes and role mappings that group defines.

Clients:
Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Keycloak.

Client scopes:
When a client is registered, you must define protocol mappers and role scope mappings for that client. It is often useful to store a client scope, to make creating new clients easier by sharing some common settings. This is also useful for requesting some claims or roles to be conditionally based on the value of scope parameter. Keycloak provides the concept of a client scope for this.

Client role:
Clients can define roles that are specific to them. This is basically a role namespace dedicated to the client.

Identity token:
A token that provides identity information about the user. Part of the OpenID Connect specification. You can get more details about these terms here.
Conclusion:
In this blog we learned how to set up Keycloak using Docker; in the next blog we will create an application and secure it using Keycloak.

Reference https: