Securing Microservices / APIs with identity management solution without managing user at application end.
Integrating Spring Boot with Keycloak and securing APIs
Use case: With changes in business model, these days enterprises are more people centric than age old product centric. That makes application developer to design applications with more ease for users. Classical solution is to let allow register for our site and we store user’s data (login, passcode, profile & preference etc) at our end and maintains its sanctity. Every application’s need is to authenticate and authorize user and they need to code this functionality every time, no matter the app.
Modern solution is to have one identity server separate and admin can config user & their roles there or get it linked with so many backend O-Auth servers or social accounts and for enterprise , it can connect with existing user federation i.e. LDAP , AD etc.
Solution offered: Keycloak is an open source Identity and Access Management solution aimed at modern applications and services.
Features :
· It allows us to secure our Api without making any change at code layer of our application. This means that our applications do not have to deal with login forms, authenticating users, and storing users.
· If same key cloak being used in multi-application in an enterprise, it is more secure as user need to single sign on / out from all apps.
· Login via social network is very easy. It is just a matter of selecting the social network you want to add. No code or changes to your application is required.
· Keycloak can also authenticate users with existing OpenID Connect or SAML 2.0 Identity Providers.
·Built in support to connect existing LDAP, AD etc.
Executive overview : Keycloak provides adapters for an application that needs to interact with a Keycloak instance. There are adapters for WildFly/EAP, NodeJS, JavaScript, and, of course, for Spring Boot. This blog is about integrating spring boot app with key cloak and provide step by step process of implementation of securing few apis of your spring boot micro service using authentication/authorization from key cloak where users are maintained in it.
To make it more realistic we will have them deployed separately. Key cloak server to deploy as container in cloud platform, RedHat Openshift and application to develop and deploy from local machine. We will cover it in two phases.
Phase 1 : Deploy Key cloak container in Openshift and configure it.
Phase 2 : Develop a spring boot microservice with two api .One to keep open and another to secure via keyCloak.
Setting Up a Keycloak Server :
- Access and looged in to openshift cluster. Create a namespace where we will install keycloak. $oc new-project keycloak
2. To spin up a Keycloak server in your project, execute the following command:
3. Next Click the route and it will open the login console of the keycloak server. Put your KEYCLOAK_USER & KEYCLOAK_PASSWORD what you have set in the installation command. In our case both are ‘admin’.
4. Post Login we will land in the admin console in Master realm . As per https://www.keycloak.org/ “A realm in Keycloak is the equivalent of a tenant. It allows creating isolated groups of applications and users. By default there is a single realm in Keycloak called master. This is dedicated to manage Keycloak and should not be used for your own applications.”
5. Let’s create our first realm. Mouse hover at Master realm will display dropdown menu . Click it .
6. Fill in the form with the realm name e.g. ‘abhiroop-keycloak-poc’:
7. Add client in same realm . Give it a name unique within realm . In our case we created a client ‘keycloak-integration’.
8. On the next screen, we can keep the default settings, but just need to enter a valid redirect URL that Keycloak will use once the user is authenticated. SInce we are developing spring boot app in my local machine and will run on default port i.e. 8080, thus the value put: http://localhost:8080/* and click save.
9. Create Role : Click Roles in left nav menu then click ‘AddRole’ . Fill the form and click save. We have added role ‘role_account_admin’.
10. Create User : Click User in left nav menu and then add user . Fill the form and save.
11. In next page click Credentials and set password for the user.
12. Click Role Mappings and add the role we created above.
At this stage, We are done for now with the Keycloak server configuration and we can start building our Spring Boot App , which we decided to create as account details app with two api ‘/’ & ‘/account-list’ .
Devlopment of spring boot app for keycloak integration:
- From https://start.spring.io/ generate a project with name ‘keycloak-integration’ with deps ‘Web’ , ‘actuator’ , ‘thymeleaf’ . Once downloaded, unzip and add keycloak-boot-starter dependency in maven pom.xml file.
2. Open the application.properties file to put configurable property to connect/integrate with keycloak server. As we aren’t using spring-security for this demo we do need to provide which patterns of api we need to secure and what role is authorized to pass that barrier.\
3. Create one Restcontroller AccountRestController with below request mappings
4. Create two plain html files corresponding to the above views and the app code structure looks like below.
5. With maven execute below command to run spring boot app
$mvn clean spring-boot:run
6. Now browse to “http://localhost:8080” and you should see the landing page i.e. /home.html
7. Clicking the Accounts link at top nav bar will redirect to keycloak auth url
8. Logged in with the user we created in keycloak side will redirect us to our desired page /account-list that displays list of accounts . Without login one can not see the account details page but home page is open for that user.
Summary:
Congratulations!! We have successfully learned to deploy keycloak server in openshift , basic configuration of it and then develop and integrate spring boot app to this server to secure our /account-list webpage.
Note: Though it is a very simple code , only for keycloak integration demo purpose , still in case some one need to access it can get it at git.
Connectivity/redirection issue varies in different environment . In case anyone faces incorrect redirect api creation error by keycloak should consider to visit this-page.