Ravi Yasas, profile picture
Uploaded byRavi Yasas
1,011 views

Keycloak Single Sign-On

The document provides a comprehensive guide on how to integrate Keycloak, an open-source identity and access management provider, with Spring Boot and Spring Security for secure applications. It covers setup instructions, client configurations, and examples of public and bearer-only access types through multiple Spring Boot applications. Additionally, it includes sample code and project structures for two applications using Keycloak as a Single Sign-On (SSO) solution.

Embed presentation

Downloaded 29 times
Ravi Yasas Keycloak SSO SINGLE SIGN ON WITH KEYCLOAK
Page 1 of 13 Content Get started with Keycloak.……………………………………….………..02 Integrate Keycloak with Spring Boot and Spring Security……………..02 Sample property file…………………………………………………………………….03 Sample Security configuration file………………………………………03 Using Public access type……………………………………………………………….04 Project structure – Application one………………………………………………04 Project structure – Application two………………………………………………07 Using bearer-only access type………………………………………………………10
Page 2 of 13 Get started with Keycloak • Apache Keycloak is an opensource identity and access management provider. Learn more • You can download the Keycloak server from here You can download the stable latest release. • Once you download just extract it. It may look like the above image. • You can change the server port and other configuration data by changing standalone.xml file which is in standalone -> configuration directory. • If you need to start the Keycloak server go to the bin directory. o Windows – run standalone.bat o Linux – run standalone.sh • Now Keycloak server will start on port 8080 if you did not change it. • You can go to Administration Console from here http://localhost:8080/auth/ • The very first time you may need to create an admin user. • Once you provide admin credentials you created, you can login to the admin panel. Integrate Keycloak with Spring Boot and Spring Security • Keycloak can be used with Spring Security. If you want, you can do it without integrating Spring Security. • Apache Keycloak can be very easily integrated with Spring Boot and Spring Security. You need to do a few things. o Create a new Security configuration file. o Add some properties to the property file. Here I am going to create two small Spring Boot applications which are running on port 8090 and port 8092. I am using another Spring Boot application which is running on port 8091 as a service for the application running on port 8090.
Page 3 of 13 Sample property file keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.resource=app1 keycloak.public-client=true Server.port= 8090 Sample Security configuration file package com.example.productapp.security; import org.keycloak.adapters.KeycloakConfigResolver; import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; import org.keycloak.adapters.springsecurity.KeycloakConfiguration; import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; import org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory; import org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate; import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.config.ConfigurableBeanFactory; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Scope; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; @KeycloakConfiguration public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{ KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider(); keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper()); auth.authenticationProvider(keycloakAuthenticationProvider); } @Bean @Override protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); } @Bean public KeycloakConfigResolver keycloakConfigResolver(){ return new KeycloakSpringBootConfigResolver(); } @Autowired public KeycloakClientRequestFactory keycloakClientRequestFactory; @Bean @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE) public KeycloakRestTemplate keycloakRestTemplate(){ return new KeycloakRestTemplate(keycloakClientRequestFactory); } @Override protected void configure(HttpSecurity http) throws Exception{ super.configure(http); http.authorizeRequests() .antMatchers("/products*").hasRole("user") .anyRequest().permitAll(); } }
Page 4 of 13 In Keycloak client configuration, there are three types of Access types. 1. Public – This is used for clients who need a browser login. 2. Confidential – This is used for clients who need browser login with a client secret. 3. Bearer only – This access type means it only allows bearer token requests not browser login Using Public access type Here I described two applications with public access type. Both applications look same. Here are some details of those application. Configuration Application one Application two server.port 8090 8092 keycloak.auth-server-url http://localhost:8080/auth http://localhost:8080/auth keycloak.realm api api keycloak.resource client1 client2 keycloak.public-client true true As you can see each application uses same realm (api), but different keycloak resources (client1 and client2) Project structure – Application one
Page 5 of 13 ProductController.java package com.example.productapp.controller; import com.example.productapp.service.ProductService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.GetMapping; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @Controller public class ProductController { @Autowired private ProductService productService; @GetMapping(path = "/products") public String getProducts(Model model){ model.addAttribute("products", productService.getProducts()); return "products"; } @GetMapping(path = "/logout") public String logout(HttpServletRequest request) throws ServletException { request.logout(); return "/"; } } ProductService.java package com.example.productapp.service; import org.springframework.stereotype.Service; import java.util.Arrays; import java.util.List; @Service public class ProductService{ public List<String> getProducts(){ return Arrays.asList("Mazda","Toyota","Audi"); } } application.properties server.port=8090 keycloak.enabled=true keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.resource=client1 keycloak.public-client=true index.html <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content=""> <meta name="author" content=""> <link rel="icon" href="../../../../favicon.ico"> <title>Home</title>
Page 6 of 13 <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" integrity="sha384- WskhaSGFgHYWDcbwN70/dfYBj47jz9qbsMId/iRN3ewGhXQFZCSftd1LZCfmhktB" crossorigin="anonymous"> </head> <body class="text-center"> <div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column"> <main role="main" class="inner cover"> <h1 class="cover-heading">Apache Keycloak SSO demonstration</h1> <p class="lead"> </p> <p class="lead"> <a href="/products" class="btn btn-lg btn-secondary">Search products</a> </p> </main> </div> <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384- q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384- ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script> <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js" integrity="sha384- smHYKdLADwkXOn1EmN1qk/HfnUcbVRZyYmZ4qpPea6sjB/pTJ0euyQp0Mk8ck+5T" crossorigin="anonymous"></script> </body> </html> Products.ftl <#import "/spring.ftl" as spring> <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content=""> <meta name="author" content=""> <link rel="icon" href="../../../../favicon.ico"> <title>Keycloak</title> <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" integrity="sha384-WskhaSGFgHYWDcbwN70/dfYBj47jz9qbsMId/iRN3ewGhXQFZCSftd1LZCfmhktB" crossorigin="anonymous"> </head> <body class="text-center"> <div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column"> <main role="main" class="inner cover"> <h1 class="cover-heading">Apache Keycloak SSO demonstration</h1> <div style="width: 18rem; padding: 10px; display: block; margin-left: auto;margin-right: auto"> <ul class="list-group"> <#list products as product> <li class="list-group-item">${product}</li> </#list> </ul> </div> <p class="lead"> <a href="/logout" class="btn btn-lg btn-secondary">Logout</a> </p> </main> </div> <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script> <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js" integrity="sha384-smHYKdLADwkXOn1EmN1qk/HfnUcbVRZyYmZ4qpPea6sjB/pTJ0euyQp0Mk8ck+5T" crossorigin="anonymous"></script> </body> </html>
Page 7 of 13 SecurityConfig.java This is same as Sample security config file above mentioned. Project structure – Application two Everything is same except application.properties file and ProductService file. ProductService.java package com.example.productapp.service; import org.springframework.stereotype.Service; import java.util.Arrays; import java.util.List; @Service public class ProductService{ public List<String> getProducts(){ return Arrays.asList("Apple", "Sony","Nokia", "Mi"); } } application.properties server.port=8092 keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.public-client=true keycloak.resource=client2 I created two Keycloak clients called client1 and client2 for these applications in Realm called “api”. Both clients have same Access Type which is “public”
Page 8 of 13 Both clients are same but Client ID and Valid Redirect URLs are different. • Client1 - http://localhost:8090* • Client2 - http://localhost:8092* Now you can run both applications on port 8090 and 8092. Then you can try as follows. Just go to http://localhost:8090 Once you click on Search products button, you will be redirect to the Keycloak login page.
Page 9 of 13 Once you have logged in successfully, you will be redirected to secure page http://localhost:8090/products Same time you can check the second service which is running on port 8092. Go to http://localhost:8090/products Then it will not redirect you to Keycloak login page and directly it will redirect to the secure page. Because You already login the Keycloak secure service.
Page 10 of 13 Using confidential and bearer-only access type Here I’m going to create two REST web applications which are running on port 8090 and 8092. Please look at the project details. ProductController.java package com.example.productapp.controller; import com.example.productapp.service.ProductService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RestController; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import java.util.List; @RestController public class ProductController { @Autowired private ProductService productService; @PostMapping(path = "/products") public List<String> getProducts(){ return productService.getProducts(); } @GetMapping(path = "/logout") public String logout(HttpServletRequest request) throws ServletException { request.logout(); return "/"; } } ProductService.java package com.example.productapp.service; import org.springframework.stereotype.Service; import java.util.Arrays; import java.util.List; @Service public class ProductService{ public List<String> getProducts(){ return Arrays.asList("Nokia","Sony"); } } application.properties server.port=8090 keycloak.enabled=true keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.resource=client3 keycloak.bearer-only=true SecurityConfig.java SecurityConfig.java file is same as Sample Security configuration file which I mentioned above.
Page 11 of 13 Here are the details of Keycloak client. Since this is a REST web application I am going to use Postman to send the request.
Page 12 of 13 As you can see, you cannot access the source. Because it is secured by Keycloak and you need Authorization header and with a Bearer token. The bearer token can be received by following Keycloak API. http://localhost:8080/auth/realms/{realm_name}/protocol/openid-connect/token You must provide client_id, username, password, grant_type and client_secret to get the token. • client_id – client name • username – username of the user • password – password of the user • grant_type – this should be “password” • client_secret – this can be found from Keycloak admin panel related to client Once you provide related data, you will be able to get the token and some other details. Please check this screenshot.
Page 13 of 13 Then you can use this token in header to access the secured API. This token will be saved by the front-end client (React, Angular…etc.) and it can be used in future requests.

More Related Content

PDF
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
PDF
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
PPTX
Secure your app with keycloak
byGuy Marom
 
PPTX
Building secure applications with keycloak
byAbhishek Koserwal
 
PPTX
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
PDF
Implementing security requirements for banking API system using Open Source ...
byYuichi Nakamura
 
PDF
Introduction to OpenID Connect
byNat Sakimura
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
Secure your app with keycloak
byGuy Marom
 
Building secure applications with keycloak
byAbhishek Koserwal
 
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
Implementing security requirements for banking API system using Open Source ...
byYuichi Nakamura
 
Introduction to OpenID Connect
byNat Sakimura
 
OpenID Connect Explained
byVladimir Dzhuvinov
 

What's hot

PPTX
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
PPTX
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
bymarcuschristie
 
PPTX
Rest API Security
byStormpath
 
PDF
Introducing Vault
byRamit Surana
 
PPTX
OpenId Connect Protocol
byMichael Furman
 
PPTX
Identity management and single sign on - how much flexibility
byRyan Dawson
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PPTX
Azure key vault
byRahul Nath
 
PDF
Secure Spring Boot Microservices with Keycloak
byRed Hat Developers
 
PDF
Microservice With Spring Boot and Spring Cloud
byEberhard Wolff
 
PPTX
Prometheus and Grafana
byLhouceine OUHAMZA
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
PPTX
Comprehensive Terraform Training
byYevgeniy Brikman
 
PPTX
Azure migration
byArnon Rotem-Gal-Oz
 
PDF
OAuth
byIván Fernández Perea
 
PPTX
SSO introduction
byAidy Tificate
 
PDF
Deep dive into Kubernetes Networking
bySreenivas Makam
 
PDF
Kubernetes - introduction
bySparkbit
 
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
bymarcuschristie
 
Rest API Security
byStormpath
 
Introducing Vault
byRamit Surana
 
OpenId Connect Protocol
byMichael Furman
 
Identity management and single sign on - how much flexibility
byRyan Dawson
 
Hashicorp Vault ppt
byShrey Agarwal
 
Azure key vault
byRahul Nath
 
Secure Spring Boot Microservices with Keycloak
byRed Hat Developers
 
Microservice With Spring Boot and Spring Cloud
byEberhard Wolff
 
Prometheus and Grafana
byLhouceine OUHAMZA
 
OAuth2 + API Security
byAmila Paranawithana
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
An Introduction to OAuth2
byAaron Parecki
 
Comprehensive Terraform Training
byYevgeniy Brikman
 
Azure migration
byArnon Rotem-Gal-Oz
 
OAuth
byIván Fernández Perea
 
SSO introduction
byAidy Tificate
 
Deep dive into Kubernetes Networking
bySreenivas Makam
 
Kubernetes - introduction
bySparkbit
 

Similar to Keycloak Single Sign-On

PPTX
Challenge to Implementing "Scalable" Authorization with Keycloak
byHitachi, Ltd. OSS Solution Center.
 
PPTX
How to implement Keycloak authentication in React.pptx
byKnoldus Inc.
 
PPTX
Restful api
byAnurag Srivastava
 
PDF
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...
byGanesh Kumar
 
PDF
Spring security jwt tutorial toptal
byjbsysatm
 
PDF
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
byIoan Eugen Stan
 
PDF
OSDC 2019 | Single Sign On with Keycloak: why and how by Julien Pivotto
byNETWAYS
 
PDF
spring-security-reference.pdf
byhorica9300
 
PPTX
Building Layers of Defense with Spring Security
byJoris Kuipers
 
PDF
Spring4 security
bySang Shin
 
PDF
Building an Effective Architecture for Identity and Access Management.pdf
byJorge Alvarez
 
PDF
App Security with Keycloak and Quarkus
byConSol Consulting & Solutions Software GmbH
 
PDF
Spring security4.x
byZeeshan Khan
 
PDF
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
PDF
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
PPTX
Microservices security - jpmc tech fest 2018
byMOnCloud
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Building layers of defense for your application
byVMware Tanzu
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
PDF
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 
Challenge to Implementing "Scalable" Authorization with Keycloak
byHitachi, Ltd. OSS Solution Center.
 
How to implement Keycloak authentication in React.pptx
byKnoldus Inc.
 
Restful api
byAnurag Srivastava
 
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...
byGanesh Kumar
 
Spring security jwt tutorial toptal
byjbsysatm
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
byIoan Eugen Stan
 
OSDC 2019 | Single Sign On with Keycloak: why and how by Julien Pivotto
byNETWAYS
 
spring-security-reference.pdf
byhorica9300
 
Building Layers of Defense with Spring Security
byJoris Kuipers
 
Spring4 security
bySang Shin
 
Building an Effective Architecture for Identity and Access Management.pdf
byJorge Alvarez
 
App Security with Keycloak and Quarkus
byConSol Consulting & Solutions Software GmbH
 
Spring security4.x
byZeeshan Khan
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
Microservices security - jpmc tech fest 2018
byMOnCloud
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Building layers of defense for your application
byVMware Tanzu
 
When and Why Would I use Oauth2?
byDave Syer
 
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 

More from Ravi Yasas

PDF
Keycloak theme customization
byRavi Yasas
 
PDF
Example for SDS document in Software engineering
byRavi Yasas
 
PDF
Software requirement specification
byRavi Yasas
 
PDF
NTFS file system
byRavi Yasas
 
PDF
Display types (LED, LCD, Plasma, Plotter, Virtual Reality)
byRavi Yasas
 
PPTX
Windows network administration Basic theories
byRavi Yasas
 
PPTX
CCNA Exam 640-802 Version 9.3
byRavi Yasas
 
PDF
Redis clustering
byRavi Yasas
 
PDF
Intel 8086 microprocessor
byRavi Yasas
 
PDF
Fiber optic cables
byRavi Yasas
 
PDF
Modern Management Thoughts
byRavi Yasas
 
PDF
Distributed systems
byRavi Yasas
 
PPTX
Android OS
byRavi Yasas
 
PPTX
Cubic robots
byRavi Yasas
 
Keycloak theme customization
byRavi Yasas
 
Example for SDS document in Software engineering
byRavi Yasas
 
Software requirement specification
byRavi Yasas
 
NTFS file system
byRavi Yasas
 
Display types (LED, LCD, Plasma, Plotter, Virtual Reality)
byRavi Yasas
 
Windows network administration Basic theories
byRavi Yasas
 
CCNA Exam 640-802 Version 9.3
byRavi Yasas
 
Redis clustering
byRavi Yasas
 
Intel 8086 microprocessor
byRavi Yasas
 
Fiber optic cables
byRavi Yasas
 
Modern Management Thoughts
byRavi Yasas
 
Distributed systems
byRavi Yasas
 
Android OS
byRavi Yasas
 
Cubic robots
byRavi Yasas
 

Recently uploaded

PPTX
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
PDF
First Semester BCA Fundamentals of Computers – Solved Question Paper (Kuvempu...
byKuvempu University
 
PDF
Integrating Risk Buffers Into Your Critical Path When & How
byOrangescrum
 
PDF
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
PDF
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
PDF
MGA Insurance Product Launch Acceleration
byOpenkoda
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PPTX
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
PPTX
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
PDF
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
PDF
Ch2 -ENG.pdf COMPUTER ARCHITECTURE L2 INFO
byrogase8895
 
PDF
How Does AI Improve Location-Based Mobile App Development for Businesses.pdf
byNet-Craft.com
 
PDF
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
PDF
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
PPTX
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
PDF
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
First Semester BCA Fundamentals of Computers – Solved Question Paper (Kuvempu...
byKuvempu University
 
Integrating Risk Buffers Into Your Critical Path When & How
byOrangescrum
 
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
MGA Insurance Product Launch Acceleration
byOpenkoda
 
application security presentation 2 by harman
byharmanideapad
 
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
Ch2 -ENG.pdf COMPUTER ARCHITECTURE L2 INFO
byrogase8895
 
How Does AI Improve Location-Based Mobile App Development for Businesses.pdf
byNet-Craft.com
 
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 

Keycloak Single Sign-On

  • 1.
    Ravi Yasas Keycloak SSO SINGLESIGN ON WITH KEYCLOAK
  • 2.
    Page 1 of13 Content Get started with Keycloak.……………………………………….………..02 Integrate Keycloak with Spring Boot and Spring Security……………..02 Sample property file…………………………………………………………………….03 Sample Security configuration file………………………………………03 Using Public access type……………………………………………………………….04 Project structure – Application one………………………………………………04 Project structure – Application two………………………………………………07 Using bearer-only access type………………………………………………………10
  • 3.
    Page 2 of13 Get started with Keycloak • Apache Keycloak is an opensource identity and access management provider. Learn more • You can download the Keycloak server from here You can download the stable latest release. • Once you download just extract it. It may look like the above image. • You can change the server port and other configuration data by changing standalone.xml file which is in standalone -> configuration directory. • If you need to start the Keycloak server go to the bin directory. o Windows – run standalone.bat o Linux – run standalone.sh • Now Keycloak server will start on port 8080 if you did not change it. • You can go to Administration Console from here http://localhost:8080/auth/ • The very first time you may need to create an admin user. • Once you provide admin credentials you created, you can login to the admin panel. Integrate Keycloak with Spring Boot and Spring Security • Keycloak can be used with Spring Security. If you want, you can do it without integrating Spring Security. • Apache Keycloak can be very easily integrated with Spring Boot and Spring Security. You need to do a few things. o Create a new Security configuration file. o Add some properties to the property file. Here I am going to create two small Spring Boot applications which are running on port 8090 and port 8092. I am using another Spring Boot application which is running on port 8091 as a service for the application running on port 8090.
  • 4.
    Page 3 of13 Sample property file keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.resource=app1 keycloak.public-client=true Server.port= 8090 Sample Security configuration file package com.example.productapp.security; import org.keycloak.adapters.KeycloakConfigResolver; import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; import org.keycloak.adapters.springsecurity.KeycloakConfiguration; import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; import org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory; import org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate; import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.config.ConfigurableBeanFactory; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Scope; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; @KeycloakConfiguration public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{ KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider(); keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper()); auth.authenticationProvider(keycloakAuthenticationProvider); } @Bean @Override protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); } @Bean public KeycloakConfigResolver keycloakConfigResolver(){ return new KeycloakSpringBootConfigResolver(); } @Autowired public KeycloakClientRequestFactory keycloakClientRequestFactory; @Bean @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE) public KeycloakRestTemplate keycloakRestTemplate(){ return new KeycloakRestTemplate(keycloakClientRequestFactory); } @Override protected void configure(HttpSecurity http) throws Exception{ super.configure(http); http.authorizeRequests() .antMatchers("/products*").hasRole("user") .anyRequest().permitAll(); } }
  • 5.
    Page 4 of13 In Keycloak client configuration, there are three types of Access types. 1. Public – This is used for clients who need a browser login. 2. Confidential – This is used for clients who need browser login with a client secret. 3. Bearer only – This access type means it only allows bearer token requests not browser login Using Public access type Here I described two applications with public access type. Both applications look same. Here are some details of those application. Configuration Application one Application two server.port 8090 8092 keycloak.auth-server-url http://localhost:8080/auth http://localhost:8080/auth keycloak.realm api api keycloak.resource client1 client2 keycloak.public-client true true As you can see each application uses same realm (api), but different keycloak resources (client1 and client2) Project structure – Application one
  • 6.
    Page 5 of13 ProductController.java package com.example.productapp.controller; import com.example.productapp.service.ProductService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.GetMapping; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @Controller public class ProductController { @Autowired private ProductService productService; @GetMapping(path = "/products") public String getProducts(Model model){ model.addAttribute("products", productService.getProducts()); return "products"; } @GetMapping(path = "/logout") public String logout(HttpServletRequest request) throws ServletException { request.logout(); return "/"; } } ProductService.java package com.example.productapp.service; import org.springframework.stereotype.Service; import java.util.Arrays; import java.util.List; @Service public class ProductService{ public List<String> getProducts(){ return Arrays.asList("Mazda","Toyota","Audi"); } } application.properties server.port=8090 keycloak.enabled=true keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.resource=client1 keycloak.public-client=true index.html <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content=""> <meta name="author" content=""> <link rel="icon" href="../../../../favicon.ico"> <title>Home</title>
  • 7.
    Page 6 of13 <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" integrity="sha384- WskhaSGFgHYWDcbwN70/dfYBj47jz9qbsMId/iRN3ewGhXQFZCSftd1LZCfmhktB" crossorigin="anonymous"> </head> <body class="text-center"> <div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column"> <main role="main" class="inner cover"> <h1 class="cover-heading">Apache Keycloak SSO demonstration</h1> <p class="lead"> </p> <p class="lead"> <a href="/products" class="btn btn-lg btn-secondary">Search products</a> </p> </main> </div> <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384- q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384- ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script> <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js" integrity="sha384- smHYKdLADwkXOn1EmN1qk/HfnUcbVRZyYmZ4qpPea6sjB/pTJ0euyQp0Mk8ck+5T" crossorigin="anonymous"></script> </body> </html> Products.ftl <#import "/spring.ftl" as spring> <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content=""> <meta name="author" content=""> <link rel="icon" href="../../../../favicon.ico"> <title>Keycloak</title> <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" integrity="sha384-WskhaSGFgHYWDcbwN70/dfYBj47jz9qbsMId/iRN3ewGhXQFZCSftd1LZCfmhktB" crossorigin="anonymous"> </head> <body class="text-center"> <div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column"> <main role="main" class="inner cover"> <h1 class="cover-heading">Apache Keycloak SSO demonstration</h1> <div style="width: 18rem; padding: 10px; display: block; margin-left: auto;margin-right: auto"> <ul class="list-group"> <#list products as product> <li class="list-group-item">${product}</li> </#list> </ul> </div> <p class="lead"> <a href="/logout" class="btn btn-lg btn-secondary">Logout</a> </p> </main> </div> <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script> <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js" integrity="sha384-smHYKdLADwkXOn1EmN1qk/HfnUcbVRZyYmZ4qpPea6sjB/pTJ0euyQp0Mk8ck+5T" crossorigin="anonymous"></script> </body> </html>
  • 8.
    Page 7 of13 SecurityConfig.java This is same as Sample security config file above mentioned. Project structure – Application two Everything is same except application.properties file and ProductService file. ProductService.java package com.example.productapp.service; import org.springframework.stereotype.Service; import java.util.Arrays; import java.util.List; @Service public class ProductService{ public List<String> getProducts(){ return Arrays.asList("Apple", "Sony","Nokia", "Mi"); } } application.properties server.port=8092 keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.public-client=true keycloak.resource=client2 I created two Keycloak clients called client1 and client2 for these applications in Realm called “api”. Both clients have same Access Type which is “public”
  • 9.
    Page 8 of13 Both clients are same but Client ID and Valid Redirect URLs are different. • Client1 - http://localhost:8090* • Client2 - http://localhost:8092* Now you can run both applications on port 8090 and 8092. Then you can try as follows. Just go to http://localhost:8090 Once you click on Search products button, you will be redirect to the Keycloak login page.
  • 10.
    Page 9 of13 Once you have logged in successfully, you will be redirected to secure page http://localhost:8090/products Same time you can check the second service which is running on port 8092. Go to http://localhost:8090/products Then it will not redirect you to Keycloak login page and directly it will redirect to the secure page. Because You already login the Keycloak secure service.
  • 11.
    Page 10 of13 Using confidential and bearer-only access type Here I’m going to create two REST web applications which are running on port 8090 and 8092. Please look at the project details. ProductController.java package com.example.productapp.controller; import com.example.productapp.service.ProductService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RestController; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import java.util.List; @RestController public class ProductController { @Autowired private ProductService productService; @PostMapping(path = "/products") public List<String> getProducts(){ return productService.getProducts(); } @GetMapping(path = "/logout") public String logout(HttpServletRequest request) throws ServletException { request.logout(); return "/"; } } ProductService.java package com.example.productapp.service; import org.springframework.stereotype.Service; import java.util.Arrays; import java.util.List; @Service public class ProductService{ public List<String> getProducts(){ return Arrays.asList("Nokia","Sony"); } } application.properties server.port=8090 keycloak.enabled=true keycloak.auth-server-url=http://localhost:8080/auth keycloak.realm=api keycloak.resource=client3 keycloak.bearer-only=true SecurityConfig.java SecurityConfig.java file is same as Sample Security configuration file which I mentioned above.
  • 12.
    Page 11 of13 Here are the details of Keycloak client. Since this is a REST web application I am going to use Postman to send the request.
  • 13.
    Page 12 of13 As you can see, you cannot access the source. Because it is secured by Keycloak and you need Authorization header and with a Bearer token. The bearer token can be received by following Keycloak API. http://localhost:8080/auth/realms/{realm_name}/protocol/openid-connect/token You must provide client_id, username, password, grant_type and client_secret to get the token. • client_id – client name • username – username of the user • password – password of the user • grant_type – this should be “password” • client_secret – this can be found from Keycloak admin panel related to client Once you provide related data, you will be able to get the token and some other details. Please check this screenshot.
  • 14.
    Page 13 of13 Then you can use this token in header to access the secured API. This token will be saved by the front-end client (React, Angular…etc.) and it can be used in future requests.