
Keycloak

MSimonInria edited this page Feb 2, 2017 · 1 revision

Keycloak server

Keycloak adds authentication to applications and secures services with minimal fuss: there is no need to store or authenticate users yourself, it is all available out of the box.

Useful functionalities for Shanoir NG

  • Single Sign-On
  • Centralized Management
  • Identity Brokering
  • Adapters for Spring Boot and Angular 2
  • Standard Protocols
  • Password Policies
  • Themes

Presentation

The Keycloak server runs as a Docker container on the 'Shanoir NG' Docker network.

It is used as the identity provider.

The Keycloak server holds the list of users and lets them log in with either their username or their email address. This user database must be updated whenever the User MS data changes.

The password policy and password expiration dates are managed on the Keycloak server.

The application login page is the Keycloak realm login page, so the login page style must be set on the Keycloak server.

Process

Server administration

  1. Log in on the Keycloak server as admin
  2. Create a realm
  3. Create the roles
  4. Create the clients (one for the frontend application and one for each microservice)
  5. Configure the clients
  6. Load the users from the Shanoir NG users MS

Application user

  1. The user opens Shanoir NG at "http://localhost:3000/home" (not "http://localhost:3000/login")
  2. Redirection to the realm login page
  3. The user enters their email/username and password
  4. On successful login, redirection to the Shanoir NG home page
  5. Every request to a MS is intercepted by Keycloak; if Keycloak accepts the token, the request is forwarded to the MS
  6. The MS sends its response and the data is displayed in the browser

Configure Keycloak for Shanoir NG

Angular 2

Define a service that manages user authentication. This service:

  • checks whether the user is logged in
  • manages logout
  • updates the token

This service is called on application load.
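The three responsibilities listed above, as an added example that is neither Shanoir NG code nor the Keycloak JS adapter: a framework-free TypeScript service that keeps the token, decides whether the user is still logged in, decides when the token must be refreshed, and builds the realm logout URL. The server URL and realm name are taken from the application properties on this page; the token builder (`makeUnsignedToken`) and the `nowSeconds` clock are constructed for the example, and the tokens it produces are unsigned, which a real Keycloak never issues.

```typescript
// Added example (not Shanoir NG code, not the Keycloak JS adapter): the state an
// Angular auth service has to keep, written without Angular so it runs anywhere.
// Server URL and realm come from the application properties on this page.
const AUTH_SERVER_URL = "http://localhost:8080/auth"; // keycloak.auth-server-url
const REALM = "Demo-Realm";                           // keycloak.realm

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// base64url without padding (RFC 7515), over raw bytes
function b64urlEncode(bytes: number[]): string {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i];
    const b1 = i + 1 < bytes.length ? bytes[i + 1] : -1;
    const b2 = i + 2 < bytes.length ? bytes[i + 2] : -1;
    out += B64URL.charAt(b0 >> 2);
    out += B64URL.charAt(((b0 & 3) << 4) | (b1 < 0 ? 0 : b1 >> 4));
    if (b1 < 0) break;
    out += B64URL.charAt(((b1 & 15) << 2) | (b2 < 0 ? 0 : b2 >> 6));
    if (b2 < 0) break;
    out += B64URL.charAt(b2 & 63);
  }
  return out;
}

function b64urlDecode(s: string): number[] {
  const bytes: number[] = [];
  let acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s.charAt(i));
    if (v < 0) throw new Error("invalid base64url character: " + s.charAt(i));
    acc = ((acc << 6) | v) & 0x3fff; // at most 14 live bits are ever needed
    bits += 6;
    if (bits >= 8) { bits -= 8; bytes.push((acc >> bits) & 0xff); }
  }
  return bytes;
}

// UTF-8 <-> bytes via the classic encodeURIComponent/escape round trip
function utf8Bytes(s: string): number[] {
  const bin = unescape(encodeURIComponent(s));
  const out: number[] = [];
  for (let i = 0; i < bin.length; i++) out.push(bin.charCodeAt(i));
  return out;
}
function utf8String(bytes: number[]): string {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return decodeURIComponent(escape(bin));
}

interface TokenClaims {
  exp: number;                  // expiry, seconds since the epoch
  preferred_username?: string;  // Keycloak puts the login name here
  realm_access?: { roles: string[] };
}

// Constructed, UNSIGNED token (alg "none", empty signature) for this example only.
// Real tokens are signed by Keycloak and the bearer-only microservices verify that
// signature; the browser only reads the claims for display and expiry handling.
function makeUnsignedToken(claims: TokenClaims): string {
  const header = b64urlEncode(utf8Bytes(JSON.stringify({ alg: "none", typ: "JWT" })));
  const payload = b64urlEncode(utf8Bytes(JSON.stringify(claims)));
  return header + "." + payload + ".";
}

function decodeClaims(jwt: string): TokenClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (header.payload.signature)");
  const claims = JSON.parse(utf8String(b64urlDecode(parts[1])));
  if (typeof claims.exp !== "number") throw new Error("token has no numeric exp claim");
  return claims as TokenClaims;
}

class AuthService {
  private token: string | null = null;
  private claims: TokenClaims | null = null;
  // Injectable clock so expiry decisions can be tested deterministically.
  constructor(private readonly nowSeconds: () => number = () => Math.floor(Date.now() / 1000)) {}

  // Called when the realm login page redirects back with a token.
  setToken(jwt: string): void { this.claims = decodeClaims(jwt); this.token = jwt; }

  // Logged in = we hold a token whose exp is still in the future.
  isLoggedIn(): boolean { return this.claims !== null && this.claims.exp > this.nowSeconds(); }

  // True when the token expires within minValiditySeconds: refresh it before the next MS call.
  needsRefresh(minValiditySeconds: number): boolean {
    return this.claims !== null && this.claims.exp - this.nowSeconds() < minValiditySeconds;
  }

  // Value of the Authorization header sent with every request to a microservice.
  bearerHeader(): string | null { return this.token === null ? null : "Bearer " + this.token; }
  username(): string | null { return (this.claims && this.claims.preferred_username) || null; }
  realmRoles(): string[] { return this.claims && this.claims.realm_access ? this.claims.realm_access.roles : []; }

  // Forget the token locally and return the realm logout URL to navigate to, so the
  // Keycloak session ends as well (redirect_uri must be registered on the client).
  logout(redirectUri: string): string {
    this.token = null; this.claims = null;
    return AUTH_SERVER_URL + "/realms/" + REALM + "/protocol/openid-connect/logout?redirect_uri=" + encodeURIComponent(redirectUri);
  }
}
```

The design point is the split of trust: the browser never validates a signature (it has no key to do so and a client-side check would be worthless anyway); it only reads `exp` to know when to refresh and `preferred_username`/`realm_access` for display, while the actual authorization decision stays in the bearer-only microservices behind the Keycloak adapter.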

Spring Boot

Disable the application's existing (JWT-based) authentication management.

Load the Keycloak Maven dependencies:

	<dependency>
		<groupId>org.keycloak</groupId>
		<artifactId>keycloak-tomcat8-adapter</artifactId>
		<version>${keycloak.version}</version>
	</dependency>

	<dependency>
		<groupId>org.keycloak</groupId>
		<artifactId>keycloak-spring-boot-adapter</artifactId>
		<version>${keycloak.version}</version>
	</dependency>

Configure the application properties file:

keycloak.realm = Demo-Realm
keycloak.realmKey = MI...
keycloak.auth-server-url = http://localhost:8080/auth
keycloak.ssl-required = external
keycloak.resource = tutorial-backend
keycloak.bearer-only = true
keycloak.credentials.secret = e12cdacf-0d79-4945-a57a-573a833c1acc
# Secure REST API endpoints
keycloak.securityConstraints[0].securityCollections[0].name = spring secured api
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = manager
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/*
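What the `keycloak.securityConstraints[...]` lines actually decide for an incoming request, as an added example that is not the Keycloak Spring Boot adapter's own code: it reads the properties text above (embedded as a constructed string, with `#` as the comment marker that Java properties files use), rebuilds the constraint structure from the indexed keys, and applies Servlet URL-pattern matching plus the role check. The `Decision` outcomes and the `authorize` function are this example's own model of the adapter's behaviour; with `bearer-only = true` a request without a token gets a 401 rather than a redirect to the login page, and a token lacking every listed role gets a 403.

```typescript
// Added example, not the Keycloak Spring Boot adapter's code: a model of what the
// keycloak.securityConstraints[...] properties mean for a request reaching a
// bearer-only microservice. The properties text is constructed from this page.

type Decision = "unprotected" | "unauthenticated" | "forbidden" | "allowed";

interface SecurityCollection { name: string; authRoles: string[]; patterns: string[]; }
interface SecurityConstraint { collections: SecurityCollection[]; }

// Minimal Java .properties reader: '#' or '!' starts a comment line, the first '='
// or ':' separates key from value. Escapes and line continuations are not handled;
// the snippet on this page uses neither.
function parseProperties(text: string): Record<string, string> {
  const props: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#" || line.charAt(0) === "!") continue;
    const sep = line.search(/[=:]/);
    if (sep < 0) { props[line] = ""; continue; }
    props[line.slice(0, sep).trim()] = line.slice(sep + 1).trim();
  }
  return props;
}

// keycloak.securityConstraints[i].securityCollections[j].(name | authRoles[k] | patterns[k])
const CONSTRAINT_KEY = /^keycloak\.securityConstraints\[(\d+)\]\.securityCollections\[(\d+)\]\.(name|authRoles|patterns)(?:\[(\d+)\])?$/;

function parseSecurityConstraints(props: Record<string, string>): SecurityConstraint[] {
  const constraints: SecurityConstraint[] = [];
  for (const key of Object.keys(props)) {
    const m = CONSTRAINT_KEY.exec(key);
    if (!m) continue;
    const ci = Number(m[1]), si = Number(m[2]), idx = m[4] === undefined ? 0 : Number(m[4]);
    while (constraints.length <= ci) constraints.push({ collections: [] });
    const cols = constraints[ci].collections;
    while (cols.length <= si) cols.push({ name: "", authRoles: [], patterns: [] });
    if (m[3] === "name") cols[si].name = props[key];
    else if (m[3] === "authRoles") cols[si].authRoles[idx] = props[key];
    else cols[si].patterns[idx] = props[key];
  }
  return constraints;
}

// Servlet URL-pattern semantics, as applied by the Tomcat adapter: "/api/*" matches
// "/api" and everything below it, "*.ext" matches by extension, anything else exactly.
function matchesPattern(pattern: string, path: string): boolean {
  if (pattern.slice(-2) === "/*") {
    const prefix = pattern.slice(0, -2);
    return path === prefix || path.indexOf(prefix + "/") === 0;
  }
  if (pattern.indexOf("*.") === 0) return path.slice(-(pattern.length - 1)) === pattern.slice(1);
  return pattern === path;
}

// roles === null models a request carrying no bearer token. With bearer-only = true the
// adapter answers 401 instead of redirecting to the login page; a valid token without one
// of the authRoles gets 403. A path matching no pattern is passed through untouched, so
// only what is listed under patterns[] is protected at all.
function authorize(constraints: SecurityConstraint[], path: string, roles: string[] | null): Decision {
  const matched: SecurityCollection[] = [];
  for (const c of constraints)
    for (const col of c.collections)
      for (const p of col.patterns)
        if (matchesPattern(p, path)) matched.push(col);
  if (matched.length === 0) return "unprotected";
  if (roles === null) return "unauthenticated";
  for (const col of matched)
    for (const r of col.authRoles)
      if (roles.indexOf(r) >= 0) return "allowed";
  return "forbidden";
}

// Constructed from the application properties on this page (secret and realm key omitted).
const SHANOIR_MS_PROPERTIES = `
keycloak.realm = Demo-Realm
keycloak.auth-server-url = http://localhost:8080/auth
keycloak.ssl-required = external
keycloak.resource = tutorial-backend
keycloak.bearer-only = true
# Secure REST API endpoints
keycloak.securityConstraints[0].securityCollections[0].name = spring secured api
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = manager
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/*
`;

const MS_PROPS = parseProperties(SHANOIR_MS_PROPERTIES);
const MS_CONSTRAINTS = parseSecurityConstraints(MS_PROPS);
```

The check worth running against a real configuration is the "unprotected" case: any endpoint a microservice exposes outside `/api/*` is served without the adapter ever looking at the token, so every route that returns data must fall under one of the listed patterns.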

Use the KeycloakPrincipal class to access the token:

import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@RequestMapping(method = RequestMethod.GET)
@ResponseBody
public void getUserInformation(KeycloakPrincipal<?> principal) {
	// Spring injects the authenticated principal; the Keycloak adapter has
	// already validated the bearer token before this handler runs.
	AccessToken token = principal.getKeycloakSecurityContext().getToken();

	String id = token.getId();
	String firstName = token.getGivenName();
	String lastName = token.getFamilyName();

	// ...
}

User management

The user list must be updated on every User MS data change (create/update/delete).

Login page

Change the login page style on the Keycloak server.
