Keycloak
Keycloak allows you to add authentication to applications and secure services with minimum fuss. There is no need to deal with storing or authenticating users: it is all available out of the box.
- Single-Sign On
- Centralized Management
- Identity Brokering
- Adapters for Spring Boot and Angular 2
- Standard Protocols
- Password Policies
- Themes
The Keycloak server runs as a Docker container on the 'Shanoir NG' docker network.
It is used as the identity provider.
The Keycloak server holds the list of users and allows login with either the username or the email address. This database must be updated whenever User MS data changes.
Password policy and expiration dates are managed on the Keycloak server.
The application login page is the Keycloak realm login page, so the login page style must be set on the Keycloak server.
- Log in to the Keycloak server as admin
- Create a realm
- Create roles
- Create clients (1 for frontend application and 1 for each microservice)
- Configure clients
- Load users from Shanoir NG users MS
- User goes to Shanoir NG "http://localhost:3000/home" (not "http://localhost:3000/login")
- Redirection to the realm login page
- User enters their email/username and password
- On successful login, redirection to the Shanoir NG home page
- All requests to the microservices are intercepted by Keycloak. If Keycloak accepts the token, the request is forwarded to the MS
- The MS sends its response and the data is displayed in the browser
Define a service used to manage user authentication. This service:
- checks whether the user is logged in
- manages logout
- updates the token
This service is called on application load.
Disable the application's own authentication management (JWT).
Load the Maven Keycloak dependencies:
```xml
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-tomcat8-adapter</artifactId>
  <version>${keycloak.version}</version>
</dependency>
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-spring-boot-adapter</artifactId>
  <version>${keycloak.version}</version>
</dependency>
```
Configure the application properties file (the backend is bearer-only: it never redirects to the login page itself, it only validates the token the frontend sends):
```properties
keycloak.realm = Demo-Realm
keycloak.realmKey = MI...
keycloak.auth-server-url = http://localhost:8080/auth
keycloak.ssl-required = external
keycloak.resource = tutorial-backend
keycloak.bearer-only = true
keycloak.credentials.secret = e12cdacf-0d79-4945-a57a-573a833c1acc
# Secure REST API endpoints: every path under /api/ requires the admin or manager role
keycloak.securityConstraints[0].securityCollections[0].name = spring secured api
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = manager
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/*
```
Use the KeycloakPrincipal class to access the token:
```java
import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@RequestMapping(method = RequestMethod.GET)
@ResponseBody
public void getUserInformation(KeycloakPrincipal principal) {
    // The adapter has already validated the bearer token; its claims can be read directly
    AccessToken token = principal.getKeycloakSecurityContext().getToken();
    String id = token.getId();
    String firstName = token.getGivenName();
    String lastName = token.getFamilyName();
    // ...
}
```
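The two token checks this page describes (the frontend service that decides whether the user is still logged in and when to refresh the token, and the backend constraint that only lets the admin or manager role through to /api/*) can be modelled together in one self-contained TypeScript sketch. This is an added example, not Shanoir NG, keycloak-js or Keycloak adapter code. It assumes: a constructed, unsigned sample token (alg "none") so that it runs offline, whereas the real adapters first verify the signature against the realm public key and only then trust any claim; realm roles carried in the standard realm_access.roles claim; a needsRefresh() rule that mirrors the minValidity argument of keycloak-js updateToken(); and a Decision type and authorize() function of my own that map the properties above to the 401/403 outcomes a bearer-only adapter produces.

```typescript
// Added example (not Shanoir NG / Keycloak code): claim-based decisions made
// AFTER signature verification, using a constructed unsigned sample token.

export interface AccessTokenClaims {
  exp: number;                       // expiry, seconds since epoch
  iat: number;                       // issued at
  preferred_username?: string;
  email?: string;
  realm_access?: { roles: string[] }; // where Keycloak puts realm roles
}

// base64url alphabet; JWT segments are base64url without padding.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Minimal encoder/decoder so the example needs no runtime globals (ASCII payloads only).
function base64urlEncode(s: string): string {
  let bits = 0, acc = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = (acc << 8) | (s.charCodeAt(i) & 0xff); bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(acc >> bits) & 63]; }
    acc &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64[(acc << (6 - bits)) & 63];
  return out;
}
function base64urlDecode(s: string): string {
  let bits = 0, acc = 0, out = "";
  for (const ch of s) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character");
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return out;
}

// Builds a constructed, UNSIGNED token for the example only (alg "none", empty signature).
export function makeUnsignedToken(claims: AccessTokenClaims): string {
  const header = base64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64urlEncode(JSON.stringify(claims))}.`;
}

// Reads the payload of a compact JWS; a real adapter verifies the signature first.
export function decodeToken(jwt: string): AccessTokenClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64urlDecode(parts[1])) as AccessTokenClaims;
}

// --- Frontend service: "checks if user is logged in" / "updates token" ---
export function isLoggedIn(claims: AccessTokenClaims | null, nowSec: number): boolean {
  return claims !== null && claims.exp > nowSec;
}
// Same contract as keycloak-js updateToken(minValidity): refresh when the token
// expires within minValidity seconds, so a request never leaves with a stale token.
export function needsRefresh(claims: AccessTokenClaims, nowSec: number, minValiditySec = 30): boolean {
  return claims.exp - nowSec < minValiditySec;
}

// --- Backend constraint from the properties file: /api/* needs admin or manager ---
export interface SecurityConstraint { pattern: string; authRoles: string[] }
export const API_CONSTRAINT: SecurityConstraint = { pattern: "/api/*", authRoles: ["admin", "manager"] };

// Servlet-style pattern match: "/api/*" covers "/api" and everything under "/api/".
function matches(pattern: string, path: string): boolean {
  if (pattern.endsWith("/*")) {
    const base = pattern.slice(0, -2);
    return path === base || path.startsWith(base + "/");
  }
  return pattern === path;
}

// Hypothetical outcome type: unauthenticated -> 401, forbidden -> 403.
export type Decision = "allow" | "unauthenticated" | "forbidden" | "unconstrained";
export function authorize(path: string, authHeader: string | undefined, nowSec: number,
                          c: SecurityConstraint = API_CONSTRAINT): Decision {
  if (!matches(c.pattern, path)) return "unconstrained";
  if (!authHeader || !authHeader.startsWith("Bearer ")) return "unauthenticated"; // bearer-only: no redirect
  let claims: AccessTokenClaims;
  try { claims = decodeToken(authHeader.slice("Bearer ".length)); } catch { return "unauthenticated"; }
  if (!isLoggedIn(claims, nowSec)) return "unauthenticated";                      // expired token
  const roles = claims.realm_access?.roles ?? [];
  return c.authRoles.some(r => roles.includes(r)) ? "allow" : "forbidden";        // role check
}

// Constructed sample: a manager token valid for 5 minutes from NOW.
export const NOW = 1700000000;
export const SAMPLE_TOKEN = makeUnsignedToken({
  exp: NOW + 300, iat: NOW, preferred_username: "alice", email: "alice@example.org",
  realm_access: { roles: ["manager"] },
});
```

The frontend half runs before every request (call needsRefresh() and, if it returns true, refresh before sending); the backend half is what the properties in the previous block express declaratively. The distinction between "unauthenticated" and "forbidden" matters operationally: a burst of 401s usually means token refresh is broken on the frontend, while 403s mean a logged-in user lacks the admin or manager realm role.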
The user list must be updated on every User MS data change (create/update/delete).
Change the login page style on the Keycloak server.