Keycloak
Keycloak is an open source identity and access management for modern applications and services, no need to deal with storing users or authenticating users. it's all available out of the box.
The Documentation keycloak mentioned the following with respect LDAP and Active Directory: Keycloak comes with a built-in LDAP/AD provider. It is possible to federate multiple different LDAP servers in the same Keycloak realm. You can map LDAP user attributes into the Keycloak common user model. By default, it maps username, email, first name, and last name, but you are free to configure additional mappings.
OpenID Connect
OpenID Connect additional is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
[Image]. https://developers.redhat.com
Downloading and installing docker-test-openldap by Docker
For Install docker-test-openldap you just need the next command: it will check the users available on GitHub repository.
docker run --rm -p 10389:10389 -p 10636:10636 rroemhild/test-openldap
Test connection to LDAP on Apache Directory Studio
Downloading and installing keycloack by Docker
For Install keycloak by docker you just need the next command: I used version 17.0.1
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:17.0.1 start-dev
This will start Keycloak exposed on the local port 8080. It will also create an initial admin user with username admin and password admin.
Setting Up a keycloack server.
Open a browser http://localhost:8080 or http://127.0.0.1:8080 result this.
Creating a Realm
For default the console opens up Master realm, Let's navigate left corner Add realm button.
For this example I created realm demo. we'll click the button create.
Add a new client with the name spring-boot-keycloak with openid-connect. click button save.
Add Valid Redirect URIs.
Add LDAP
Click on User Federation -> ldap:
Ldap Parameters:
Edit Mode: READ_ONLY
Vendor: Active Directory
LDAP attribute name for username: uid
RDN LDAP attribute: cn
UUID LDAP attribute: cn
User Object Classes: top, person, organizationalPerson, inetOrgPerson
Connection URL: ldap://YOUR_IP:10389
Users DN: ou=people,dc=planetexpress,dc=com
Search Scope: One level
Bind Type: none
Click and Save and Synchronize all user.
Go to Manage -> Users and check all users:
Creating a Spring Boot Application
In this examples we're integration Spring Boot, keycloack and Ldap user federation.
- Configuration Spring boot, Spring Security and keycloack.
- Spring Controllers
Spring Boot Rest API
This is API
Methods | URLs |
---|---|
GET | /users |
Technology
- Java 17 (Zulu)
- Spring Boot 2.7.1
- Maven
- IntelliJ IDEA
- Docker
- Test-openldap
Project Structure
Configuration Spring Boot Keycloak project
- Spring Initializr or Spring Suite Tool (STS).
- Maven
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.1</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.henry</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demo</name>
<description>Demo project for Spring Boot Keycloak, ldap</description>
<properties>
<java.version>17</java.version>
<keycloak-adapter-bom.version>17.0.1</keycloak-adapter-bom.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.keycloak.bom</groupId>
<artifactId>keycloak-adapter-bom</artifactId>
<version>${keycloak-adapter-bom.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<!-- Exclude the Tomcat dependency -->
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Use Jetty instead -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jetty</artifactId>
</dependency>
<dependency>
<groupId>org.hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${project.parent.version}</version>
</plugin>
</plugins>
</build>
</project>
application.yml
server:
port: 8081
keycloak:
auth-server-url: http://127.0.0.1:8080
realm: demo
resource: spring-boot-keycloak
public-client: true
bearer-only: true
principal-attribute: preferred_username
Class Security configuration
I suggest to you, we 'll be reading Spring Boot Adapters, I got from Spring Boot Adapters the configuration class.
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@KeycloakConfiguration
@Import(KeycloakSpringBootConfigResolver.class)
@EnableGlobalMethodSecurity(jsr250Enabled = true)//so i need the roles exist environment, @RolesAllowed
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
{
/**
* Registers the KeycloakAuthenticationProvider with the authentication manager.
*/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = new KeycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
/**
* Defines the session authentication strategy.
*/
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
}
@Override
protected void configure(HttpSecurity http) throws Exception
{
super.configure(http);
http.cors().and()
.authorizeRequests()
.anyRequest().fullyAuthenticated();
http.csrf().disable();
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
return source;
}
}
Spring Rest APIs Controller
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.Collections;
import java.util.Map;
@RestController
public class HelloWorldController {
@GetMapping("/users")
public Map<String, String> hello(){
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
String currentPrincipalName = authentication.getName();
return Collections.singletonMap("response", "Hello "+currentPrincipalName);
}
}
Run & Test
Run Spring Boot application with command: mvn spring-boot:run. by console, IntelliJ etc.
Keycloak provides a REST API for generating and refreshing access tokens.
1. We need to acquire an access token from Keycloak from this url.
- 127.0.0.1 or localhost .
- Port: 8080 .
- realms Url defined by keycloak.
- demo The name of realm.
- protocol/openid-connect/token The url defined by keycloak.
http://127.0.0.1:8080/realms/demo/protocol/openid-connect/token
2. Configurate on Postman.
Without token:
GET: http://127.0.0.1:8081/users
With token:
Parameters:
GET: http://127.0.0.1:8081/users
Tab Authorizacion: for more users it will check of Test-openldap on GitHub.
Type: OAuth 2.0
Grant Type: Password Credentials
Access Token URL: http://127.0.0.1:8080/realms/demo/protocol/openid-connect/token
Client ID: spring-boot-keycloak
Username: zoidberg
Password: zoidberg
Client Authentication: Send client credentials in body
Click on Get New Acces token.
Click Proceed and next to Use Token.
Creating Angular Application
In this examples we're integration Angular, keycloack, Ldap user federation and Spring Boot.
- Configuration Angular and keycloack.
- Components
- Services
Angular Rest API
This is API
Methods | URLs |
---|---|
GET | /users |
Technology
- Visual Studio Code 1.68.1
- Node 16
- Npm
- Angular Cli 14
- Angular Material 14
- sweetalert2
Project Structure
Configuration Angular Keycloak project
Folder:
redirect: When the app is up always start in this component.
login: provided ts, scss and html file.
pages: provided title header in all pages and all components to configure routing file.
services: provided services, interceptors, guards, consuming web services etc.
environments: (environment.ts) provided the endpoints for keycloak and spring boot.
// This file can be replaced during build by using the `fileReplacements` array.
// `ng build` replaces `environment.ts` with `environment.prod.ts`.
// The list of file replacements can be found in `angular.json`.
export const environment = {
production: false,
keycloakEndpoint: "http://127.0.0.1:8080/realms/demo/protocol/openid-connect/token",
wsEndpoint: "http://127.0.0.1:8081"
};
/*
* For easier debugging in development mode, you can import the following file
* to ignore zone related error stack frames such as `zone.run`, `zoneDelegate.invokeTask`.
*
* This import should be commented out in production mode because it will have a negative impact
* on performance if an error is thrown.
*/
// import 'zone.js/plugins/zone-error'; // Included with Angular CLI.
Run & Test
Run Angular application with command: ng serve
Go to http://localhost:4200/
Set credentials for users from LDAP User federation from Keycloak.
username: zoidberg
password: zoidberg
Click on Login
If login is ok. Show the name from Keycloak and username from Spring Boot project.
Get and set values from login html (login.component.ts).
const body = new HttpParams()
.set("username", this.loginForm.value.username!)
.set("password", this.loginForm.value.password!)
.set("grant_type", "password")
.set("client_id", "spring-boot-keycloak")
.set("client_secret", "")
.set("scope", "openid");
Call WS KeycloakEndopoint (auth.service.ts).
async currentloginid(payMod: any) {
//changes this url by your realms
try {
const response = await fetch(environment.keycloakEndpoint, {
method: 'post',
headers: {
'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8'
},
body: payMod
});
const data = await response.json();
return data;
} catch (error) {
console.log('Request failed', error);
}
}
Call WS Endpoint Spring Boot Project (content.component.ts).
ngOnInit(): void {
this.name = this.authService.getUser();
let url = `${environment.wsEndpoint}/users`;
this._client.getUserFromBackend(url).subscribe((data) => {
this.username = data.response;
});
}
Tab -> Application -> Storage ->Session Storage
Show the token.
For will check if token is valid go to jwt.io and copy and paste token.
Source Code
Here on GitHub:
References.
https://github.com/rroemhild/docker-test-openldap
https://jwt.io/
https://www.keycloak.org/getting-started/getting-started-docker
https://www.keycloak.org/
https://material.angular.io/guide/schematics
https://angular.io/
Great Work !!!!
ReplyDelete