\nauthoring code.<\/li>\n
Some programming experience with Java or related technologies would be
\nmost beneficial.<\/p>\n
Setting up a Keycloak Server<\/h2>\n
There are different ways to set up a Keycloak server as described on the This will expose the Keycloak server to listen to HTTP on 8082 and HTTPS We will create a Keycloak Client called salutations-client:<\/p>\n We will create a Keycloak Client called salutations-client:<\/p>\n Now you are ready to create a Spring Boot resource server that will Go to Spring Initializr<\/a> to create a new Add the following dependencies to your classpath, which I have shown in Here is the application.properties file from the resources folder:<\/p>\n Here is the CustomKeycloakGrantedAuthoritiesConverter:<\/p>\n Here is an example controller with the special-user role enforced on one This section will demonstrate how to authenticate against the Keycloak The following code uses cURL to authenticate a user against the Be sure to make your script executable:<\/p>\n The best way to invoke this script and be able to read the results Now the useful datum that you need to include in any request to a Now is the time to run your Spring Boot application that you created Now test that your user has the role special-user and can access the Your application will reply with a large amount of information in JSON Spring Boot and Oauth2: Spring Security and Angular: Baeldung – Simple SSO with Spring Security Oauth2: Baeldung – Spring Oauth2 Angular (Legacy Stack): Keycloak Server: https:\/\/www.keycloak.org<\/a><\/p>\n Oauth2: https:\/\/oauth.net\/2\/<\/a><\/p>\n Spring Framework: https:\/\/spring.io\/<\/a><\/p>\n
\nproject website<\/a>. In this
\nexample we will use Docker, but for the purpose of this article it
\ndoesn\\’t really matter which way you do it. To create and start the
\nserver using Docker, run (in a Bash shell):<\/p>\n$ docker run --name keycloak -d -p 8082:8080 -p 8445:8443 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io\/keycloak\/keycloak:11.0.0<\/code><\/pre>\n
\non 8445. If you want to listen on other ports, just modify the command
\nabove. I chose these ports to minimise the chance of clashing with any
\nother servers running on my machine. If you are not familiar with
\nsetting up a realm on Keycloak, follow this
\ntutorial<\/a>
\non the Keycloak website to create a realm called myrealm, which is the
\nrealm we will use for the remainder of this article.<\/p>\nCreate a Keycloak Client for your Spring Boot Resource Server<\/h3>\n
\n
\n![\"MyRealm](\"\/wp-content\/uploads\/2023\/06\/Keycloak-myrealm-clients.png\")
<\/li>\n
\n![\"MyRealm](\"\/wp-content\/uploads\/2023\/06\/Keycloak-myrealm-add-Salutations-client.png\")
<\/li>\n
\nURL to https:\/\/localhost<\/a>, as shown:
\n![\"\"](\"\/wp-content\/uploads\/2023\/06\/Salutations-client-settings.png\")
<\/li>\n
\nspecial-user, and save it.
\n![\"\"](\"\/wp-content\/uploads\/2023\/06\/Salutations-client-roles.png\")
<\/li>\n<\/ol>\nCreate a Keycloak Client for User Authentication<\/h3>\n
\n
\n![\"\"](\"\/wp-content\/uploads\/2023\/06\/Keycloak-myrealm-add-session-client.png\")
<\/li>\n
\nto http:\/\/localhost<\/a>, the Valid Redirect URIs to http:\/\/localhost\/<\/a>*,
\nthe Admin URL to http:\/\/localhost<\/a>, the Web Origins to
\nhttp:\/\/localhost<\/a>, as shown:
\n![\"\"](\"\/wp-content\/uploads\/2023\/06\/sessions-client-settings.png\")
<\/li>\nAdd Users and Role Mappings<\/h3>\n
\n
\nuser. Feel free to choose a more interesting name here.
\n![\"\"](\"\/wp-content\/uploads\/2023\/06\/Salutations-users-details.png\")
<\/li>\n
\ndemo, a password of password will suffice.
\n![\"\"](\"\/wp-content\/uploads\/2023\/06\/Salutations-users-credentials.png\")
<\/li>\n
\nsalutations-client client that you created in the steps above. Under
\nAvailable Roles, click on the special-user role that you created in
\nthe steps above. Click Add selected, to shift the role into the
\nAssigned Roles box. Now the user user has the special-user role.
\n![\"\"](\"\/wp-content\/uploads\/2023\/06\/Salutations-users-role-mappings.png\")
<\/li>\n
\nassociate this user with any roles as for the user user.<\/li>\n<\/ol>\n
\ngrant access to REST endpoints only if the user requesting them is
\nauthenticated and has the correct role.<\/p>\nSpring Configuration<\/h2>\n
\nSpring project. Add the following Spring dependencies before generating
\nand downloading the project:<\/p>\n\n
\nGradle format:<\/p>\n\/\/ https:\/\/mvnrepository.com\/artifact\/com.nimbusds\/nimbus-jose-jwt\ncompile 'com.nimbusds:nimbus-jose-jwt:9.0.1'\nruntimeOnly 'com.h2database:h2'<\/code><\/pre>\n## Oauth2 Configuration (Keycloak Auth Server)\nspring.security.oauth2.resourceserver.jwt.issuer-uri=https:\/\/localhost:8445\/auth\/realms\/myrealm\nspring.security.oauth2.resourceserver.jwt.jwk-set-uri=http:\/\/localhost:8082\/auth\/realms\/myrealm\/protocol\/openid-connect\/certs\nspring.security.oauth2.resource.prefer-token-info=true<\/code><\/pre>\nSpring Security<\/h3>\n
package com.cheerfulprogramming.edwhiting.keycloakdemo.config;\n\nimport org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.core.convert.converter.Converter;\nimport org.springframework.http.HttpMethod;\nimport org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\nimport org.springframework.security.config.http.SessionCreationPolicy;\nimport org.springframework.security.core.GrantedAuthority;\nimport org.springframework.security.oauth2.jwt.Jwt;\nimport org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;\n\nimport java.util.Collection;\n\n@Configuration\n@EnableOAuth2Sso\n@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)\npublic class WebSecurity extends WebSecurityConfigurerAdapter {\n @Override\n public void configure(HttpSecurity http) throws Exception {\n http\n .httpBasic().disable()\n .formLogin().disable()\n .logout().disable()\n .cors().disable()\n .csrf().disable()\n .oauth2ResourceServer(oauth2ResourceServer ->\n oauth2ResourceServer.jwt(jwt ->\n jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))\n .sessionManagement(sessionManagement ->\n sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))\n .authorizeRequests()\n .antMatchers(HttpMethod.GET, "\/api\/salutations\/**").permitAll()\n .anyRequest().authenticated();\n }\n\n private JwtAuthenticationConverter jwtAuthenticationConverter() {\n JwtAuthenticationConverter j = new JwtAuthenticationConverter();\n j.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter());\n return j;\n }\n\n private Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {\n CustomKeycloakGrantedAuthoritiesConverter c = new CustomKeycloakGrantedAuthoritiesConverter("salutations-client");\n c.setAuthorityPrefix("ROLE_");\n return c;\n }\n}<\/code><\/pre>\npackage com.cheerfulprogramming.edwhiting.keycloakdemo.config;\n\nimport com.nimbusds.jose.shaded.json.JSONArray;\nimport com.nimbusds.jose.shaded.json.JSONObject;\nimport org.springframework.core.convert.converter.Converter;\nimport org.springframework.security.core.GrantedAuthority;\nimport org.springframework.security.core.authority.SimpleGrantedAuthority;\nimport org.springframework.security.oauth2.jwt.Jwt;\n\nimport java.util.ArrayList;\nimport java.util.Collection;\nimport java.util.Optional;\nimport java.util.stream.Collectors;\n\npublic class CustomKeycloakGrantedAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {\n\n public static final String RESOURCE_ACCESS = "resource_access";\n public static final String ROLES = "roles";\n\n private final String clientId;\n private String authorityPrefix = "ROLE_";\n\n public CustomKeycloakGrantedAuthoritiesConverter(final String clientId) {\n this.clientId = clientId;\n }\n\n \/**\n * This method extracts the elements of the "roles" array for the specified clientId, from the\n * JWT token supplied by Keycloak when a user authenticates. eg where clientId is "my-client-id",\n * and the resource request contains the token below, the roles will be ["user", "admin"].\n * {\n * ...,\n * "resource_access": {\n * "my-client-id": {\n * "roles": [\n * "user",\n * "admin"\n * ]\n * },\n * ...\n * },\n * ...\n * }\n * @param source\n * @return\n *\/\n @Override\n public Collection<GrantedAuthority> convert(final Jwt source) {\n return Optional.ofNullable(source.getClaim(RESOURCE_ACCESS)).stream()\n .map(JSONObject.class::cast)\n .flatMap(resourceAccessClaim -> Optional.ofNullable(resourceAccessClaim.get(clientId)).stream())\n .map(JSONObject.class::cast)\n .flatMap(clientClaim -> Optional.ofNullable(clientClaim.get(ROLES)).stream())\n .map(JSONArray.class::cast)\n .flatMap(roles -> roles.stream())\n .map(role-> new SimpleGrantedAuthority(this.authorityPrefix + role))\n .collect(Collectors.toCollection(ArrayList::new));\n }\n\n public CustomKeycloakGrantedAuthoritiesConverter setAuthorityPrefix(final String authorityPrefix) {\n this.authorityPrefix = authorityPrefix;\n return this;\n }\n}<\/code><\/pre>\n
\nof the endpoints.<\/p>\npackage com.cheerfulprogramming.edwhiting.keycloakdemo.controller.salutations;\n\nimport org.springframework.security.access.prepost.PreAuthorize;\nimport org.springframework.security.core.annotation.AuthenticationPrincipal;\nimport org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;\nimport org.springframework.web.bind.annotation.*;\n\nimport java.security.Principal;\n\n@RestController("salutationsRestController")\n@RequestMapping("\/api\/salutations")\npublic class Controller {\n\n \/**\n * This method is open to any authenticated user.\n *\/\n @GetMapping("\/greeting")\n public String greeting(@AuthenticationPrincipal JwtAuthenticationToken token) {\n \/* You can inject the token as shown above and work with it if you wish *\/\n return "Hello Dave";\n }\n\n \/** \n * This method is protected by Spring security so that only authenticated users \n * with the "special-user" role can execute it.\n *\/\n @PreAuthorize("hasRole('special-user')")\n @GetMapping("\/user")\n public Principal user(Principal user) {\n return user;\n }\n}<\/code><\/pre>\nTest Your New Application<\/h2>\n
\nserver and call the Spring application with an HTTP request. In the real
\nworld, this is something that a browser-based JavaScript application
\nwould do. There is a Keycloak JavaScript client
\nlibrary<\/a>
\navailable for front-end applications, and a wrapper has been produced
\nfor Angular<\/a>. For this
\nsection, however, we will not build a front-end, but we will invoke the
\nendpoints directly. You will need a tool that can send hand-crafted HTTP
\nmessages, such as cURL<\/a>,
\nwget<\/a> or
\nPostman<\/a>. You will also benefit from a JSON
\nformatter such as jq<\/a>. If you are
\nrunning a GNU\/Linux computing environment, your package manager (eg yum,
\napt, pacman) should have the ability to install at least some of these.
\nFor this example I use cURL and jq, in a Bash environment.<\/p>\n
\nsalutations-session-create Keycloak server and create a session token,
\nwhich I have put in a Bash script called keycloak-session-create.sh for
\nconvenience:<\/p>\n#!\/bin\/bash\n\nfunction frontendToken() {\ncurl --request POST https:\/\/localhost:8445\/auth\/realms\/myrealm\/protocol\/openid-connect\/token \\\n --header 'Content-Type: application\/x-www-form-urlencoded' \\\n --data-urlencode 'username=user' \\\n --data-urlencode 'password=password' \\\n --data-urlencode 'client_id=salutations-session-create' \\\n --data-urlencode 'grant_type=password' \\\n --insecure --silent --location \n}\n\nfrontendToken<\/code><\/pre>\n$ chmod 755 keycloak-session-create.sh<\/code><\/pre>\n
\neasily is to pipe the results through jq, as shown:<\/p>\n$ .\/keycloak-session-create.sh | jq<\/code><\/pre>\n
\nsecured end-point is stored in the access_token field. To be able to use
\nit in your next request easily, store it in a variable called TOKEN, as
\nshown (I have used tr to remove the quotes):<\/p>\n$ TOKEN=$(.\/keycloak-session-create.sh | jq .access_token | tr -d '"')<\/code><\/pre>\n
\nearlier. Assuming that it is listening on port 8080, once you have
\nauthenticated as shown above, you can make a request to a secured end
\npoint as shown below. Note that if your session has expired, then
\nenabling –verbose will show the HTTP 401 error message.<\/p>\n$ curl --verbose \\\n --header "Authorization: Bearer $TOKEN" \\\n --header "Content-Type: application\/json" \\\n http:\/\/localhost:8080\/api\/salutations\/greeting<\/code><\/pre>\n
\nrestricted API endpoint in your application:<\/p>\n$ curl --verbose \\\n --header "Authorization: Bearer $TOKEN" \\\n --header "Content-Type: application\/json" \\\n http:\/\/localhost:8080\/api\/salutations\/user \\\n | jq<\/code><\/pre>\n
\nformat about your user account. To test the other, non-special user
\nuser2, modify the keycloak-session-create.sh script to authenticate that
\nuser, create a session token for that user instead, and repeat the HTTP
\nrequests above for that user. You should get an HTTP 403 error for the
\nrequest to http:\/\/localhost:8080\/api\/salutations\/user<\/a>, with the message
\nbeing \\"The request requires higher privileges than provided by the
\naccess token.\\"<\/em>, demonstrating that your priviliges restrictions are
\nworking properly.<\/p>\nFurther Reading<\/h2>\n
\nhttps:\/\/spring.io\/guides\/tutorials\/spring-boot-oauth2\/<\/a><\/p>\n
\nhttps:\/\/spring.io\/guides\/tutorials\/spring-security-and-angular-js\/<\/a><\/p>\n
\nhttps:\/\/www.baeldung.com\/sso-spring-security-oauth2<\/a><\/p>\n
\nhttps:\/\/www.baeldung.com\/rest-api-spring-oauth2-angular-legacy<\/a><\/p>\n