
Our Keycloak Experience at Paisley Digital


Overview

In this article, I’d like to introduce Keycloak, a solution for managing authentication and authorization that we have extensive experience using at Paisley Digital.

Keycloak is an open-source project developed and maintained by the RedHat Community.

“Keycloak is an open-source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.”

It also has many other attractive features, including User Federation, Identity Brokering, Social Login, and so on.

First, I’m going to set Keycloak up with a basic configuration and talk about its main features. Then I will configure and develop a Spring Boot application secured by Keycloak.

You can check out the full source code of the demo project we’re going to build on GitHub.

Let’s get started!

Keycloak

  1. What is Keycloak? IAM (Identity and Access Management) or IdM (Identity Management) is a framework used to authenticate a user’s identity and manage their privileges. Keycloak is an identity and access management (IAM) solution for numerous applications and services, developed by RedHat, the world’s biggest open-source software producer. The server comprises all the important capabilities that an IAM solution needs to provide.

  2. Advantages of Keycloak

    • Authorization & Authentication
      • Log in with one account to any of several related systems.
    • Identity Brokering
      • An intermediary service that connects multiple service providers with different identity providers via OpenID Connect or SAML 2.0 IdPs.
    • LDAP & Active Directory
      • Access to and querying of directory servers and corporate data for authorized individuals.
    • Security
      • Completely isolated from applications; applications never see a user’s credentials.
    • Up-to-Date
      • Upgradable, with regular releases and a road map.
    • Performance
      • Keycloak is a powerful solution for enterprise applications.
    • Active Community
      • Has a very active community.
    • Scalability
      • Can be adapted to your needs, and there are several ways to set up a Keycloak cluster for various scenarios.
    • Open Source
  3. Keycloak Setup Process

    The installation process is based on its official manual.

    • Download and unzip the installation file

    • Open $keycloak_path/standalone/configuration/standalone.xml with an editor:

      • Find the public interface tag and replace 127.0.0.1 with 0.0.0.0 if you want the server to bind to all network interfaces:

        <interface name="public">
           <inet-address value="${jboss.bind.address:0.0.0.0}"/>
        </interface>

    • Run $keycloak_path/bin/standalone.sh to start Keycloak server

    • Run $keycloak_path/bin/jboss-cli.sh and type connect in the opened CLI to ensure that the server is up and running; you can exit the CLI afterwards.

    • Run $keycloak_path/bin/add-user-keycloak.sh -r master -u admin -p admin to add an admin user to Keycloak.

    • Restart the server.

    • Go to https://SERVER_ADDRESS:8443/auth/admin/master/console/

      You can set it up on a dev machine on AWS or GC.

    • To add a realm, go to https://SERVER_ADDRESS:8443/auth/admin/master/console/#/realms/master and add a realm. In our case we will add the paisley realm (use your own realm name) for the development environment.

    • You can customize the created realm in the redirected page with options provided.

      (screenshot: Add Realm)

    • Create a client named paisley-client (you can change it to your own name).

      (screenshot: Add Client)

    • Go to the created client, change the Access Type to confidential and, just below the Access Type field, enable the OAuth flows that are required for our scenarios.

      (screenshot: Client Settings)

    • Create a role; in this case we created a CUSTOMER role in the paisley-client client.

      (screenshot: Add Role)

  • Go to Clients, choose paisley-client, and select the Mappers tab to create a mapper for the username as shown in the attached screen recording:

    • Enter Username in the Name field

    • Choose User Property in the Mapper Type field

    • Enter username in the Property field

    • Enter user_name in the Token Claim Name field

      (screenshot: Client Mapping)

  • Create a user

    (screenshot: Add User)

  • Add a role to the user

    (screenshot: Add Role to User)

  • Impersonate the user and set a password

    (screenshot: Set Password by Impersonation)


  • Get the client secret from the client page, Credentials tab

    (screenshot: Client Credentials)

  • Test getting a token with curl (password grant against the token endpoint of your realm; the client_id is the client created above):

    curl --location \
       --request POST 'https://your-host:8443/auth/realms/your-realm/protocol/openid-connect/token' \
       --header 'Content-Type: application/x-www-form-urlencoded' \
       --data-urlencode 'client_id=paisley-client' \
       --data-urlencode 'grant_type=password' \
       --data-urlencode 'username=username' \
       --data-urlencode 'password=****' \
       --data-urlencode 'client_secret=******'

  • The output of the above command should be similar to:

    {
      "access_token":"eyJhbGciOiJSUzI1…...",
      "token_type":"bearer",
      "not-before-policy":0,
      "session_state":"6e0a4f56-871c-4f68-bdf0-3e16d5b6ad27",
      "scope":"email profile"
    }

    • The above token can be decoded on the jwt.io website.
  • Go to https://your-host:8443/auth/realms/your-realm/.well-known/openid-configuration to find the issuer URL. Issuer URL is https://your-hostl:8443/auth/realms/your-realm/.well-known/openid-configuration in this case, open it and copy public key, we need it for spring-boot configuration. Mind the format of public key string in application.yml, there are prefix and suffix stuff and a line break as \n which above string will be enclosed in between.