Lab#36 Setup AUTH server with KeyCloak

Step#1 You can run Keyclock as a docker container or just directly on jdk17

https://www.keycloak.org/.

To run without docker, see https://www.keycloak.org/getting-started/getting-started-zip

If running as application then.

Figure 1. Download Keycloak

Figure 2. Start Keycloak

Start the keycloak server and open the keycloak dashboard.

Keycloak Dashboard:

Figure 3. Keycloak Dashboard

A realm is a boundary where you can create a set of client or user credentials.

Figure 4. Keycloak Realm

Minimum Java version is 17.

---

Step#2 Register client details with KeyCloak. Select “Clients” option and “Create Client”

Figure 5. Clients > Create Client

Figure 6. Create Client 1

Figure 7. Create Client 2

Leave Root URL and Home URL empty and select “Save”

Figure 8. Create Client 3

Credentials have been generated by KeyCloak and can be seen here.

Figure 9. Client Secret

---

Step#3 Getting an access token using the client details. In the keycloak, click on the realm settings

Figure 10. Realm Settings

Figure 11. OpenID Endpoint Configuration

Find the token endpoint

openid-configuration: http://localhost:8080/realms/master/.well-known/openid-configuration

Figure 12. Token Endpoint

Figure 13. Postman x-www-form-urlencoded

Figure 14. Access Token

Token can be decoded. Examine the contents.

JWT.io

Figure 15. JWT Decoded

---

Step#4 Convert our gateway server to a resource server. Then we should send the access token to the resource server. First three new dependencies are need in the gatewayserver.

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-resource-server</artifactId>
        </dependency>

Add a new class in the gateway server

Figure 16. SecurityConfig Class

package com.tus.gatewayserver.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity.authorizeExchange(exchanges -> exchanges.pathMatchers(HttpMethod.GET).permitAll()
            .pathMatchers("/tusbank/accounts/**").authenticated()
            .pathMatchers("/tusbank/cards/**").authenticated()
            .pathMatchers("/tusbank/loans/**").authenticated())
            .oauth2ResourceServer(oAuth2ResourceServerSpec -> oAuth2ResourceServerSpec
                .jwt(Customizer.withDefaults()));

        serverHttpSecurity.csrf(csrfSpec -> csrfSpec.disable());
        return serverHttpSecurity.build();
    }
}

And in application.yml add the url for the KeyCloak server.

  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: "http://localhost:8080/realms/master/protocol/openid-connect/certs"

Restart the gateway server. Now try a "GET" request and it should be successful. No security expected.

GET localhost:8072/tusbank/accounts/api/contact-info

Figure 17. Postman Accounts Contact Info Endpoint

GET localhost:8072/tusbank/cards/api/cards/java-version

Figure 18. Postman Cards Java Version Endpoint

GET localhost:8072/tusbank/loans/api/build-info

Figure 19. Postman Loans Build Info Endpoint

Now try a method other than GET – 401 – Unauthorized is returned.

POST localhost:8072/tusbank/accounts/api/accounts

Request body

{
    "name": "Joe Security",
    "email": "joe@gamil.com",
    "mobileNumber": "5432154321"
}

Figure 20. Postman Post New Account

To allow POST etc. ,we need to fetch the access token. The fetching of the token can be done as part of the Postman request.

We could copy in the token into the request header or use the feature of postman to get an access token as part of the request by setting authorization information in the Postman request..

Figure 21. Postman OAuth 2.0 Token

Scroll down to “Configure New token”

Figure 22. Configure New Token

Figure 23. Get New Access Token

Figure 24. Authentication Complete

Figure 25. Use Token

Figure 26. Postman Post New Account

Figure 27. Postman Authorisation

Adding authorization. Configure roles based authorization
Update the gateway SecurityConfig class

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity.authorizeExchange(exchanges -> exchanges.pathMatchers(HttpMethod.GET).permitAll()
            .pathMatchers("/tusbank/accounts/**").hasRole("ACCOUNTS")
            .pathMatchers("/tusbank/cards/**").hasRole("CARDS")
            .pathMatchers("/tusbank/loans/**").hasRole("LOANS"))
            .oauth2ResourceServer(oAuth2ResourceServerSpec -> oAuth2ResourceServerSpec
                .jwt(Customizer.withDefaults()));

        serverHttpSecurity.csrf(csrfSpec -> csrfSpec.disable());
        return serverHttpSecurity.build();
    }
}

Create roles using Keycloak

Figure 28. Keycloak Realm Roles

Figure 29. Keycloak Create Roles

Figure 30. Keycloak Clients

Figure 31. Service Accounts Roles

Figure 32. Assign Roles

Now try to get an access token

Figure 33. Postman Get Access Token

Put it into the jwt.io

Figure 34. Decode Access Token

You can find the custom role information now included in the token.

Create a new class in the config package

Figure 35. KecloakRoleConvertor Class

package com.tus.gatewayserver.config;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

public class KeycloakRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
    @Override
    public Collection<GrantedAuthority> convert(Jwt source) {
        Map<String, Object> realmAccess = (Map<String, Object>) source.getClaims().get("realm_access");
        if (realmAccess == null || realmAccess.isEmpty()) {
            return new ArrayList<>();
        }
        Collection<GrantedAuthority> returnValue = ((List<String>) realmAccess.get("roles"))
                .stream().map(roleName -> "ROLE_" + roleName)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        return returnValue;
    }
}

Code provided.

In the SecurityConfig.java add a new method

    private Converter<Jwt, Mono<AbstractAuthenticationToken>> grantedAuthoritiesExtractor() {
            JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
            jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter());
            return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);
    }

Update a line in the springSecurityFilterChain method to remove the default handling.

@Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) {
        serverHttpSecurity.authorizeExchange(exchanges -> exchanges.pathMatchers(HttpMethod.GET).permitAll()
            .pathMatchers("/tusbank/accounts/**").hasRole("ACCOUNTS")
            .pathMatchers("/tusbank/cards/**").hasRole("CARDS")
            .pathMatchers("/tusbank/loans/**").hasRole("LOANS"))
            .oauth2ResourceServer(oAuth2ResourceServerSpec -> oAuth2ResourceServerSpec
                        .jwt(jwtSpec -> jwtSpec.jwtAuthenticationConverter(grantedAuthoritiesExtractor()))); 

        serverHttpSecurity.csrf(csrfSpec -> csrfSpec.disable());
        return serverHttpSecurity.build();
    }

Got to Postman and create a new account. Generate a new access token as before.

POST localhost:8072/tusbank/accounts/api/accounts

Figure 36. Postman Create New Account

POST localhost:8072/tusbank/cards/api/cards

Figure 37. 403 Forbidden

This is now 403 (not 401) because I am authorized but I do not have enough privileges.
In KeyCloak, create a new role for CARDS

Figure 38. KeyCloak New Cards Role

Figure 39. Service Accounts Roles

Figure 40. Assign Roles to tusbank-callcenter-cc

Test in Postman

POST localhost:8072/tusbank/cards/api/cards?mobileNumber=5432154355

Figure 41. Test in Postman

Now also add a role for LOANS

Figure 42. Create Loans Role

Figure 43. Assign Role

POST localhost:8072/tusbank/loans/api/loans?mobileNumber=5432154355

Figure 44. Authorisation