Authenticate APIs with the Keycloak Quarkus distribution

Lincoln munene
3 min read · Jun 20, 2022

For modern applications and services, Keycloak is an open-source software package that enables single sign-on with Identity and Access Management. As of March 2018, Red Hat is in charge of this WildFly community project, which serves as the upstream project for their RH-SSO product.

My main interest in Keycloak is its ability to authenticate microservice endpoints and to provide single sign-on across several of your applications without writing your own signup and login forms. Let's get started.

Installing Keycloak server

To download the server, head to the official Keycloak site and download the zip archive. After downloading it, extract the zip, change into the bin folder and open a terminal there to run this command.

kc.sh start-dev --http-port=8180

Note that you can use any free port on your computer. For this tutorial we used port 8180.

Running the above command starts the server; opening it in the browser should give you the screen to create a new admin user.

Creating a realm

After creating the admin user, you need to create a realm. A realm manages a set of users, credentials, roles, groups and clients. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control. Clients are entities that can request Keycloak to authenticate a user.

Creating a client

You now need to create a client that will host the app users. For this you need to fill in the client ID, which is the name of the client.

Creating a user

After creating the client, you have to create a user who will have the admin role for the client we created above. For this, click the Users link on the menu, fill in the user's username and save. The result should look similar to this.

Click on the Credentials tab to create the user's password. Please note that the password should not be temporary.

Role mappings

We need to assign this new user some roles. Under client roles, select realm-management. Move all the roles from the available roles to the assigned roles, and that's it. Time to test the new server using some tools. This is the fun part of it all 🎉🎉.

It's time to fire up Postman and do some magic. Open Postman and set an environment variable called base_url. But do not worry, I will give you access to the collection of requests.

{{base_url}}/realms/myrealm/protocol/openid-connect/token?

This is the endpoint to get an access token. You should get a response like this.

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1aUhaMF85RTBwZ3IxZU9zY0RqdjNrV2llZzU0ZWV6NEt3Y29JRkQ2aVFRIn0.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.j1bzhcKoZTScRx3aQLd_SOwxTW9Nuv3oAEtfkPwohHXLx5GCPHUoSk1aYEWE-jLwFCrg5abZuQb1GDxRKB_lBEOopRAh7YNQyzRWDzQtKzHW5JLsZi5VVQlm9B-4PhGzqPFEdSLyYWcXjjJUwwea_UNRIHAm4TrXNxOQ-7RP4dYDuL-IH8481Vi6jD6yIqjWbERlsTtu_2ALVNqwHkhnxwfQRiyeJsWaIlLAO5PeVTssroyTNaV1DKNcc0zLLv_ptUJf_v0NXluwryWx4JSC321p-xOI-JEIh_Z0R65i0uVBPaWLDmX8t_My4C-OFz9L7VWycObRG4c-DXb-pSUesQ",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3OWM3Nzc2NC03MmUxLTRmYzUtYTliZC04MzY5ZWE5YjAyNmQifQ.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.iKKFm5u5p0LSC8AQefFN49SwdNo0LuCXDd9Rz-0cAyg",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "a2b8fc36-ad7f-46c3-b60d-5513d01f52af",
  "scope": "profile email"
}

You may have noticed that the token type is Bearer, so we will send it as a bearer token in the requests that follow.

Getting the users in a specific realm is pretty simple; you can use the request below.

{{base_url}}/admin/realms/myrealm/users

Attack detection

We may want to clear all login failures periodically to allow temporarily disabled users to authenticate again. This is possible via the request below.

{{base_url}}/admin/realms/myrealm/attack-detection/brute-force/users

This results in the deletion of those recorded login attempts. The server should return a 204 No Content response, which means the request was processed but returns no body. A list of all available REST API endpoints is available on the main documentation page.
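The three requests above (token endpoint, user listing, clearing brute-force records) chained into one script, as an added example that is not from the original post or from the Keycloak project. It assumes the tutorial's realm name `myrealm`, a client named `myclient` with Direct Access Grants (the `password` grant) enabled, and the server on port 8180; `PAGE_ACCESS_TOKEN_HEADER` is the header segment of the access token shown in the response above, and `sample_token` builds a constructed, unsigned token so the parsing part runs offline. Note that the tutorial grants the user every realm-management role; listing users only needs `view-users`, so a service account that does nothing else should get only that.

```python
"""Keycloak walkthrough as a script: get a token, inspect it, list users, clear brute-force records.

Added example. Assumptions: realm `myrealm`, client `myclient` with Direct Access Grants
enabled, base URL http://localhost:8180 (the --http-port=8180 from the tutorial).
"""
import base64
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8180"
REALM = "myrealm"
CLIENT_ID = "myclient"  # assumption: the client created in the tutorial

# Header segment of the access token shown in the tutorial's response; decodes to alg RS256.
PAGE_ACCESS_TOKEN_HEADER = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1aUhaMF85RTBwZ3IxZU9zY0RqdjNrV2llZzU0ZWV6NEt3Y29JRkQ2aVFRIn0"
)


def token_request(base_url, realm, client_id, username, password):
    """Build the POST for the token endpoint (Resource Owner Password grant).

    Returns (url, form_body) so the request can be inspected without a server.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    return url, urllib.parse.urlencode(form).encode()


def decode_jwt_unverified(token):
    """Split a JWT into (header, payload) dicts WITHOUT checking the signature.

    For inspection only (alg, kid, exp, scope). A resource server must verify the RS256
    signature against the realm's JWKS before trusting any claim.
    """
    header_b64, payload_b64, _signature = token.split(".")

    def b64url_json(segment):
        padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64url padding
        return json.loads(base64.urlsafe_b64decode(padded))

    return b64url_json(header_b64), b64url_json(payload_b64)


def is_expired(payload, now=None):
    """True if the `exp` claim (seconds since epoch) is not in the future."""
    now = time.time() if now is None else now
    return payload.get("exp", 0) <= now


def sample_token(exp):
    """Constructed, unsigned token for offline runs: page header + made-up payload + placeholder.

    Any verifying server rejects it; it exists only to exercise decode_jwt_unverified.
    """
    payload = json.dumps({"exp": exp, "scope": "profile email"}).encode()
    payload_b64 = base64.urlsafe_b64encode(payload).rstrip(b"=").decode()
    return f"{PAGE_ACCESS_TOKEN_HEADER}.{payload_b64}.placeholder-signature"


def bearer_headers(access_token):
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def list_users_request(base_url, realm, access_token):
    """GET /admin/realms/{realm}/users; needs the realm-management `view-users` role."""
    return "GET", f"{base_url}/admin/realms/{realm}/users", bearer_headers(access_token)


def clear_brute_force_request(base_url, realm, access_token):
    """DELETE /admin/realms/{realm}/attack-detection/brute-force/users; server answers 204."""
    url = f"{base_url}/admin/realms/{realm}/attack-detection/brute-force/users"
    return "DELETE", url, bearer_headers(access_token)


def call(method, url, headers, body=None):
    """Send the request and return (status, parsed JSON or None for an empty body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    import getpass
    url, body = token_request(BASE_URL, REALM, CLIENT_ID, input("username: "), getpass.getpass("password: "))
    _, tokens = call("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    header, payload = decode_jwt_unverified(tokens["access_token"])
    print("alg:", header["alg"], "kid:", header["kid"], "expires_in:", tokens["expires_in"])
    status, users = call(*list_users_request(BASE_URL, REALM, tokens["access_token"]))
    print(status, [u.get("username") for u in users])
    status, _ = call(*clear_brute_force_request(BASE_URL, REALM, tokens["access_token"]))
    print("brute-force records cleared, status", status)  # 204 No Content
```

Run it with the server from the tutorial started; the request-building functions are separated from `call` so the endpoints and headers can be checked without a server, and `decode_jwt_unverified` is deliberately named to make clear that it reads claims without proving who issued them.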

To view my Postman collection, click this link here and set up your own environment variables.

Conclusion

When Keycloak is well configured, your organization saves a lot of time in setting up secure microservices and also monolith applications.

For more on this, you can reach out to me via admin@lifegeegs.com and I'll get back as soon as possible.
