Sample AngularJS / Spring Boot app using Keycloak Authorization services.
Few months ago, I've played with Authorization services in Keycloak (was using the 4.0.0.Final) and I’d like to share some feedbacks and thoughts about using it on my Spring Boot application. Disclaimer: I’m not a security guru and may have misunderstood some concepts.
The goal of this repository is to light up some parts that seems a little weird to me. And eventually work onto a better approach.
Basically, my need was the following : to associate a role to particular resource instances (and not resource types). For example, in my app I wanted to declare a user has being able to manage the services « ABC » and « DEF » but not the « XYZ ». Some actions on this resource instances (update / delete) are denied to other users and roles.
In practical, this implies to :
- Being able to have the information (resource instances manageable by user) on the client side in order to adapt the GUI (adding some buttons, displaying some admin infos, …)
- Being able to get this information on server side to filter out REST APIs
- Having some complete APIs allowing :
- To get list of candidate users,
- To associate resource instances to users,
- To get resource instances manageable by any user (when being a super-admin)
At first, I thought it was a good pick for Keycloak Authorization services and that it will solve all my problems. The application within its repository highlights that:
- All issues/requirements are not solved by AuthZ services only but with a mix of different Keycloak APIs,
- UMA and AuthZ Services may not be the best fit as the problem they solved is much more related to protect private resources and not easily allow management of shared ones.
So start by cloning this repository to get a fresh local copy:
$ git clone https://github.com/lbroudoux/spring-boot-keycloak-authz.git
Download a Keycloak distribution (I have used 4.0.0-Final
release) and start the server locally.
You'll just have to go to ${KEYCLOAK_HOME}/bin
directory and execute the following command.
$ ./standalone.sh -Djboss.socket.binding.port-offset=100
That way, you should have a running instance at http://localhost:8180
. This is the default URL
used by application and cannot be changed easily yet.
Use that URL in your browser to access the administration console of Keycloak.
It is located at http://localhost:8180/auth
. Connect using the Keycloak default administration user
admin/123
if it's the first time you login. Keycloak requires changing this passwork at first login.
Create a new Keycloak realm by importing the /src/main/resources/sbauthz-realm-config.json
file.
This should a realm called simply sbauthz
.
Before launching everything, you need to retrieve some frontend compoents. For that, we'll use bower
.
So just execute bower install
within your clone directory.
Now just launch the mvn spring-boot:run
command:
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v1.5.10.RELEASE)
[INFO] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - Starting SpringBootKeycloakAuthzApplication on lbroudoux-OSX with PID 5607 (/Users/lbroudou/Development/github/spring-boot-keycloak-authz/target/classes started by lbroudou in /Users/lbroudou/Development/github/spring-boot-keycloak-authz)
[DEBUG] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - Running with Spring Boot v1.5.10.RELEASE, Spring v4.3.14.RELEASE
[INFO] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - No active profile set, falling back to default profiles: default
[DEBUG] org.jboss.logging - Logging Provider: org.jboss.logging.Slf4jLoggerProvider found via system property
[DEBUG] org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve - Using org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver to resolve Keycloak configuration on a per-request basis.
[INFO] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - Started SpringBootKeycloakAuthzApplication in 1.783 seconds (JVM running for 4.451)
The application has started after you just see those lines. The application is deployed on http://localhost:8080
.
Default configuration comes with 3 users:
- admin (
admin/<new_password>
) is administrator and is able to administrate realm - jdoe (
jdoe/jdoe
) is simple user - alice (
alice/alice
) is user and manager of resources
All users have extra role uma_authorization
so that they can respond to UMA Challenge.
The main page for tests is http://localhost:8080/#/authz
. It is reachable via the User Mgt
entry menu that
is only visible for the admin
role.
Get Users
allows to retrieve all users from realm,
Once users have been loaded, you should have access to extra links in order to get user roles, attach resource to users or get resources managed/owned by user. See below for more on resources.
Create Resource
illustrates the declaration of a Resource on Keycloak side,
This should be done in the same time you create resources into your application database.
Clean Resource
illustrates how to destroy a Resource on Keycloak side,Check Identity
illustrates the invocation of a protected Resource with resolution of the UMA challenge on the client side,Attach Resource
near to user illustrates the attachment of the previously created Resource to a user on the server side,
This should be done when you're assigning the
manager
role to a Resource within your application. Target user is declared asowner
on the Keycloak side.
Get Owned Resources
near to user illustrates how to retrieve Resources owned by user on the server side,