Download Keycloak from https://www.keycloak.org/downloads.html (N.B. version 4.6.0.Final was used when writing this guide, on Ubuntu 18.04.1 LTS). Run a Keycloak instance with
~/keycloak-4.6.0.Final/bin/standalone.sh
The admin interface is running (by default) at http://127.0.0.1:8080
On first access, create the admin user:
Admin credentials:
usr: admin
pwd: adminKtest15$
A Keycloak configuration file (with the realm, clients and users used in the following sections) is available in /keycloak-app-configs as realm-export.json. In order to use it:
- Download /keycloak-app-configs/realm-export.json
- In the Keycloak welcome page hover over Master, then choose Add realm
- Import the realm from the downloaded file
The environment should now be up and running with the proper configuration. The following sections (Realm, Client, Users) give more details about how the setup was performed.
Create realm testRealm
- Copy the realm's RS256 public key into config-authorization.ini
Create client:
- ClientID: testClientAPI
- Client protocol: OpenID Connect
- Access type: bearer-only
- Authorization enabled: ON
- Client Authenticator: Client ID and Secret
- Regenerate Secret
- Secret: d438d34e-3a86-4026-bb05-b3e3c4966e10 (to be copied into ./config/config-authorization.ini)
Create client:
- ClientID: testGetTokenClient
- Client protocol: OpenID Connect
- Access type: public
- Authorization enabled: OFF
- Valid redirect URIs: http://localhost
Create a simple user testuser
testUser credentials:
usr: testuser
pwd: user123
The application has been developed using Python 2.7.15rc1. In order to install the requirements, open a shell and run
cd src
pip install -r requirements.txt
The app exposing the endpoints can be easily run with
python ./src/services.py
Note: Flask is used here for demonstration purposes only. DO NOT run Flask's development server alone in a production environment; see the Flask deployment options.
This class provides some utilities to handle the tokens exchanged between the app and Keycloak.
In order to get an access token for the user 'testuser', one might use curl to perform a POST request:
curl -v --data "grant_type=password&client_id=testGetTokenClient&username=testuser&password=user123" http://localhost:8080/auth/realms/testRealm/protocol/openid-connect/token
- grant_type 'password' corresponds to the public access type for the client
- client_id is the id of the client providing the access_token
- username and password are the credentials for the user requesting the access token
The very same access token can be retrieved using a (properly set up) AuthorizationHelper.get_user_token() (see test.py for an example).
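The following is an added example, not code from this repository and not the project's AuthorizationHelper: it builds the same password-grant request as the curl command above, and shows what the bearer-only API side has to do with the token it receives (extract it from the Authorization header, read the claims, check issuer and expiry, and verify the RS256 signature with the realm public key copied into config-authorization.ini). Function names, the sample unsigned token and the leeway value are this example's own assumptions; base URL, realm, client ids and user credentials are the ones from this guide. It targets Python 3 rather than the 2.7 the project was written for, and only verify_rs256 needs a third-party package (PyJWT with its crypto extra).

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Values taken from the guide above
KEYCLOAK_BASE = "http://localhost:8080/auth"
REALM = "testRealm"
TOKEN_CLIENT = "testGetTokenClient"   # public client used for the password grant
ISSUER = "%s/realms/%s" % (KEYCLOAK_BASE, REALM)


def build_token_request(username, password, client_id=TOKEN_CLIENT):
    """Return (url, form body) equivalent to the curl command in the guide."""
    url = "%s/protocol/openid-connect/token" % ISSUER
    body = urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password})
    return url, body


def fetch_token(username, password):
    """POST the password grant to Keycloak and return the access_token (network call)."""
    url, body = build_token_request(username, password)
    req = Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Read the payload claims only; this does NOT check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def extract_bearer_token(authorization_header):
    """Return the token from 'Authorization: Bearer <token>', or None if absent/malformed."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def validate_claims(claims, now=None, leeway=30):
    """Check issuer, expiry and token type; returns (ok, reason). leeway is an assumption."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired or missing exp"
    if claims.get("typ", "Bearer") != "Bearer":
        return False, "not a bearer token"
    return True, "ok"


def realm_key_to_pem(raw_key):
    """Wrap the bare base64 key shown in the Keycloak admin console as a PEM public key."""
    lines = [raw_key[i:i + 64] for i in range(0, len(raw_key), 64)]
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % "\n".join(lines)


def verify_rs256(token, public_key_pem):
    """Full signature + issuer check with the realm RS256 public key (needs PyJWT)."""
    import jwt  # imported lazily so everything else runs without pyjwt installed
    # Keycloak's default aud claim is 'account', so audience is not enforced here;
    # the caller should check the azp claim against the expected client instead.
    return jwt.decode(token, public_key_pem, algorithms=["RS256"], issuer=ISSUER,
                      options={"verify_aud": False})


# Constructed, unsigned sample token (signature segment is a placeholder) for offline use
SAMPLE_CLAIMS = {"iss": ISSUER, "exp": 2000000000, "typ": "Bearer",
                 "azp": TOKEN_CLIENT, "preferred_username": "testuser"}
SAMPLE_TOKEN = "%s.%s.placeholder-signature" % (
    _b64url_encode({"alg": "RS256", "typ": "JWT"}), _b64url_encode(SAMPLE_CLAIMS))


if __name__ == "__main__":
    claims = decode_jwt_claims(extract_bearer_token("Bearer " + SAMPLE_TOKEN))
    print(claims["preferred_username"], validate_claims(claims))
```

In a real request handler, decode_jwt_claims is only useful for logging and routing decisions; the trust decision must come from verify_rs256 (or an equivalent signature check) before validate_claims is consulted.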
At the moment, a basic set of test cases is available. They can be run with
python ./src/test.py