forked from quarkusio/quarkus
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[fixes quarkusio#4495] - Quarkus Keycloak Authorization Extension
- Loading branch information
Showing
32 changed files
with
2,092 additions
and
41 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
292 changes: 292 additions & 0 deletions
292
docs/src/main/asciidoc/keycloak-authorization-guide.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,292 @@ | ||
| //// | ||
| This guide is maintained in the main Quarkus repository | ||
| and pull requests should be submitted there: | ||
| https://github.com/quarkusio/quarkus/tree/master/docs/src/main/asciidoc | ||
| //// | ||
|
|
||
| = Quarkus - Using Keycloak Authorization Services and Policy Enforcer to Protect JAX-RS Applications | ||
|
|
||
| include::./attributes.adoc[] | ||
|
|
||
| This guide demonstrates how your Quarkus application can authorize access to protected resources using https://www.keycloak.org/docs/latest/authorization_services/index.html[Keycloak Authorization Services]. | ||
|
|
||
| The `quarkus-keycloak-authorization` extension provides a policy enforcer that enforces access to protected resources based on permissions managed by Keycloak. | ||
| It provides a flexible and dynamic authorization capability based on Resource-Based Access Control. | ||
| In other words, instead of explicitly enforce access based on some specific access control mechanism (e.g.: RBAC), you just check whether or not a request is allowed to access a resource based on its name, identifier or URI. | ||
|
|
||
| By externalizing authorization from your application, you are allowed to protect your applications using different access control mechanisms as well as avoid re-deploying your application every time your security requirements change, where Keycloak will be acting as a centralized authorization service from where your protected resources and their associated permissions are managed. | ||
|
|
||
| If you are already familiar with Keycloak, you’ll notice that the extension is basically another adapter implementation but specific for Quarkus applications. | ||
| Otherwise, you can find more information in the Keycloak https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_overview[documentation]. | ||
|
|
||
| == Prerequisites | ||
|
|
||
| To complete this guide, you need: | ||
|
|
||
| * less than 15 minutes | ||
| * an IDE | ||
| * JDK 1.8+ installed with `JAVA_HOME` configured appropriately | ||
| * Apache Maven 3.5.3+ | ||
| * https://stedolan.github.io/jq/[jq tool] | ||
| * Docker | ||
|
|
||
| == Architecture | ||
|
|
||
| In this example, we build a very simple microservice which offers two endpoints: | ||
|
|
||
| * `/api/users/me` | ||
| * `/api/admin` | ||
|
|
||
| These endpoints are protected and can only be accessed if a client is sending a bearer token along with the request, which must be valid (e.g.: signature, expiration and audience) and trusted by the microservice. | ||
|
|
||
| The bearer token is issued by a Keycloak Server and represents the subject to which the token was issued for. | ||
| For being an OAuth 2.0 Authorization Server, the token also references the client acting on behalf of the user. | ||
|
|
||
| The `/api/users/me` endpoint can be accessed by any user with a valid token. | ||
| As a response, it returns a JSON document with details about the user where these details are obtained from the information carried on the token. | ||
| This endpoint is protected with RBAC (Role-Based Access Control) and only users granted with the `user` role can access this endpoint. | ||
|
|
||
| The `/api/admin` endpoint is protected with RBAC (Role-Based Access Control) and only users granted with the `admin` role can access it. | ||
|
|
||
| This is a very simple example using RBAC policies to govern access to your resources. | ||
| However, Keycloak supports other types of policies that you can use to perform even more fine-grained access control. | ||
| By using this example, you'll see that your application is completely decoupled from your authorization policies with enforcement being purely based on the accessed resource. | ||
|
|
||
| == Solution | ||
|
|
||
| We recommend that you follow the instructions in the next sections and create the application step by step. | ||
| However, you can go right to the completed example. | ||
|
|
||
| Clone the Git repository: `git clone {quickstarts-clone-url}`, or download an {quickstarts-archive-url}[archive]. | ||
|
|
||
| The solution is located in the `keycloak-authorization` {quickstarts-tree-url}/keycloak-authorization[directory]. | ||
|
|
||
| == Creating the Maven Project | ||
|
|
||
| First, we need a new project. | ||
| Create a new project with the following command: | ||
|
|
||
| [source,subs=attributes+] | ||
| ---- | ||
| mvn io.quarkus:quarkus-maven-plugin:{quarkus-version}:create \ | ||
| -DprojectGroupId=org.acme \ | ||
| -DprojectArtifactId=keycloak-authorization \ | ||
| -Dextensions="oidc, keycloak-authorization, resteasy-jsonb" | ||
| ---- | ||
|
|
||
| This command generates a Maven project, importing the `keycloak-authorization` extension which is an implementation of a Keycloak Adapter for Quarkus applications and provides all the necessary capabilities to integrate with a Keycloak Server and perform bearer token authorization. | ||
|
|
||
| == Writing the application | ||
|
|
||
| Let's start by implementing the `/api/users/me` endpoint. | ||
| As you can see from the source code below it is just a regular JAX-RS resource: | ||
|
|
||
| [source,java] | ||
| ---- | ||
| package org.acme.keycloak; | ||
| import javax.inject.Inject; | ||
| import javax.ws.rs.GET; | ||
| import javax.ws.rs.Path; | ||
| import javax.ws.rs.Produces; | ||
| import javax.ws.rs.core.MediaType; | ||
| import org.jboss.resteasy.annotations.cache.NoCache; | ||
| import io.quarkus.security.identity.SecurityIdentity; | ||
| @Path("/api/users") | ||
| public class UsersResource { | ||
| @Inject | ||
| SecurityIdentity identity; | ||
| @GET | ||
| @Path("/me") | ||
| @Produces(MediaType.APPLICATION_JSON) | ||
| @NoCache | ||
| public User me() { | ||
| return new User(identity); | ||
| } | ||
| public class User { | ||
| private final String userName; | ||
| User(SecurityIdentity identity) { | ||
| this.userName = identity.getPrincipal().getName(); | ||
| } | ||
| public String getUserName() { | ||
| return userName; | ||
| } | ||
| } | ||
| } | ||
| ---- | ||
|
|
||
| The source code for the `/api/admin` endpoint is also very simple: | ||
|
|
||
| [source,java] | ||
| ---- | ||
| package org.acme.keycloak; | ||
| import javax.ws.rs.GET; | ||
| import javax.ws.rs.Path; | ||
| import javax.ws.rs.Produces; | ||
| import javax.ws.rs.core.MediaType; | ||
| import io.quarkus.security.Authenticated; | ||
| @Path("/api/admin") | ||
| @Authenticated | ||
| public class AdminResource { | ||
| @GET | ||
| @Produces(MediaType.TEXT_PLAIN) | ||
| public String admin() { | ||
| return "granted"; | ||
| } | ||
| } | ||
| ---- | ||
|
|
||
| Note that we did not define any annotation such as `@RoleAllowed` to explicitly enforce access to a resource. | ||
| The extension will be responsible to map the URIs of the protected resources you have in Keycloak and evaluate the permissions accordingly, granting or denying access depending on the permissions that will be granted by Keycloak. | ||
|
|
||
| == Configuring the application | ||
|
|
||
| The OpenID Connect extension allows you to define the adapter configuration using the `application.properties` file which should be located at the `src/main/resources` directory. | ||
|
|
||
| === Configuring using the application.properties file | ||
|
|
||
| [source,properties] | ||
| ---- | ||
| # OIDC Configuration | ||
| quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus | ||
| quarkus.oidc.client-id=backend-service | ||
| quarkus.oidc.credentials.secret=secret | ||
| # Enable Policy Enforcement | ||
| quarkus.keycloak.policy-enforcer.enable=true | ||
| ---- | ||
|
|
||
| === Configuring CORS | ||
|
|
||
| If you plan to consume this application from another application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). | ||
| Please read the link:http-reference.html#cors-filter[HTTP CORS documentation] for more details. | ||
|
|
||
| == Starting and Configuring the Keycloak Server | ||
|
|
||
| To start a Keycloak Server you can use Docker and just run the following command: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| docker run --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8180:8080 quay.io/keycloak/keycloak | ||
| ---- | ||
|
|
||
| You should be able to access your Keycloak Server at http://localhost:8180/auth[localhost:8180/auth]. | ||
|
|
||
| Log in as the `admin` user to access the Keycloak Administration Console. | ||
| Username should be `admin` and password `admin`. | ||
|
|
||
| Import the {quickstarts-tree-url}/keycloak-authorization/config/quarkus-realm.json[realm configuration file] to create a new realm. | ||
| For more details, see the Keycloak documentation about how to https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm[create a new realm]. | ||
|
|
||
| == Running and Using the Application | ||
|
|
||
| === Running in Developer Mode | ||
|
|
||
| To run the microservice in dev mode, use `./mvnw clean compile quarkus:dev`. | ||
|
|
||
| === Running in JVM Mode | ||
|
|
||
| When you're done playing with "dev-mode" you can run it as a standard Java application. | ||
|
|
||
| First compile it: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| ./mvnw package | ||
| ---- | ||
|
|
||
| Then run it: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| java -jar ./target/keycloak-authorization-runner.jar | ||
| ---- | ||
|
|
||
| === Running in Native Mode | ||
|
|
||
| This same demo can be compiled into native code: no modifications required. | ||
|
|
||
| This implies that you no longer need to install a JVM on your production environment, as the runtime technology is included in the produced binary, and optimized to run with minimal resource overhead. | ||
|
|
||
| Compilation will take a bit longer, so this step is disabled by default; let's build again by enabling the `native` profile: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| ./mvnw package -Pnative | ||
| ---- | ||
|
|
||
| After getting a cup of coffee, you'll be able to run this binary directly: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| ./target/keycloak-authorization-runner | ||
| ---- | ||
|
|
||
| == Testing the Application | ||
|
|
||
| The application is using bearer token authorization and the first thing to do is obtain an access token from the Keycloak Server in order to access the application resources: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| export access_token=$(\ | ||
| curl -X POST http://localhost:8180/auth/realms/quarkus/protocol/openid-connect/token \ | ||
| --user backend-service:secret \ | ||
| -H 'content-type: application/x-www-form-urlencoded' \ | ||
| -d 'username=alice&password=alice&grant_type=password' | jq --raw-output '.access_token' \ | ||
| ) | ||
| ---- | ||
|
|
||
| The example above obtains an access token for user `alice`. | ||
|
|
||
| Any user is allowed to access the | ||
| `http://localhost:8080/api/users/me` endpoint | ||
| which basically returns a JSON payload with details about the user. | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| curl -v -X GET \ | ||
| http://localhost:8080/api/users/me \ | ||
| -H "Authorization: Bearer "$access_token | ||
| ---- | ||
|
|
||
| The `http://localhost:8080/api/admin` endpoint can only be accessed by users with the `admin` role. | ||
| If you try to access this endpoint with the previously issued access token, you should get a `403` response from the server. | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| curl -v -X GET \ | ||
| http://localhost:8080/api/admin \ | ||
| -H "Authorization: Bearer "$access_token | ||
| ---- | ||
|
|
||
| In order to access the admin endpoint you should obtain a token for the `admin` user: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| export access_token=$(\ | ||
| curl -X POST http://localhost:8180/auth/realms/quarkus/protocol/openid-connect/token \ | ||
| --user backend-service:secret \ | ||
| -H 'content-type: application/x-www-form-urlencoded' \ | ||
| -d 'username=admin&password=admin&grant_type=password' | jq --raw-output '.access_token' \ | ||
| ) | ||
| ---- | ||
|
|
||
| == References | ||
|
|
||
| * https://www.keycloak.org/documentation.html[Keycloak Documentation] | ||
| * https://www.keycloak.org/docs/latest/authorization_services/index.html[Keycloak Authorization Services Documentation] | ||
| * https://openid.net/connect/[OpenID Connect] | ||
| * https://tools.ietf.org/html/rfc7519[JSON Web Token] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.