Skip to content

Commit

Permalink
[fixes #4495] - Quarkus Keycloak Authorization Extension
Browse files Browse the repository at this point in the history
  • Loading branch information
pedroigor committed Oct 23, 2019
1 parent b12dfe2 commit db85151
Show file tree
Hide file tree
Showing 29 changed files with 1,977 additions and 38 deletions.
28 changes: 28 additions & 0 deletions bom/runtime/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,7 @@
<antlr.version>4.7.2</antlr.version>
<quarkus-security.version>1.0.0.Alpha2</quarkus-security.version>
<javax.interceptor-api.version>1.2</javax.interceptor-api.version>
<keycloak.version>7.0.1</keycloak.version>
</properties>

<dependencyManagement>
Expand Down Expand Up @@ -330,6 +331,11 @@
<artifactId>quarkus-oidc</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-keycloak-authorization</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-flyway</artifactId>
Expand Down Expand Up @@ -2430,6 +2436,28 @@
</exclusion>
</exclusions>
</dependency>

<!-- Keycloak -->
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-adapter-core</artifactId>
<version>${keycloak.version}</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-core</artifactId>
<version>${keycloak.version}</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-adapter-spi</artifactId>
<version>${keycloak.version}</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-client</artifactId>
<version>${keycloak.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
Original file line number Diff line number Diff line change
Expand Up @@ -300,6 +300,21 @@
"version": "${project.version}",
"guide": "https://quarkus.io/guides/oidc-guide"
},
{
"name": "Keycloak Authorization",
"labels": [
"oauth2",
"openid-connect",
"keycloak",
"authorization-services",
"policy-enforcer",
"fine-grained-permission",
"resource-based-authorization"
],
"groupId": "io.quarkus",
"artifactId": "quarkus-keycloak-authorization",
"guide": "https://quarkus.io/guides/keycloak-authorization-guide"
},
{
"name": "Kogito",
"labels": [
Expand Down
1 change: 1 addition & 0 deletions docs/src/main/asciidoc/index.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ include::quarkus-intro.adoc[tag=intro]
* link:performance-measure.html[Measuring Performance] _(advanced)_
* link:cdi-reference.html[Contexts and Dependency Injection] _(advanced)_
* link:oidc-guide.html[Using OpenID Connect Adapter]
* link:keycloak-authorization-guide.html[Keycloak Authorization]
* link:kogito-guide.html[Using Kogito (business automation with processes and rules)]
* link:oauth2-guide.html[Using OAuth2 RBAC]
* link:tika-guide.html[Using Apache Tika]
Expand Down
268 changes: 268 additions & 0 deletions docs/src/main/asciidoc/keycloak-authorization-guide.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,268 @@
////
This guide is maintained in the main Quarkus repository
and pull requests should be submitted there:
https://github.com/quarkusio/quarkus/tree/master/docs/src/main/asciidoc
////
= Quarkus - Using Keycloak Authorization Services and Policy Enforcer to Protect JAX-RS Applications

include::./attributes.adoc[]

This guide demonstrates how your Quarkus application can authorize access to protected resources using https://www.keycloak.org/docs/latest/authorization_services/index.html[Keycloak Authorization Services].

The `quarkus-keycloak-authorization` extension provides a policy enforcer that enforces access to protected resources based
on permissions managed by Keycloak. It provides a flexible and dynamic authorization capability based on Resource-Based Access Control. In other words, instead of explicitly enforce access based on some specific access control mechanism (e.g.: RBAC), you just check whether or not a request is allowed to access a resource based on its name, identifier or URI.

By externalizing authorization from your application, you are allowed to protect your applications using different access control mechanisms as well as avoid re-deploying your application every time your security requirements change, where Keycloak will be acting as a centralized authorization service from where your protected resources and their associated permissions are managed.

If you are already familiar with Keycloak, you’ll notice that the extension is basically another adapter implementation but specific for Quarkus applications. Otherwise, you can find more information in the Keycloak https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_overview[documentation].
== Prerequisites
To complete this guide, you need:
* less than 15 minutes
* an IDE
* JDK 1.8+ installed with `JAVA_HOME` configured appropriately
* Apache Maven 3.5.3+
* https://stedolan.github.io/jq/[jq tool]
* Docker
== Architecture
In this example, we build a very simple microservice which offers two endpoints:
* `/api/users/me`
* `/api/admin`
These endpoints are protected and can only be accessed if a client is sending a bearer token along with the request, which must be valid (e.g.: signature, expiration and audience) and trusted by the microservice.
The bearer token is issued by a Keycloak Server and represents the subject to which the token was issued for. For being an OAuth 2.0 Authorization Server, the token also references the client acting on behalf of the user.
The `/api/users/me` endpoint can be accessed by any user with a valid token. As a response, it returns a JSON document with details about the user where these details are obtained from the information carried on the token. This endpoint is protected with RBAC (Role-Based Access Control) and only users granted with the `user` role can access this endpoint.
The `/api/admin` endpoint is protected with RBAC (Role-Based Access Control) and only users granted with the `admin` role can access it.
This is a very simple example using RBAC policies to govern access to your resources. However, Keycloak supports other types of
policies that you can use to perform even more fine-grained access control. By using this example, you'll see that your application is completely decoupled from your authorization policies with enforcement being purely based on the accessed resource.
== Solution
We recommend that you follow the instructions in the next sections and create the application step by step.
However, you can go right to the completed example.
Clone the Git repository: `git clone {quickstarts-clone-url}`, or download an {quickstarts-archive-url}[archive].
The solution is located in the `keycloak-authorization` {quickstarts-tree-url}/keycloak-authorization[directory].
== Creating the Maven Project
First, we need a new project. Create a new project with the following command:
[source, subs=attributes+]
----
mvn io.quarkus:quarkus-maven-plugin:{quarkus-version}:create \
-DprojectGroupId=org.acme \
-DprojectArtifactId=keycloak-authorization \
-Dextensions="oidc, keycloak-authorization, resteasy-jsonb"
----
This command generates a Maven project, importing the `keycloak-authorization` extension
which is an implementation of a Keycloak Adapter for Quarkus applications and provides all the necessary capabilities to integrate with a Keycloak Server and perform bearer token authorization.
== Writing the application
Let's start by implementing the `/api/users/me` endpoint. As you can see from the source code below it is just a regular JAX-RS resource:
[source,java]
----
package org.acme.keycloak;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.jboss.resteasy.annotations.cache.NoCache;
import io.quarkus.security.identity.SecurityIdentity;
@Path("/api/users")
public class UsersResource {
@Inject
SecurityIdentity identity;
@GET
@Path("/me")
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public User me() {
return new User(identity);
}
public class User {
private final String userName;
User(SecurityIdentity identity) {
this.userName = identity.getPrincipal().getName();
}
public String getUserName() {
return userName;
}
}
}
----
The source code for the `/api/admin` endpoint is also very simple:
[source,java]
----
package org.acme.keycloak;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import io.quarkus.security.Authenticated;
@Path("/api/admin")
@Authenticated
public class AdminResource {
@GET
@Produces(MediaType.TEXT_PLAIN)
public String admin() {
return "granted";
}
}
----
Note that we did not define any annotation such as `@RoleAllowed` to explicitly enforce access to a resource. The extension will
be responsible to map the URIs of the protected resources you have in Keycloak and evaluate the permissions accordingly, granting or denying access depending on the permissions that will be granted by Keycloak.
== Configuring the application
The OpenID Connect extension allows you to define the adapter configuration using the `application.properties` file which should be located at the `src/main/resources` directory.
=== Configuring using the application.properties file
[source,properties]
----
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
# Enable Policy Enforcement
quarkus.keycloak.policy-enforcer.enable=true
----
=== Configuring CORS
If you plan to consume this application from another application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). Please read the link:http-reference.html#cors-filter[HTTP CORS documentation] for more details.
== Starting and Configuring the Keycloak Server
To start a Keycloak Server you can use Docker and just run the following command:
[source,bash]
----
docker run --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8180:8080 quay.io/keycloak/keycloak
----
You should be able to access your Keycloak Server at http://localhost:8180/auth[localhost:8180/auth].
Log in as the `admin` user to access the Keycloak Administration Console. Username should be `admin` and password `admin`.
Import the {quickstarts-tree-url}/keycloak-authorization/config/quarkus-realm.json[realm configuration file] to create a new realm. For more details, see the Keycloak documentation about how to https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm[create a new realm].
== Running and Using the Application
=== Running in Developer Mode
To run the microservice in dev mode, use `./mvnw clean compile quarkus:dev`.
=== Running in JVM Mode
When you're done playing with "dev-mode" you can run it as a standard Java application.
First compile it:
[source,bash]
----
./mvnw package
----
Then run it:
[source,bash]
----
java -jar ./target/keycloak-authorization-runner.jar
----
=== Running in Native Mode
Not yet supported.
== Testing the Application
The application is using bearer token authorization and the first
thing to do is obtain an access token from the Keycloak Server in
order to access the application resources:
[source,bash]
----
export access_token=$(\
curl -X POST http://localhost:8180/auth/realms/quarkus/protocol/openid-connect/token \
--user backend-service:secret \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'username=alice&password=alice&grant_type=password' | jq --raw-output '.access_token' \
)
----
The example above obtains an access token for user `alice`.
Any user is allowed to access the
`http://localhost:8080/api/users/me` endpoint
which basically returns a JSON payload with details about the user.
[source,bash]
----
curl -v -X GET \
http://localhost:8080/api/users/me \
-H "Authorization: Bearer "$access_token
----
The `http://localhost:8080/api/admin` endpoint can only be accessed by users with the `admin` role. If you try to access this endpoint with the
previously issued access token, you should get a `403` response
from the server.
[source,bash]
----
curl -v -X GET \
http://localhost:8080/api/admin \
-H "Authorization: Bearer "$access_token
----
In order to access the admin endpoint you should obtain a token for the `admin` user:
[source,bash]
----
export access_token=$(\
curl -X POST http://localhost:8180/auth/realms/quarkus/protocol/openid-connect/token \
--user backend-service:secret \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'username=admin&password=admin&grant_type=password' | jq --raw-output '.access_token' \
)
----
== References
* https://www.keycloak.org/documentation.html[Keycloak Documentation]
* https://www.keycloak.org/docs/latest/authorization_services/index.html[Keycloak Authorization Services Documentation]
* https://openid.net/connect/[OpenID Connect]
* https://tools.ietf.org/html/rfc7519[JSON Web Token]
4 changes: 4 additions & 0 deletions docs/src/main/asciidoc/security-guide.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,10 @@ very much a work in progress, so this list will be expanded over the coming week
|link:oidc-guide.html[quarkus-oidc]
|Provides support for authenticating via an OpenID Connect provider such as Keycloak.

|link:keycloak-authorization-guide.html[quarkus-keycloak-authorization]
|Provides support for a policy enforcer using Keycloak Authorization Services.


|===

Please see the linked documents above for details on how to setup the various extensions.
Expand Down
Loading

0 comments on commit db85151

Please sign in to comment.