Secure Spring Rest API using OpenId Connect And KeyCloak - Part 3

Overview


In Part 1 of this series, we covered registering our Student API with Keycloak as a OAuth 2.0 client application.

In Part 2 of this series, we covered the source code of the Student Service which uses Spring Security's OAuth 2.0 support to implement security. We then used Postman to verify that the service is secured against unauthorized requests


Any users of this service will now have to contact us and request access to the service. We grant them access by registering them as authorized clients in KeyCloak. In this post, we'll return back to KeyCloak to configure authorized clients and give them access to the service. This involves registering a client and assigning the correct scopes (or roles) to the client. We then get a client id and client secret from KeyCloak and pass them on to our authorized users.


We can also use this client id and client secret in Postman to generate a token and verify that our authorized users can invoke the service. The token that Postman generates is sent in every request that Postman makes to the service. The service will verify the token with Keycloak, extract the user's scope and compare it with the permitted scope. If everything check outs, the user is allowed access to the service's API.


We start by registering an authorized client in KeyCloak


Register an authorized OAuth 2.0 client in KeyCloak


Login to KeyCloak's admin console. If you installed KeyCloak as per the instructions in Part 1 of this series, you should be able to access KeyCloak using the information below:

  1. Admin console URL: http://localhost:9080

  2. user: admin

  3. password: pa55w0rd

Select the "Clients" menu item from the left navigation and click on "Create"




Enter the below values and then click Save

  1. Client ID : StudentService-Client1

  2. Client Protocol : openid-connect

KeyCloak will now present a window to add some additional properties for this client. Enter the below values and click "Save"

  1. Access Type: confidential

  2. Valid redirect URIs: http://localhost:3000

Note: Valid redirect URIs is needed if you are attempting to access the API though a front end application like Angular. Since we'll be accessing the API through Postman, this url can be any url and need not be an active url.


Your screen should match the screenshot shown below:



Add the Student API's client scope to this authorized client.


We can now specify what access we want to give this client when it attempt to access the Student API. Lets give it the StudentService-write scope i.e. this client should be able to access both the read as well as modify operations.


Click on the Client Scopes tab and choose the StudentService-write scope from the Optional Client Scope section. Then click on the Add Selected button to move it over to the Assigned Optional Client Scope section.




Retrieve the Client Secret


Click on the Credentials tab and copy the secret.This will be the Client Secret we'll use to authenticate with KeyCloak



We also need to get the Keycloak token url to generate an authorization code for our client. We can get this from the Micoservices realm. Click on Realm setting and then click on Endpoints


We should now see a list of endpoints. Copy the token endpoint




We now have the 4 settings that we need to authenticate with KeyCloak and create an authorization code

  1. Client id : StudentService-Client1

  2. Client Secret : <We got this from the earlier step>

  3. Client Scope : StudentService-write

  4. Keycloak Token Endpoint : http://localhost:9080/auth/realms/MicroServices/protocol/openid-connect/token

We can now use these settings in Postman to create an authorization code. This authorization code will then be sent in each call to the Student service's API. We should then be able to invoke all the operations without getting any authorization error


Create an authorization code in Postman


Open up Postman and click on the Authorization tab. Choose OAuth 2.0 as the Type and then click on the "Get New Access Token"




In the next step:

  1. Choose Client Credentials as the Grant Type.

  2. Name the token 'Keycloak Token'

  3. Enter the Access Token Url, Client ID, Client Secret and Scope

  4. Click on Request Token



Postman should now be able to create an authorization code. Click on the "Use Token" Button




We can now see the token included as part of the request. Click on the Send button. We should now see the status of 200 OK and the list of students displayed




You can also copy the authorization code and decode it in https://jwt.io/



As you can see, the authorization code specifies that the client has the correct scope of StudentService-write. We have used Postman and KeyCloak to create an authorization code and invoked the Student service's API. Success!!


Lets do a quick recap. To add clients that are authorized to use the Student service API, we had to first:

  1. Create a client in KeyCloak with the openid-connect protocol

  2. The client was then configured with grant-type of confidential

  3. Next, the client was given the ClientScope of StudentService-write. The scope will be used by the Student Service to determine if the client has read access or read/write access

  4. KeyCloak then provided the Client Id and Client Secret which can then be shared with the authorized application seeking to use our service

  5. KeyCloak also provided the Access Token Url which can then be used to create an authorization code

  6. We then used the Client Id, Client Secret, Access Token Url and the Client Scope in Postman to generate the authorization code

  7. Finally, we were able to successfully invoke the protected operations in the Student Service API with the authorization code

While Postman is a convenient tool to test our APIs, in the real world we'll be using either a front end application like Angular or a back-end application like SpringBoot to access these APIs. The next post we will discuss how to create a SpringBoot application to access an OAuth secured REST API


References

  1. Secure Spring Rest API using OpenId Connect And KeyCloak - Part 1

  2. Secure Spring Rest API using OpenId Connect And KeyCloak - Part 2

  3. Spring Security OAuth2 support

  4. OAuth 2.0 Client Credentials Grant

22 views0 comments

Recent Posts

See All