Secure Spring Rest API using OpenId Connect And KeyCloak - Part 3
Overview
In Part 1 of this series, we covered registering our Student API with Keycloak as a OAuth 2.0 client application.
In Part 2 of this series, we covered the source code of the Student Service which uses Spring Security's OAuth 2.0 support to implement security. We then used Postman to verify that the service is secured against unauthorized requests
Any users of this service will now have to contact us and request access to the service. We grant them access by registering them as authorized clients in KeyCloak. In this post, we'll return back to KeyCloak to configure authorized clients and give them access to the service. This involves registering a client and assigning the correct scopes (or roles) to the client. We then get a client id and client secret from KeyCloak and pass them on to our authorized users.
We can also use this client id and client secret in Postman to generate a token and verify that our authorized users can invoke the service. The token that Postman generates is sent in every request that Postman makes to the service. The service will verify the token with Keycloak, extract the user's scope and compare it with the permitted scope. If everything check outs, the user is allowed access to the service's API.
We start by registering an authorized client in KeyCloak
Register an authorized OAuth 2.0 client in KeyCloak
Login to KeyCloak's admin console. If you installed KeyCloak as per the instructions in Part 1 of this series, you should be able to access KeyCloak using the information below:
Admin console URL: http://localhost:9080
user: admin
password: pa55w0rd
Select the "Clients" menu item from the left navigation and click on "Create"
Enter the below values and then click Save
Client ID : StudentService-Client1
Client Protocol : openid-connect
KeyCloak will now present a window to add some additional properties for this client. Enter the below values and click "Save"
Access Type: confidential
Valid redirect URIs: http://localhost:3000
Note: Valid redirect URIs is needed if you are attempting to access the API though a front end application like Angular. Since we'll be accessing the API through Postman, this url can be any url and need not be an active url.
Your screen should match the screenshot shown below:
Add the Student API's client scope to this authorized client.
We can now specify what access we want to give this client when it attempt to access the Student API. Lets give it the StudentService-write scope i.e. this client should be able to access both the read as well as modify operations.
Click on the Client Scopes tab and choose the StudentService-write scope from the Optional Client Scope section. Then click on the Add Selected button to move it over to the Assigned Optional Client Scope section.
Retrieve the Client Secret
Click on the Credentials tab and copy the secret.This will be the Client Secret we'll use to authenticate with KeyCloak
We also need to get the Keycloak token url to generate an authorization code for our client. We can get this from the Micoservices realm. Click on Realm setting and then click on Endpoints
We should now see a list of endpoints. Copy the token endpoint
We now have the 4 settings that we need to authenticate with KeyCloak and create an authorization code
Client id : StudentService-Client1
Client Secret : <We got this from the earlier step>
Client Scope : StudentService-write
Keycloak Token Endpoint : http://localhost:9080/auth/realms/MicroServices/protocol/openid-connect/token
We can now use these settings in Postman to create an authorization code. This authorization code will then be sent in each call to the Student service's API. We should then be able to invoke all the operations without getting any authorization error
Create an authorization code in Postman
Open up Postman and click on the Authorization tab. Choose OAuth 2.0 as the Type and then click on the "Get New Access Token"
In the next step:
Choose Client Credentials as the Grant Type.
Name the token 'Keycloak Token'
Enter the Access Token Url, Client ID, Client Secret and Scope
Click on Request Token
Postman should now be able to create an authorization code. Click on the "Use Token" Button
We can now see the token included as part of the request. Click on the Send button. We should now see the status of 200 OK and the list of students displayed
You can also copy the authorization code and decode it in https://jwt.io/
As you can see, the authorization code specifies that the client has the correct scope of StudentService-write. We have used Postman and KeyCloak to create an authorization code and invoked the Student service's API. Success!!
Lets do a quick recap. To add clients that are authorized to use the Student service API, we had to first:
Create a client in KeyCloak with the openid-connect protocol
The client was then configured with grant-type of confidential
Next, the client was given the ClientScope of StudentService-write. The scope will be used by the Student Service to determine if the client has read access or read/write access
KeyCloak then provided the Client Id and Client Secret which can then be shared with the authorized application seeking to use our service
KeyCloak also provided the Access Token Url which can then be used to create an authorization code
We then used the Client Id, Client Secret, Access Token Url and the Client Scope in Postman to generate the authorization code
Finally, we were able to successfully invoke the protected operations in the Student Service API with the authorization code
While Postman is a convenient tool to test our APIs, in the real world we'll be using either a front end application like Angular or a back-end application like SpringBoot to access these APIs. The next post we will discuss how to create a SpringBoot application to access an OAuth secured REST API