This part of the project demonstrates how to do authentication and authorization in Quarkus applications and web applications. Keycloak is used as OpenID Connect provider.
There are blog entries and a workshop that describe how this project has been implemented:
- Setting up Keycloak in OpenShift
- Security in Quarkus Applications via Keycloak
- Securing Vue.js Applications with Keycloak
- Application Security from a Platform Perspective
- Hands on Workshop (GitBook)
The workshop linked above is a description on how to use the code.
In order to demonstrate the security features, a sample application is used which displays links to articles in a web application only when a user is logged in and has the role 'user'.
The web application invokes the web-api service and then invokes the articles service. The web-api service also provides an endpoint to read the current user name.
This diagram shows the architecture:
This is a gif of the web application:
At this point the code is run locally which means you need a JVM and Maven. For the web application you also need yarn. In this setup, Keycloak is installed on a Red Hat OpenShift cluster on IBM Cloud.
$ git clone https://github.com/IBM/cloud-native-starter.git
$ cd securityhttps://cloud.ibm.com/kubernetes/catalog/create?platformType=openshift
Get the login command from the OpenShift Web Console, e.g.
$ oc login --token=OnMwHZ4FLgZnWdcxxxxxxxxxxxxxxx --server=https://c107-e.us-south.containers.cloud.ibm.com:30058Follow these steps to install the operator via the OpenShift Web Console: documentation.
Alternatively you can install it programmatically:
$ oc new-project keycloak
$ oc create -f keycloak-operator.yamlYou can create the Keycloak cluster either in the OpenShift Web Console or programmatically:
$ oc create -f keycloak.yaml
$ oc get keycloak/example-keycloak -o jsonpath='{.status.ready}'- Get admin password:
$ oc get secret credential-example-keycloak -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'- Get Keycloak URLs:
$ KEYCLOAK_URL=https://$(oc get route keycloak --template='{{ .spec.host }}')/auth &&
echo "" &&
echo "Keycloak: $KEYCLOAK_URL" &&
echo "Keycloak Admin Console: $KEYCLOAK_URL/admin" &&
echo "Keycloak Account Console: $KEYCLOAK_URL/realms/myrealm/account" &&
echo "Keycloak [auth-server-url]: $KEYCLOAK_URL/realms/quarkus"Open the Keycloak console and log in as admin. Then import quarkus-realm.json. Check the setup Keycloak documentation for how to import the realm.
Insert your the auth-server-url URL of your Keycloak instance in application.properties. Therefore you use the Keycloak URL of the output in your terminal.
Keycloak [auth-server-url]: https://YOUR_URL/auth/realms/quarkusInsert your the auth-server-url URL you know from above in application.properties.
Now insert the Keycloak URL Keycloak URL/auth from the output of your terminal session in main.js.
urls = {
api: 'http://localhost:8081/',
login: 'https://YOUR_URL/auth' // insert your http or https://<KeycloakURL>/auth
}
}Run first terminal (on port 8080):
$ cd security/web-app
$ yarn install
$ yarn serveRun second terminal (on port 8081):
$ cd security/web-api-secure
$ mvn clean package quarkus:devRun third terminal (on port 8082):
$ cd security/articles-secure
$ mvn clean package quarkus:devLog in with the test user: alice, alice