ivangfr/springboot-keycloak-openldap

The goal of this project is to create a simple Spring Boot REST API, called simple-service, and secure it with Keycloak. Furthermore, the API users will be loaded into Keycloak from an OpenLDAP server.

Note: In the springboot-react-keycloak repository, we have implemented a movies-app using Keycloak (with PKCE). This application consists of two services: the backend that was implemented using Spring Boot and the frontend implemented with ReactJS.

Proof-of-Concepts & Articles

On ivangfr.github.io, I have compiled my Proof-of-Concepts (PoCs) and articles. You can easily search for the technology you are interested in by using the filter. Who knows, perhaps I have already implemented a PoC or written an article about what you are looking for.

Additional Readings

Project Diagram

(image: project-diagram)

Application

  • simple-service

    Spring Boot Web Java application that exposes the following endpoints:

    • GET /api/public: it is an unsecured endpoint, everybody can access it;
    • GET /api/private: it is a secured endpoint, only accessible by users that provide a JWT access token issued by Keycloak, and the token must contain the role USER.

Prerequisites

Start Environment

  • Open a terminal and inside the springboot-keycloak-openldap root folder run:

    docker compose up -d
  • Just wait for the Docker containers to start running. The Keycloak Docker container usually takes longer. You can check its progress by running this command:

    docker logs -f keycloak

    Press Ctrl+C to exit

    Once you see the following log, Keycloak has started:

    INFO  [io.quarkus] (main) Keycloak 26.4.1 on JVM (powered by Quarkus 3.27.0) started in 55.566s. Listening on: http://0.0.0.0:8080. Management interface listening on http://0.0.0.0:9000.

Import OpenLDAP Users

The LDIF file that we will use, springboot-keycloak-openldap/ldap/ldap-mycompany-com.ldif, contains a predefined structure for mycompany.com. Basically, it has 2 groups (developers and admin) and 4 users (Bill Gates, Steve Jobs, Mark Cuban and Ivan Franchin). Additionally, it defines that Bill Gates, Steve Jobs and Mark Cuban belong to the developers group and Ivan Franchin belongs to the admin group.

Bill Gates > username: bgates, password: 123
Steve Jobs > username: sjobs, password: 123
Mark Cuban > username: mcuban, password: 123
Ivan Franchin > username: ifranchin, password: 123

There are two ways to import those users: by running a script or by using phpLDAPadmin.

Running a script

  • In a terminal and inside the springboot-keycloak-openldap root folder run:

    ./import-openldap-users.sh
  • The command below can be used to check the imported users:

    ldapsearch -x -D "cn=admin,dc=mycompany,dc=com" \
      -w admin -H ldap://localhost:389 \
      -b "ou=users,dc=mycompany,dc=com" \
      -s sub "(uid=*)"

Using phpLDAPadmin website

  • Access https://localhost:6443

  • Login with the credentials:

    Login DN: cn=admin,dc=mycompany,dc=com
    Password: admin
  • Import the file springboot-keycloak-openldap/ldap/ldap-mycompany-com.ldif.

  • You should see a tree like the one shown in the picture below:

    (image: phpldapadmin)

Configure Keycloak

There are two ways: running a script or using the Keycloak website.

Running a script

  • In a terminal, make sure you are inside the springboot-keycloak-openldap root folder.

  • Run the script below to configure Keycloak for the simple-service application:

    ./init-keycloak.sh

    It creates the company-services realm, the simple-service client, the USER client role, the ldap federation and the users bgates and sjobs with the role USER assigned.

  • Copy the SIMPLE_SERVICE_CLIENT_SECRET value that is shown at the end of the script. It will be needed whenever we call Keycloak to get a JWT access token to access simple-service.

Using Keycloak website

Please have a look at this Medium article: Setting Up OpenLDAP With Keycloak For User Federation

Run simple-service using Maven

  • Open a new terminal and make sure you are in the springboot-keycloak-openldap root folder.

  • Start the application by running the following command:

    ./mvnw clean spring-boot:run --projects simple-service -Dspring-boot.run.jvmArguments="-Dserver.port=9080"

Test using curl

  1. Open a new terminal.

  2. Call the endpoint GET /api/public:

    curl -i http://localhost:9080/api/public

    It should return:

    HTTP/1.1 200
    It is public.
  3. Try to call the endpoint GET /api/private without authentication:

    curl -i http://localhost:9080/api/private

    It should return:

    HTTP/1.1 401
  4. Create an environment variable that contains the Client Secret generated by Keycloak for simple-service at the Configure Keycloak step:

    SIMPLE_SERVICE_CLIENT_SECRET=...
  5. Run the command below to get an access token for the bgates user:

    BGATES_ACCESS_TOKEN=$(curl -s -X POST \
      "http://localhost:8080/realms/company-services/protocol/openid-connect/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "username=bgates" \
      -d "password=123" \
      -d "grant_type=password" \
      -d "client_secret=$SIMPLE_SERVICE_CLIENT_SECRET" \
      -d "client_id=simple-service" | jq -r .access_token)
    echo $BGATES_ACCESS_TOKEN

    Note: In jwt.io, you can decode and verify the JWT access token

  6. Call the endpoint GET /api/private:

    curl -i http://localhost:9080/api/private -H "Authorization: Bearer $BGATES_ACCESS_TOKEN"

    It should return:

    HTTP/1.1 200
    bgates, it is private.
  7. The access token default expiration period is 5 minutes. So, wait for this time and, using the same access token, try to call the private endpoint.

    It should return:

    HTTP/1.1 401
    WWW-Authenticate: Bearer realm="company-services", error="invalid_token", error_description="Token is not active"

Test using Swagger

  1. Access http://localhost:9080/swagger-ui.html

    (image: simple-service-swagger)

  2. Click GET /api/public to open it. Then, click the Try it out button and, finally, click the Execute button.

    It should return:

    Code: 200
    Response Body: It is public.
  3. Now click the GET /api/private secured endpoint. Let's try it without authentication. Then, click the Try it out button and, finally, click the Execute button.

    It should return:

    Code: 401
    Details: Error: response status is 401
  4. In order to access the private endpoint, you need an access token. So, open a terminal.

  5. Create an environment variable that contains the Client Secret generated by Keycloak for simple-service at the Configure Keycloak step:

    SIMPLE_SERVICE_CLIENT_SECRET=...
  6. Run the following commands:

    BGATES_ACCESS_TOKEN=$(curl -s -X POST \
      "http://localhost:8080/realms/company-services/protocol/openid-connect/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "username=bgates" \
      -d "password=123" \
      -d "grant_type=password" \
      -d "client_secret=$SIMPLE_SERVICE_CLIENT_SECRET" \
      -d "client_id=simple-service" | jq -r .access_token)
    echo $BGATES_ACCESS_TOKEN
  7. Copy the token generated and go back to Swagger.

  8. Click the Authorize button and paste the access token in the Value field. Then, click the Authorize button and, to finalize, click Close.

  9. Go to GET /api/private and call this endpoint again, now with authentication.

    It should return:

    Code: 200
    Response Body: bgates, it is private.

Using client_id and client_secret to get access token

You can get an access token for simple-service using client_id and client_secret.

Configuration

  • Access http://localhost:8080;
  • Click the dropdown button that contains Keycloak and select company-services;
  • On the left menu, click Clients;
  • Select the simple-service client;
  • In the Settings tab:
    • Go to Capability config and check the Service accounts roles checkbox;
    • Click the Save button;
  • In the Service account roles tab:
    • Click the service-account-simple-service link present in the info message:

      "To manage detail and group mappings, click on the username service-account-simple-service"

    • In the Role mapping tab:
      • Click the Assign role button;
      • Make sure Filter by clients is selected in the first dropdown button;
      • In Search by role name, type simple-service and press Enter;
      • Select the [simple-service] USER name and click the Assign button;
      • Now, service-account-simple-service has the role USER of simple-service assigned.

Test

  1. Open a terminal.

  2. Create an environment variable that contains the Client Secret generated by Keycloak for simple-service at the Configure Keycloak step.

    SIMPLE_SERVICE_CLIENT_SECRET=...
  3. Run the following command:

    CLIENT_ACCESS_TOKEN=$(curl -s -X POST \
      "http://localhost:8080/realms/company-services/protocol/openid-connect/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials" \
      -d "client_secret=$SIMPLE_SERVICE_CLIENT_SECRET" \
      -d "client_id=simple-service" | jq -r .access_token)
    echo $CLIENT_ACCESS_TOKEN
  4. Try to call the endpoint GET /api/private:

    curl -i http://localhost:9080/api/private -H "Authorization: Bearer $CLIENT_ACCESS_TOKEN"

    It should return:

    HTTP/1.1 200
    service-account-simple-service, it is private.
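The three outcomes seen in the curl test (200 for bgates, 401 "Token is not active" once the 5-minute token expires) and in the client-credentials test above (200 greeting service-account-simple-service) all come down to claims inside the access token. The following Python is an added example, not code from the springboot-keycloak-openldap project: it decodes a token's payload the way jwt.io does and applies the two checks that decide those outcomes (exp, and the USER client role). The tokens are constructed and unsigned; a real resource server first verifies the RS256 signature against the realm's JWKS, which this inspection helper does not do. The claim layout (resource_access.<client_id>.roles, preferred_username) is Keycloak's default mapping and is assumed here, and the 403 for a role-less but valid token is Spring Security's default behaviour, which this page does not document.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

CLIENT_ID = "simple-service"        # client created by init-keycloak.sh
REQUIRED_ROLE = "USER"              # client role GET /api/private demands
TOKEN_LIFETIME_SECONDS = 300        # README: default access token lifespan is 5 minutes


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding stripped by b64url_encode before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample_claims(username: str, roles: List[str], issued_at: int) -> Dict:
    """Constructed claims shaped like a Keycloak access token (assumed layout:
    client roles live under resource_access.<client_id>.roles)."""
    return {
        "iss": "http://localhost:8080/realms/company-services",
        "iat": issued_at,
        "exp": issued_at + TOKEN_LIFETIME_SECONDS,
        "azp": CLIENT_ID,
        "preferred_username": username,
        "resource_access": {CLIENT_ID: {"roles": roles}},
    }


def make_token(claims: Dict) -> str:
    """Build a compact JWS with a placeholder signature. Constructed for the
    demo only: nothing here signs the token, so it must never be trusted."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def decode_payload(token: str) -> Dict:
    """Return the payload claims WITHOUT verifying the signature, exactly what
    pasting the token into jwt.io shows. Signature verification against the
    realm JWKS is the resource server's job and happens before any of this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def authorize_private(token: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Mirror the decision GET /api/private makes on an already-verified token:
    expired -> 401 (the README's "Token is not active" response),
    USER client role missing -> 403 (assumed Spring Security default),
    otherwise -> 200 with the greeting built from preferred_username."""
    now = time.time() if now is None else now
    claims = decode_payload(token)
    if claims.get("exp", 0) <= now:
        return 401, ('Bearer realm="company-services", error="invalid_token", '
                     'error_description="Token is not active"')
    roles = claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", [])
    if REQUIRED_ROLE not in roles:
        return 403, f"{claims.get('preferred_username')} lacks client role {REQUIRED_ROLE}"
    return 200, f"{claims['preferred_username']}, it is private."


def demo(issued_at: int = 1_700_000_000) -> Dict[str, Tuple[int, str]]:
    """Replay the README's scenarios with constructed tokens at a fixed clock."""
    bgates = make_token(sample_claims("bgates", ["USER"], issued_at))
    service_account = make_token(
        sample_claims("service-account-simple-service", ["USER"], issued_at))
    no_role = make_token(sample_claims("mcuban", [], issued_at))
    fresh = issued_at + 10                       # 10 s after issue: still valid
    stale = issued_at + TOKEN_LIFETIME_SECONDS   # exactly at exp: no longer active
    return {
        "bgates_fresh": authorize_private(bgates, fresh),
        "bgates_expired": authorize_private(bgates, stale),
        "service_account_fresh": authorize_private(service_account, fresh),
        "user_without_role": authorize_private(no_role, fresh),
    }


if __name__ == "__main__":
    for scenario, (status, body) in demo().items():
        print(f"{scenario:24} HTTP {status}  {body}")
```

Running the module prints one line per scenario; the service-account case shows why the client-credentials test greets service-account-simple-service rather than a human user: the username comes from the token's preferred_username, and the role comes from the service account role mapping configured above.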

Running simple-service as a Docker container

  • In a terminal, make sure you are in the springboot-keycloak-openldap root folder.

  • Build Docker Image:

    • JVM
      ./build-docker-images.sh
    • Native
      ./build-docker-images.sh native

    Environment Variable | Description
    KEYCLOAK_HOST        | Specify host of the Keycloak to use (default localhost)
    KEYCLOAK_PORT        | Specify port of the Keycloak to use (default 8080)
  • Run Docker Container:

    docker run --rm --name simple-service \
      -p 9080:8080 \
      -e KEYCLOAK_HOST=keycloak \
      --network=springboot-keycloak-openldap_default \
      ivanfranchin/simple-service:1.0.0
  • Open a new terminal.

  • Create an environment variable that contains the Client Secret generated by Keycloak for simple-service at the Configure Keycloak step.

    SIMPLE_SERVICE_CLIENT_SECRET=...
  • Run the commands below to get an access token for the bgates user:

    BGATES_TOKEN=$(
      docker run -t --rm -e CLIENT_SECRET=$SIMPLE_SERVICE_CLIENT_SECRET --network springboot-keycloak-openldap_default alpine/curl:latest sh -c '
        curl -s -X POST http://keycloak:8080/realms/company-services/protocol/openid-connect/token \
          -H "Content-Type: application/x-www-form-urlencoded" \
          -d "username=bgates" \
          -d "password=123" \
          -d "grant_type=password" \
          -d "client_secret=$CLIENT_SECRET" \
          -d "client_id=simple-service"')
    BGATES_ACCESS_TOKEN=$(echo $BGATES_TOKEN | jq -r .access_token)
  • Call the endpoint GET /api/private:

    curl -i http://localhost:9080/api/private -H "Authorization: Bearer $BGATES_ACCESS_TOKEN"

    It should return:

    HTTP/1.1 200
    bgates, it is private.

Shutdown

  • To stop the simple-service application, go to the terminal where it is running and press Ctrl+C;
  • To stop and remove Docker Compose containers, network, and volumes, go to a terminal and, inside the springboot-keycloak-openldap root folder, run the following command:
    docker compose down -v

Cleanup

To remove the Docker image created by this project, go to a terminal and, inside the springboot-keycloak-openldap root folder, run the following script:

./remove-docker-images.sh

References
