Secure Your Microservices with Keycloak | OAuth2 & JWT | Spring Cloud Gateway
Summary
TL;DR: This video introduces Keycloak, an open-source identity and access management tool, highlighting its advantages for securing microservices. It explains how Keycloak simplifies authentication and user management by handling user storage, authentication, and authorization without requiring coding. Keycloak offers features like user federation, customizable login pages, social login, and fine-grained authorization. The video also demonstrates Keycloak integration with a Spring Boot microservices application using Docker. A step-by-step guide explains setting up security configurations, JWT token management, and API integration with Keycloak, showcasing its ease of use and scalability.
Takeaways
- 🔑 Keycloak is an open-source identity and access management tool that simplifies adding authentication to applications and securing microservices.
- 🔒 Keycloak handles authentication and authorization, eliminating the need for applications to store or authenticate users themselves.
- 📱 Keycloak offers features like user federation, strong authentication, user management, and fine-grained authorization, which are all customizable.
- 🔐 Keycloak enables easy integration of login forms, recovery passwords, and two-factor authentication without any coding changes.
- 👥 Single Sign-On (SSO) with Keycloak allows users to access multiple applications after a single authentication.
- 💡 Keycloak supports identity brokering and social login integration, making it easy to authenticate users using social networks.
- 🗄️ User Federation allows Keycloak to integrate with external identity stores like Active Directory and relational databases.
- ⚙️ Keycloak supports standard authentication protocols like OAuth 2.0, OpenID Connect, and SAML 2.0.
- 🔄 The video explains how to integrate Keycloak with Spring Boot applications, including the necessary configurations and settings.
- 🧩 A detailed walkthrough is provided on configuring Keycloak clients, client scopes, and roles, and integrating it with a Spring Cloud API Gateway for secure service access.
Q & A
What is Keycloak?
- Keycloak is an open-source identity and access management tool that adds authentication to applications and secures microservices with minimal effort. It provides features like user federation, strong authentication, user management, and fine-grained authorization.
What are the advantages of using Keycloak for authentication?
- Keycloak simplifies the authentication process by handling user storage and authentication, eliminating the need to manage these in the application. It supports user federation, customizable login pages, password recovery, and two-factor authentication, along with single sign-on and strong session management.
How does Keycloak help with Single Sign-On (SSO)?
- Keycloak allows users to authenticate once and access multiple applications without needing to log in again. It manages sessions across applications, providing strong session management capabilities and reducing the need for individual login forms in applications.
What is user federation in Keycloak?
- User federation in Keycloak refers to the capability of integrating with external identity stores, such as LDAP or Active Directory, to manage user authentication and storage externally. Keycloak has built-in support for these services.
What protocols does Keycloak support?
- Keycloak builds on industry-standard protocols, supporting OAuth 2.0, OpenID Connect, and SAML 2.0 for secure authentication and authorization.
How does Keycloak handle authorization?
- Keycloak provides fine-grained authorization services, allowing you to manage permissions for services through the admin console. It also supports role-based and policy-based access controls to meet different authorization needs.
What are some of the main features provided by Keycloak?
- Keycloak offers features like single sign-on (SSO), user federation, social login, identity brokering, customizable login pages, password recovery, strong session management, and clustering capabilities for scalability.
How can Keycloak be installed using Docker?
- Keycloak can be installed with Docker by running a simple Docker command. The command includes specifying a username, password, Keycloak version, and optionally changing the default port. After running the command, Keycloak will be accessible via the provided port.
What is a Realm in Keycloak?
- A Realm in Keycloak is a tenant that isolates different applications and users from each other. Each Realm can have its own clients, users, and configurations. You can create realms for specific applications, employees, or customers.
How does Keycloak integrate with a Spring Boot application?
- To integrate Keycloak with a Spring Boot application, dependencies like 'Spring Security' and 'Resource Server' are added. The Keycloak server handles user authentication, and the Spring Boot application uses the JWT token for authorization. Configuration steps involve setting up the security filter chain, enabling JWT decoding, and defining access rules.
Outlines
🔑 Introduction to Keycloak and Its Benefits
The speaker introduces Keycloak, an open-source identity and access management tool that simplifies authentication and user management in applications. Keycloak secures microservices with minimal effort by handling user storage and authentication. It offers features like customizable login pages, two-factor authentication, password recovery, and user federation, integrating easily without modifying the application's code. Keycloak also provides single sign-on (SSO) and strong session management, allowing users to access multiple applications with one login.
🛠️ Installing Keycloak Using Docker
The speaker explains how to install Keycloak using Docker. A command is provided to run Keycloak locally, specifying the port number and setting an admin username and password. Once installed, Keycloak can be accessed using a web interface where users can manage clients, client scopes, realms, roles, users, and sessions. The concept of realms is introduced, with realms serving as isolated tenants for different applications or user groups.
🏢 Configuring Realms and Clients in Keycloak
This section delves into configuring realms and clients in Keycloak. The speaker explains that a realm represents an isolated tenant, and each application can have its own realm. Clients, such as web, mobile, or native applications, interact with Keycloak for authentication. The speaker walks through creating a client within a realm, configuring client authentication, setting up roles, and defining client scopes, which allow adding reusable groups of claims to tokens issued to clients.
🔑 Keycloak Authentication Flow and Integration with Spring API Gateway
The speaker describes the authentication flow when using Keycloak with an API. When a user attempts to access a protected resource, they are redirected to the Keycloak login page. After successful authentication, the user receives an authorization code and access token, which are used for API requests. The API verifies the token and grants access. This process is demonstrated through the integration of Keycloak with a Spring API Gateway, providing seamless authentication for microservices.
🚀 Setting Up JWT-Based Authentication for API Gateway
In this final section, the speaker explains how to configure JWT-based authentication for an API Gateway using Keycloak. They walk through the process of adding Spring Security and Resource Server dependencies to a project, configuring JWT decoding, and setting up a security filter chain in the Spring application. The steps to disable cross-site request forgery (CSRF) and permit specific requests like those to the Eureka server are also outlined. The speaker demonstrates testing the setup by obtaining an access token and using it to authenticate API requests.
Keywords
💡Keycloak
💡Authentication
💡Authorization
💡Spring Boot
💡Single Sign-On (SSO)
💡Identity Federation
💡Social Login
💡Client
💡Realm
💡OAuth 2.0
Highlights
Keycloak is an open-source identity and access management tool that simplifies authentication for applications and microservices.
Keycloak manages authentication, eliminating the need for applications to store and authenticate users.
Keycloak supports features such as user federation, strong authentication, user management, and fine-grained authorization.
Keycloak offers fully customizable login pages, password recovery, and multi-factor authentication, without requiring code changes in applications.
Single sign-on (SSO) is supported by Keycloak, allowing users to access multiple applications with a single login.
Keycloak can integrate with social login services, making it easier to add social network authentication to applications.
User federation in Keycloak allows integration with external identity stores like LDAP or Active Directory.
Keycloak supports industry-standard protocols such as OAuth 2.0, OpenID Connect, and SAML 2.0.
Fine-grained authorization services are available in Keycloak, offering more control over permissions and policies.
Keycloak is lightweight, easily scalable, and supports clustering for high performance.
Keycloak provides a master realm by default and allows creating additional realms to isolate applications or user groups.
Clients in Keycloak are entities such as web or mobile applications that request Keycloak for user authentication.
Client scopes in Keycloak allow creating reusable groups of claims that can be added to tokens issued to clients.
Keycloak provides a detailed admin console, which enables the management of clients, roles, users, and sessions.
Keycloak can be installed using Docker, allowing for quick setup and local deployment.
Transcripts
I hope everyone is doing good. Today I would like to discuss Keycloak: what Keycloak is, what the advantages of using Keycloak are, why exactly Keycloak came into the picture, and after that I'm going to discuss Spring Boot integration with Keycloak as well.

So what is Keycloak? Keycloak is nothing but an open-source identity and access management tool. Basically it will add authentication to applications and secure your microservices with minimum effort. Let's say that you have a Spring Boot application, like a microservices application. If you want to add authentication or authorization, if you want to provide security, then you have to store the users and authenticate the users, so all of that has to be taken care of at your application. That is the main advantage of using Keycloak: if you are using Keycloak, there is no need to deal with storing the users or authenticating the users at your application; these two things will be taken care of by Keycloak.

Apart from this, Keycloak provides user federation, strong authentication, user management, fine-grained authorization and many more capabilities. Keycloak provides fully customizable login pages, password recovery, accepting the terms and a lot more. All of these features provided by Keycloak can easily be integrated into your application without any coding at all. By delegating the authentication of users to Keycloak you don't have to worry about the authentication mechanism or safely storing the passwords, so you can enable two-factor authentication without having to make changes to the application. This is the added advantage of using Keycloak.

Keycloak also provides single sign-on with strong session management capabilities. It means allowing the users to access multiple applications while only having to authenticate once. That's what it is saying: authenticate with Keycloak rather than with individual applications. This means that your applications don't have to deal with login forms, authenticating the users and storing the users. Once you log into Keycloak, the user doesn't have to log in again to access the different applications.

Apart from this, it provides identity brokering and social login as well. Let's say that you want to integrate social login in your application; then what you have to do is just a matter of selecting the social network you want to add, so no code changes are required in your application. That is the added advantage of Keycloak.

Apart from this, user federation. If we are talking about user federation, what is user federation? In Keycloak the term user federation refers to the capability of integrating with external identity stores. You can think of LDAP as an example of a candidate for integrating via user federation. That's what it is saying: Keycloak has built-in support for connecting with existing LDAP or Active Directory servers. We can also implement your own provider if you have users in other stores, such as a relational database.

Apart from this, it has a couple of consoles as well, so they can enable and disable a couple of features there; you can go through these consoles as well.

Apart from this, standard protocols. Keycloak provides some standard protocols: Keycloak builds on industry-standard protocols, supporting OAuth 2.0, OpenID Connect and SAML 2.0.

Apart from this, authorization services. If role-based authorization does not cover your needs, then Keycloak provides fine-grained authorization services as well. This allows you to manage the permissions for all your services from the Keycloak admin console and gives you the power to define exactly the policies that you require.

Keycloak is lightweight and easy to install, which is what's required for your application; you can easily scale with clustering capabilities as well. Apart from this Keycloak provides a couple of features; here they have listed a couple of features: single sign-on, standard protocols, centralized management, adapters, LDAP and Active Directory, social login, identity brokering, high performance, clustering. You can just go through the Keycloak official documentation so that you get a good idea.

Apart from this, let's say that you want to install Keycloak. There is one option: you can install it with Docker as well. So this is the Docker command; you can run the Docker command with this: 8080:8080, which will run on 8080. If you want to change the port number you can change it here. Apart from this you need to provide the Keycloak username and the password; I have provided admin and admin here. Apart from this, this is the Keycloak version, and apart from this you can provide the profile here. That's it; once you enter this it will start downloading Keycloak on your local system.

Once it is successfully started, what you have to do is just check it out using this port number, and you have to log in with admin and admin. Here you can see a couple of options: you can see clients, client scopes, realm roles, users, groups, sessions, events and all that stuff. By default there is one option, that is the Keycloak realm. What is the master realm? By default it has a master realm, and apart from this you have to create one realm. I will explain one by one. What is the realm? The realm is nothing but, you can think of the realm as a tenant. The first thing you will want to do is create a realm for your application and your users. A realm is fully isolated from the other realms, so you can create one realm for your enterprise application and another realm for your employees and another realm for external applications and the customers. Here I'm going to create one realm for my application. What I will do is take "my keycloak application". That's it, you can just create it, and once you create it, by default the "my keycloak application" realm has been selected. Under this there are a couple of options: we have clients, client scopes, realm roles. We have to create all of that stuff here.

Before that, what is the client? The clients are entities that request Keycloak to authenticate a user. Most often the clients are web, mobile or native applications that want to use Keycloak to secure themselves and provide a single sign-on solution. Apart from this we have client scopes as well. What is a client scope? A client scope allows creating reusable groups of claims that are added to tokens issued to the client. You can also define optional client scopes; in this way you should specify the optional client scopes with the scope parameter. Apart from this we have roles as well. If you're talking about roles, they usually represent a role that a user has in either your organization or in the context of your application. For example, a user can be granted an administrator role, therefore they can access and perform any action on any resource in your application. Apart from this you can create users, groups and sessions here, and you can see the realm settings here as well.

What I will do is create the client first. Just create a client: "my keycloak client". Let me copy this and provide the name and description also; I'm providing the same. Click on next. Here you can see the capability configuration: if you want to enable client authentication you can just enable it here, and apart from this there is an authorization option available here too. The authentication flow is there; here you need to select a couple of options. If you want to go with the standard flow or direct access grants you can just go through this. I don't want this; here we have enabled client authentication, so I just want to go through service account roles here, just check this. Apart from this we have OAuth 2.0 device authorization grant and OIDC; a couple of options are there, so you can just go through this and click on next. Here is the root URL; you need to define the root URL here. My Spring Cloud API Gateway is running on 9090 so I'm just defining it here; the home URL is also the same. Just save this. That's it, and once you save this you can see the credentials here: a client secret will be generated, and you have to use this client secret. If you want to create any roles you can just create the roles and map them to this client here. Apart from this we have some other advanced options as well; you can just go through them. For the time being I'm not going to create any advanced options. That's it.

I would like to discuss one more thing here: the Keycloak architecture. Whenever a user sends an authentication request, the user tries to access a protected resource and is redirected to the Keycloak login page. Keycloak verifies the user's credentials; if it is successful then it redirects them back with the authorization code and access token. Then the user sends an API request with the access token: the application will include the access token in the Authorization header when making the API requests. Then the OAuth metadata will be extracted, and apart from this it will validate the token. The API verifies the token and grants access if it is required, and then it will return the response to the user. This is how the overall Keycloak architecture will look when you have integrated Keycloak with the API.

Now let's integrate Keycloak with our API. Let's open our code. Before that, here actually we already went through how this Spring Cloud API Gateway is integrated with the Eureka server and the product service as well. If you haven't gone through those videos, please go through them; I already have these videos in my Microservices 3.0 playlist. Now what I'm going to do: I already started the Eureka server and the product service. This product service is straightforward; we have an endpoint which will return products. Apart from this we have a Spring Cloud API Gateway; this Spring Cloud API Gateway will route to the product service through the API Gateway. Now let's open the Eureka server. Now let's hit this. Yeah, now it's returning the products. This product service is actually coming through the API Gateway; the API Gateway is running at 9090, and this is /products, which is returning a list of products. This is working fine.

Now what I'm going to do is integrate Keycloak. Basically two dependencies are required. Let's open Spring Initializr; here I need the Spring Security dependency and apart from this I need a Resource Server. Just explore this and you will see these two dependencies; just copy these two dependencies and let's open the pom.xml file. In the pom.xml file just include these two dependencies. That's it. Apart from this, what we have to do is, in the application.yml file (sorry, application.properties), basically we need to add our issuer URL. Here basically we have security, OAuth2, resource server, and after that we have to add the JWT issuer URI. For the issuer URI, what we need to do is just open our Keycloak. In the realm settings you can see OpenID Endpoint Configuration; just click on this. A couple of options are available here, I mean a couple of endpoints: here we have the issuer, the authorization endpoint, the token endpoint. Apart from this we have grant types supported; we have a couple of grant types, so it depends on your requirement, you can choose the grant types here. First we need this issuer endpoint, so let's copy this, go back to our code and just add it here. Now we are ready to use this issuer URI.

Now what we have to do is add one configuration here, that is our security configuration. Now I'm going to create one configuration class inside this config package; I'm going to create a WebSecurityConfig. What I will do is add the @Configuration annotation, and after that I will create one bean. This bean basically will have a security filter chain. Let's take public SecurityFilterChain; let's remove this space here. This will have HttpSecurity; let's take HttpSecurity as a parameter. After that, what I will do is take http. First I need to disable CSRF, that is cross-site request forgery. I will disable this; to disable this basically I need the HTTP security related configurer, so let's take this and disable it. Once you disable this, what we have to do is allow the Eureka server here; the Eureka server should not be authenticated. To do this basically I will take authorizeHttpRequests. Inside authorizeHttpRequests, what I will do is take requests, and on these requests I will take requestMatchers; inside this request matcher we can provide the Eureka matcher. I will move to the next line; here we have an option like permitAll, so this will permit the Eureka server. Apart from this we have any other request; let's say anyRequest, and that will be authenticated. So apart from the Eureka server any other request has to be authenticated here. After that, what we have to do is, we have another option, oauth2ResourceServer; let's take that, oauth2ResourceServer, and we have oauth2 here. Inside this oauth2 we have jwt. Here what we need to do is configure the JWT-based configuration; let's take Customizer, and this Customizer will have a withDefaults option. That's it; we can build this. Here you can just return this and add exception to the method signature. This is straightforward: what we did is, first we disabled cross-site request forgery, after that we allowed the Eureka server, and apart from the Eureka server the other services we are authenticating here. For the OAuth2 resource server we have provided the JWT-based configuration.

After that we have to provide one more bean; that bean is basically a JwtDecoder. This JwtDecoder basically will take OAuth2ResourceServerProperties; let's take properties as the parameter name, and let's return JwtDecoders. We have another class called JwtDecoders; let's take this, and this JwtDecoders basically has fromIssuerLocation, so if you want to provide the issuer location you can provide it here. From the properties we have to fetch that: getJwt, getIssuerUri. That's it. Now you can just start this application. Here we can see some error with HttpSecurity in our configuration; let's see this. We forgot to enable web security; just add this annotation (@EnableWebSecurity) and let's start this. This time it started without any errors.

I will take one new request here, to port 9090, /product; this is my API Gateway endpoint. Just hit this and you will see 401 Unauthorized. In the Authorization tab there is an option called OAuth 2.0; we have to select this. Here we have a couple of options: configure new token. Here we have to add a token name; this is "my app token". Apart from this here we have the grant type; depending on your requirement you can choose what kind of grant type you require; I need client credentials. As we discussed, in the OpenID configuration we have a couple of grant types, so there also we have to choose depending on your requirement. Apart from this we have the access token URL; that access token URL you have to get from the OpenID configuration, the token endpoint, so just copy this, go back and paste it here. After that we have the client ID; what is our client ID? The client ID is your client; this is my client, "my keycloak client", so just provide it here. After that there is a Credentials tab where you can see the client secret; just copy this, come back here and paste it. We have scopes, and scope is optional here, depending on your requirement. After that we have client authentication; what is the client authentication here? Here we have two options: send as Basic Auth header, or send client credentials in body. I'm just taking send as Basic Auth header. Once you have selected this there is a Get New Access Token button; just click on this and it will take a couple of seconds to generate the token. It's generated the token; this is my access token. If I want to use this access token in my API header then click on Use Token; now it has been added to the token section. Just click on Send and then you are getting the response. This is how Keycloak will work. That's it. If you like this video please go ahead and like it; if you haven't subscribed to my YouTube channel please go ahead and subscribe. Thanks for watching.
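The gateway security configuration that the "Setting Up JWT-Based Authentication" outline and the transcript walk through, written out as an added example; this is not code from the video or from the speaker's repository. The package name, the `/eureka/**` path pattern and the issuer URI in the comment are assumptions.

```java
package com.example.gateway.config; // package name assumed for this example

import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.web.SecurityFilterChain;

/**
 * API Gateway security configuration for the setup described in the video.
 *
 * Required property (application.properties), pointing at the realm created in Keycloak:
 *   spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/realms/my-keycloak-application
 * Host, port and realm name above are assumptions; copy the "issuer" value from the realm's
 * OpenID Endpoint Configuration page rather than typing it by hand, because the decoder
 * below rejects any token whose "iss" claim does not match it exactly.
 */
@Configuration
@EnableWebSecurity   // the annotation the speaker had to add before the application started
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // CSRF protection defends cookie-based sessions; this gateway accepts only
                // bearer tokens in the Authorization header, so it is switched off.
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(requests -> requests
                        // Eureka traffic passes without a token (path pattern assumed).
                        .requestMatchers("/eureka/**").permitAll()
                        // Everything else, e.g. /product, needs a valid access token.
                        .anyRequest().authenticated())
                // Validate incoming JWTs as an OAuth 2.0 resource server.
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .build();
    }

    /**
     * Builds the decoder from the issuer URI. JwtDecoders.fromIssuerLocation() fetches the
     * realm's OpenID configuration, loads the signing keys from its jwks_uri and adds an
     * issuer check, so a well-formed token from another realm or server is still rejected.
     * Spring Boot auto-configures an equivalent decoder from the same property; the bean is
     * kept here because the video defines it explicitly.
     */
    @Bean
    public JwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties) {
        return JwtDecoders.fromIssuerLocation(properties.getJwt().getIssuerUri());
    }
}
```

The servlet-style HttpSecurity API matches the class names used in the transcript; a gateway built on the reactive (WebFlux) variant of Spring Cloud Gateway would use ServerHttpSecurity and SecurityWebFilterChain with the same three settings instead.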