Secure Your Microservices with Keycloak | OAuth2 & JWT | Spring Cloud Gateway

00:03

I hope everyone is doing good okay so

00:05

today I would like to discuss about key

00:07

clock here okay so what is the key clock

00:09

and what are the advantages of using

00:11

like key clock here so why exactly this

00:13

key clock is came to the picture and

00:14

after that I'm going to discuss about um

00:17

spring boot with key clock integration

00:19

as well okay so now so what is a key

00:23

clock key clock is nothing but it's a

00:24

open source identity and access

00:26

management tool here okay so basically

00:29

it will add the authentication to

00:31

applications and secure your

00:33

microservices with minimum effort okay

00:36

so let's say that you have a spring boot

00:37

application like microservices

00:39

application so if you want to add like

00:41

authentication or authorization so if

00:43

you want to provide the security then

00:44

you have to be store the users and

00:47

authenticating the users so all those

00:49

information you have to be taken care at

00:51

your application right so that is the

00:54

main advantage of using key clocks let's

00:56

say that if you are using key clocks no

00:58

need to deal with the storing the users

00:59

or authenticating the users at your

01:01

application so these two things will

01:04

taken care by this key clock okay so

01:06

apart from this key clock provides user

01:08

Federation and strong authentication and

01:10

user management and F and fine grind

01:14

authorization and much more capabilities

01:17

okay so K loock provides like fully

01:19

customizable login pages and Recovery

01:23

passwords and accepting the terms and

01:25

lot more okay so all of these Futures

01:28

provided by a ke clock can easily

01:29

integrate your application without any

01:32

coding at all okay so by delegating the

01:35

authentication of user to the key clocks

01:37

you don't worry about the authentication

01:39

mechanism so safely store the passwords

01:42

right so you can enable like two Factor

01:44

authentication without having to make

01:46

changes to the application okay so uh

01:50

this is the added advantage of using the

01:52

key clock

01:55

and sorry key clock also provides like

01:59

single sign up so with storing session

02:01

management okay so

02:05

session K clock also provides like

02:07

single sign on with like strong Mission

02:09

uh strong session management

02:11

capabilities okay so apart from this it

02:14

will provide like single sign on option

02:16

as well so key clock also provides like

02:18

single sign on with strong session

02:20

management capabilities it means that

02:21

allowing the users to access the

02:23

multiple applications while only having

02:25

to authentication once okay so that's

02:29

what it is saying so authenticate with

02:30

KCK loock rather than individual

02:32

application so this means that your

02:33

application don't have to deal with

02:35

login forms so authenticating the users

02:36

and storing the users so once you log

02:39

into K clock user don't have to be

02:41

loging again to access the different

02:43

applications okay and apart from this it

02:45

will provide like identity brokering and

02:47

social login as well okay so let's say

02:49

that if you want to integrate with the

02:50

social login in your application so then

02:52

what you have to do what you have to do

02:54

is it just matter of like selecting The

02:56

Social Network you want to add it so no

02:59

code changes is required to your

03:01

application okay so that is the added

03:04

advant advantage of this key CLA and

03:07

apart from this user Federation so if we

03:09

talking about the user Federation here

03:11

right so what is the user Federation U

03:14

user Federation means in key clocks the

03:15

term user Federation refers to the

03:18

capability of integrating with external

03:20

identity stores okay so you can think of

03:23

Lop is an example of candidate for

03:26

integrating via the user Federation men

03:28

so that's what it is saying so key clock

03:30

has a built-in support to connecting

03:32

with existing L like active directory

03:34

servers we can also Implement your own

03:36

provider so if you have users in other

03:39

stores such as a relational database

03:41

okay so apart from this uh it has like

03:44

couple of consoles as well so so they

03:47

can enable and disable couple of Futures

03:49

here so you can go through this consoles

03:51

as well and apart from this standard

03:53

protocols okay ke clock provides like

03:57

some uh standard protocols okay so uh

04:01

KCK loock Builds on industry standard

04:04

protocol supporting like w 2.0 open ID

04:07

connect and S 2 okay and apart from this

04:11

authorization Services okay so it's uh

04:14

if role based authorization does not

04:16

cover your needs then K clock provides

04:18

fine Grand authorization Services as

04:19

well okay so this allows you to manage

04:22

the permissions for for all your

04:24

services from the key clock admin

04:25

console and give you the power of to

04:29

exact what the policies that you

04:31

required here okay so key clock is a

04:34

lightweight and easily uh to install

04:37

okay that that's required for your

04:39

application okay so you can easily scale

04:42

where clustering capabilities as well so

04:44

apart from this key clock will Prov like

04:46

couple of features so here they have

04:47

listed out like couple of features

04:48

single sign on some standard protocols

04:51

centralized management adopters okay L

04:53

up and active directory social login

04:55

identity brokering high performance okay

04:58

clustering so you can just go through

05:00

this key clock official documentation so

05:02

that like you'll get good idea here okay

05:05

so uh apart from this so let's say that

05:08

if you want to be install um key clock

05:12

here so there is one option so so you

05:14

can go you can install with Docker as

05:16

well okay so what you have to do is

05:20

um okay so this is the docker command so

05:23

you can run Docker command with this

05:26

okay Ed Z Ed Z so which will run on Ed

05:29

Zer so if you want to change the port

05:30

number you can change here and apart

05:32

from this KY call here you need to

05:34

provide the KY clock username of the

05:36

password so I have provided like admin

05:38

and admin here and apart from this this

05:40

is the click clock key clock version and

05:42

apart from this you can provide like the

05:44

profile here okay so that's it once you

05:48

entered this it will start like

05:50

downloading this key clock in your local

05:52

system

06:00

okay so once it is successfully started

06:03

then what you have to do is so you can

06:06

just check it out by using this code

06:11

number okay and you have to log in with

06:15

admin and admin here okay so here you

06:19

can see like couple of options here you

06:21

can see the clients client Scopes realm

06:23

roles and users groups and sessions and

06:25

events all the stuff okay so by default

06:28

so there there is one opt that is cck

06:30

clock real alarm here okay what is a

06:33

master real alarm here okay by default

06:35

it will has like master real alarm so

06:38

and apart from this you have to be

06:40

create like one real here okay I will

06:43

explain one by one here okay so what is

06:46

the real alarm here so the real alarm is

06:48

nothing but you can think of the real

06:49

alarm as a tenant okay so the first

06:51

thing you will want to do is create a

06:54

realm for your application and your

06:56

users okay so realm is a fully isolated

06:59

from the other realm so because so you

07:02

can create one realm for your enter

07:04

application and another realm for your

07:07

uh your employees uh and another realm

07:10

for like external applications and the

07:11

customers okay so here I'm going to

07:14

create one realm for my application okay

07:17

so what I will do is uh I will take like

07:21

um

07:23

my um yeah my key

07:28

clock application

07:31

okay so that's it you can just create it

07:34

and once you create it right so it will

07:36

by default here my key clock application

07:39

realm has been selected under this so

07:41

there are like couple of options we have

07:43

a clients client Scopes realm roles okay

07:45

we have to create this all those stuff

07:48

here so before that what is the client

07:49

here the clients are entities okay so

07:52

that request key clock to authenticate a

07:55

user okay so most often the clients are

07:57

a web or mobile or like native

08:00

applications that want to use a key

08:01

Cloud to secure themselves and provide a

08:04

single sign on Solutions okay so uh

08:08

apart from this we have a client scope

08:10

as well so what is a client scope so if

08:12

we talking about client scope U that

08:14

client scope will allows to creating a

08:17

reusable groups of CLS that are added to

08:21

token issued to the client okay so you

08:23

can also Define an optional client

08:25

Scopes here so in this way so you should

08:27

specify the optional client with the

08:29

scope parameter here okay apart from

08:33

this we have a roles as well okay so we

08:35

have we have a roles so usually like if

08:37

you're talking about the roles usually

08:39

represented role a user that has in the

08:42

either your organization or like in the

08:44

context of of your application so if

08:47

we're talking about the role like for

08:48

example user can be granted a

08:50

administrator role therefore so they can

08:53

access and perform like any action on

08:55

any resource in your application okay

08:58

and apart from this we have like some

09:01

you can create the users and groups and

09:03

sessions here okay and apart from this

09:06

you can see like uh realm settings here

09:09

as well okay and uh what I will do is I

09:13

will create the client first okay so

09:16

just create client

09:18

so

09:21

my key

09:23

clock client okay so let me copy this

09:27

and provide the name and description

09:29

also I'm providing the same Okay click

09:31

on the next so here you can see the

09:34

capability configuration so if you want

09:36

to enable the client authentication you

09:38

can just enable here and apart from this

09:41

so there is a authorization okay option

09:44

as option also is available here here

09:46

the authentication flow is there so here

09:48

you need to select a couple of options

09:50

so if you want to um go with like

09:52

standard flow okay direct access crun

09:55

you can just go through this and so if

09:57

you don't want this so here we have

09:59

enable the client authentication right

10:00

so I just want to be go through service

10:03

account roles here okay just check this

10:07

and apart from this we have what 2.0

10:09

device authorization grind and YDC okay

10:12

couple of options is there so you can

10:13

just go through this and click on the

10:15

next so here root URL so you need to

10:18

Define the root URL here okay so my

10:22

spring Cloud API Gateway is running on

10:25

9090 so I'm just defining here so home

10:28

you also same and just save this okay so

10:33

that's it and once you save this you can

10:35

see the credentials here there is a

10:37

client secret will be generated so you

10:39

have to use this client secret okay so

10:42

if you want to create any roles you can

10:43

just create the roles and map to this

10:46

clients here okay so apart from this we

10:48

have a some other Advanced options as

10:50

well you can just go through for time

10:53

being I'm not going to create any

10:55

advanced options here okay so that's it

10:58

and

11:00

so uh I would like to discuss one more

11:03

thing here okay um yeah clock

11:07

architecture so whenever like user um

11:10

sends like authentication requests okay

11:13

so then so the user tries to access a

11:16

protected resources and it is redirect

11:18

to the key clock login page right so the

11:21

key clock verifies the users credentials

11:23

if it is successful then redirects them

11:25

back to the okay authorization code okay

11:28

and ACC token okay so uh then user sends

11:34

uh then the user sends are like AP

11:36

request of the access token here so the

11:38

application included the application

11:40

will be included the access token in the

11:42

authorization header when when making

11:44

the API requests here right so then so

11:47

the W metadata will be extracted here

11:49

and apart from this it will validate the

11:51

token here okay so the API verifies the

11:55

uh token and grants the access if it is

11:57

required then then it it will be written

12:00

the response to user here okay so this

12:02

is how the overall key clock

12:04

architecture will look like when you are

12:06

integrated key clock with the

12:08

API okay okay so now let's integrate

12:12

this key clock with our API here okay so

12:15

let's open our code so uh before that so

12:19

here actually we already go through this

12:22

how this spring Cloud API gateaway is

12:25

integrated with Ura server and your

12:28

product Service as well well okay so if

12:30

you not uh went through this videos

12:32

please go through so I already have this

12:35

videos in my playlist in microservices

12:36

3.0 playlist please go through that and

12:39

now so what I'm going to do is I already

12:42

started this um urea server okay and

12:45

product service okay and so this product

12:49

service is straightforward so we have a

12:51

uh some Endo which will return like

12:53

products here okay and apart from this

12:56

we have a spring Cloud AP Gateway Okay

12:58

so this spring Cloud API Gateway will

13:01

routes okay that product service through

13:03

this API Gateway okay

13:06

and now let's open this

13:10

um urea server here okay so now

13:19

let's let's hit this

13:23

okay so yeah now it's returning the

13:27

product Okay so this product service

13:30

actually coming through this AP Gateway

13:33

AP Gateway is running at 9090 okay this

13:35

is products okay so this is ring like

13:38

list of products here okay so this is

13:39

working fine now what I'm going to do is

13:42

to integrate this key clock basically

13:43

like two dependencies are required right

13:46

so uh let's open this spring initializer

13:49

here okay so here I need like um Spring

13:54

Security okay dependency and apart from

13:57

this I need a

14:00

resource server okay so just explore

14:02

this here you will see this two

14:04

dependencies right so this two

14:06

dependences just copy this two

14:08

dependencies here and let's open the

14:11

pom.xml file here so in the pom.xml file

14:14

just include these two

14:17

dependencies okay that's it and apart

14:21

from this what we have to do is uh in

14:24

application. ml file basically we need

14:26

to add this um our is your url uh

14:30

application. properties so what I'm so

14:33

here so basically we have a security

14:36

okay so what to Resource server and

14:40

after that we have to add like JWT JWT

14:43

issuer Ur here okay so the issue URI so

14:46

what we need to do is just open our key

14:49

clock here okay so in

14:53

the itm settings okay so here you can

14:57

see this open a open ID endpoint

15:00

configuration just click on this okay so

15:03

there are like couple of options are

15:05

available here I mean like couple of

15:06

endpoints okay so here we have like

15:09

issuer authorization endpoint token

15:11

endpoint okay apart from this we have a

15:13

grand types supported we have a couple

15:15

of grand points uh Grand types so so it

15:19

depends on your requirement so you can

15:20

choose like this Grand types here okay

15:23

so first like we need this issue

15:25

endpoint okay so let's copy this and

15:28

going back to our code and just add this

15:31

here okay and now so we are ready to use

15:35

this isure urri here right now what we

15:38

have to do is uh we need to add like one

15:42

configuration here okay so that is our

15:45

security configuration so now I'm going

15:48

to create one configuration class okay

15:50

so just um inside this config package

15:55

I'm going to create like a

15:57

web security okay so configuration here

16:02

okay so what I will do is I will add

16:05

like the of configuration okay and after

16:09

that I will create one of the bean here

16:11

okay so this Bean basically will have a

16:15

security filter so let's take uh public

16:19

okay so let's remove this space here so

16:22

here what I will do is I will take a

16:25

security security filter chain Okay so

16:28

so this will have like HTTP security

16:31

okay let's take HTTP security as a

16:34

parameter here and after that so here so

16:38

what I will do is I will take HTTP so

16:41

first like I need to disable this uh

16:43

csrf that is like cross site request

16:46

forgery okay so I will disable this so

16:49

to disable this basically I need like

16:52

some HTTP security related filter okay

16:55

configure okay and so let's take this

16:59

and let's disable this okay so once you

17:03

disable this uh uh what we have to do is

17:06

we have to like um allow like this urea

17:09

server here okay so urea server should

17:12

not be authenticated here so to do this

17:15

basically I will take um authorized HTTP

17:19

request here okay inside this authorized

17:21

like HTTP request what I will do

17:27

is so

17:30

requests so this requests okay so here

17:35

what I will do is I will take uh request

17:38

matchers so inside this request matcher

17:40

we can provide like

17:41

urea okay matcher here and

17:46

so what I will do is I will move to the

17:49

next line okay so here we have option

17:51

like permit all so this will permit like

17:53

eura server here and apart from this we

17:57

have like any other request so let's say

17:59

that we have any request so that will

18:02

authenticate okay so apart from Thea

18:04

server any other request has to be

18:06

authenticated here okay and so

18:10

authenticated and after that so what we

18:13

have to do is uh we have like other

18:16

option like w um sorry so w here we have

18:23

W resource server okay let's take that

18:25

this W resource server and we have like

18:30

um what here okay so this

18:35

what okay so inside this what we have

18:39

like JWT okay so here here what we need

18:42

to do is we have to be configur like JWT

18:44

based configuration okay so let's take

18:46

customizer so this customizer will have

18:49

a with defaults option okay so that's it

18:52

can build

18:53

this okay so here you can just return

18:57

this and add

18:59

exception to this method signature okay

19:02

so this is straightforward right so what

19:04

we did is first like we have disabled

19:06

this um cross site request forgery and

19:09

after that we have all like euroka

19:11

server and apart from this eura server

19:13

like other services we are

19:14

authenticating here okay

19:18

and what server we have Pro like JWT

19:21

based like configuration okay and after

19:24

that we have to provide like one more

19:26

Bean Okay so that being

19:30

basically

19:31

okay uh JWT decoder okay so JWT decoder

19:38

so this JWT decoder basically will take

19:40

what um okay what resource server

19:44

properties so let's take properties as

19:48

par name here and so let's return return

19:52

um JWT decoders okay so we have another

19:57

class called like JWT decoders okay

20:00

let's take this and uh this JWT decoders

20:04

basically from is location so if you

20:06

want to provide like isure location so

20:08

you can provide the isure location here

20:10

so properties from the properties we

20:13

have to fetch that get JWT okay get ISS

20:18

URI okay so that's it so now so you can

20:22

just start this uh

20:24

application okay so here we can see some

20:28

error HTTP Security in our

20:32

configuration okay let's see this okay

20:35

so we forgot to enable uh web security

20:38

okay just add this annotation and let's

20:40

start

20:42

this okay so this time it started uh

20:45

without any errors okay um I will take

20:49

one new endpoint here okay and so HTTP

20:54

9090 product so this is my API Gateway

20:58

end point just hit this so you will see

21:00

like 401 unauthorized here okay so uh in

21:04

the authorization tab so there is a

21:05

option called okay what 2.0 we have to

21:09

select this so here actually we have a

21:11

couple of options configure new token

21:13

here okay so here we have to be add like

21:17

uh some token names okay so this is my U

21:20

my app token okay and apart from this

21:23

here we have a grand type so you have to

21:25

take like uh depends on your requirement

21:28

you can choose like what kind of grand

21:30

type you required here so I need like

21:31

client credentials here okay so as we

21:34

discussed like in like in open ID

21:37

configurations we have a couple of grand

21:38

types right so there also we have to

21:40

choose different depends on your

21:42

requirement and apart from this we have

21:44

a access token uh URL here okay so that

21:47

access token URL so you have to get it

21:50

from that open ID configuration so

21:52

access token this one so just copy this

21:55

this is token in find so go back here

21:59

and let's paste here okay and after that

22:03

we have a client ID so what is our

22:04

client ID so the client ID is your

22:08

client so this is my client my key clock

22:12

client here okay just provide here and

22:15

after that there is a credential tab so

22:17

here you can see the client secret okay

22:19

just copy this and coming back here and

22:22

just paste okay and we have a Scopes and

22:26

scope is optional here so depends on

22:28

your requirement go for this code and

22:30

after that we have a client

22:31

authentication so what is the client

22:33

authentication here so now here we have

22:36

a two options send as a basic Au header

22:38

or like send client credentials in body

22:41

okay so I'm just taking as like send as

22:43

a basic o header okay so once you

22:46

selected this get new access token

22:48

button is there just click on this and

22:51

it will take like couple of seconds here

22:54

okay to generate this

22:55

token so it's generated the token so so

22:58

this is my access token so if I want to

23:00

use this token access token in my API

23:05

header then click on this used token

23:08

okay and now it's has been added to okay

23:12

here the token section and just click on

23:15

send so then you are getting the

23:18

response right so this is how this SK

23:21

clock will be work okay so that's it so

23:25

if you like this video please go ahead

23:26

and like if you haven't subscribed my

23:27

YouTube Channel please please go ahead

23:28

and subscribe YouTube channel thanks

23:30

thanks for watching