Skip to content
/ keycloak-gatekeeper Public

Demo project for the configuration of keycloak and gatekeeper

2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

drosowski/keycloak-gatekeeper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
.mvn/wrapper
.mvn/wrapper
 
 
frontend
frontend
 
 
keycloak
keycloak
 
 
rest
rest
 
 
reverse
reverse
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
tokeninspect.sh
tokeninspect.sh
 
 

Repository files navigation

Keycloak and Gatekeeper and Spring Boot Demo

ℹ️ The aim of this demo project is to give the reader a blueprint for using Keycloak-based authentication and authorisation in a Spring Boot app.

There are three different ways to protect a Spring Boot app using Keycloak that we are going to investigate.

  1. Use the Spring Boot adapter
  2. Use the Spring Security adapter
  3. Use Gatekeeper

Prerequisites

You need a running kubernetes cluster. It should work on both minikube or k3s.

  1. kubectl apply -f keycloak
  2. sudo echo "127.0.0.1 keycloak.keycloak.svc" >> /etc/hosts
  3. kubectl port-forward <KEYCLOAK_POD_NAME> 8180:8180 -n keycloak

Test

If you're using IntelliJ (as you should ;-) you will find some *.http files in src/test/resources that you can use to test whether authentication works as expected.

  1. Run greet.http and you should get a polite but resolute 401 (Unauthorized).
  2. Run authenticate.http and copy the contents of access_token
  3. Put the token after Bearer in the greet.http and run it again.
  4. 🎉

setgreeting.http requires the role 'edit', so we have to login with the gsadmin user. Otherwise you will get a passive aggressive but expressive 403 (Forbidden).

This way you can test the different integrations of Keycloak. Have fun and stay safe!

Spring Boot Adapter

https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter

The configuration for the Spring Boot adapter can be found in the branch springboot-adapter. Just start the app with the main class (RestServiceApplication) from your IDE.

Spring Security Adapter

https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_security_adapter

The configuration for the Spring Boot adapter can be found in the branch springsecurity-adapter. Just start the app with the main class (RestServiceApplication) from your IDE.

Frontend

https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter

The frontend consists of a VueJs application which uses the keycloak-js adapter. The application forwards to keycloak for the user to authenticate. It then uses the acquired access_token to call the greeting service.

Gatekeeper

The configuration for gatekeeper is in the master branch. As gatekeeper runs as a sidecar container along the greetingservice, you have to run the service in the kubernetes cluster.

In the rest directory:

  1. mvn compile jib:dockerBuild
  2. kubectl apply -f k8s

The service is then available at http://localhost:30080 (see greet.http and setgreeting.http).

Forward-Signing Requests

Let's explore another great feature of gatekeeper, namely forward-signing requests. You can attach gatekeeper to any service that you wish to grant authentication to a given service.

Ok, slowly. We have our greeting service that is guarded by gatekeeper. Now we have another service, called reverse that needs access to the greetingservice. We could either

  1. build authentication in the reverse service or
  2. Use gatekeeper.

In this usecase gatekeeper acts as a proxy that automatically fetches the access_token from keycloak and fill the Authorization header.

About

Demo project for the configuration of keycloak and gatekeeper

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages