Authorization Services

Configuration

Before proceeding with the next sections, we need to configure the realm, roles, and users in our Red Hat build of Keycloak instance.

  • Open a browser window and log in to the Red Hat build of Keycloak administration console.

  • Create the demo realm. Click the master realm dropdown menu and select Create Realm.

  • Click Create.

  • Create the staff group. Click on Groups.

  • Then click Create group.

  • Set staff as the group name and click Create.

  • Create the child group named Personal staff. Click on the kebab menu (⋮) of the staff group and select Create child group.

  • Set Personal staff as the name and click Create.

  • Create the vet role. Click on Realm roles, then Create role.

  • Set the role name and click Save.

  • Repeat the same steps to create a role named assistant.

  • Create the user angel. Click on Users, then Add user.

  • Set the username and click Create.

  • Open the Credentials tab and set a password for the user. Ensure that Temporary is set to OFF before setting the password.

  • Open the Role Mappings tab and assign the vet role to the user.

  • Open the Groups tab and assign the user angel to the Personal staff group.

  • Repeat the same steps to create a user named elisabeth, assigning the assistant role and adding the user to the Personal staff group.
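
The console steps above can be replayed from the command line. The script below is an added example, not part of this tutorial or of the Keycloak project; it drives the kcadm.sh admin CLI that ships in the server distribution under bin/. The install path (KC_HOME), the admin account and the two demo passwords are assumptions read from the environment with constructed placeholder defaults; the realm, role, group and user names are the ones used above.

```shell
#!/bin/sh
# Added example: scripted equivalent of the realm / roles / groups / users setup,
# using the kcadm.sh admin CLI that ships in the Keycloak server distribution.
# Assumed values: KC_HOME, the admin account and the two demo passwords come from
# the environment; the defaults below are constructed placeholders, not real credentials.
KCADM="${KCADM:-${KC_HOME:-/opt/keycloak}/bin/kcadm.sh}"
KC_URL="${KC_URL:-http://localhost:8080}"
KC_ADMIN_USER="${KC_ADMIN_USER:-admin}"
KC_ADMIN_PASSWORD="${KC_ADMIN_PASSWORD:-admin}"                    # placeholder
ANGEL_PASSWORD="${ANGEL_PASSWORD:-angel-demo-password}"             # placeholder
ELISABETH_PASSWORD="${ELISABETH_PASSWORD:-elisabeth-demo-password}" # placeholder

# Every admin call goes through this wrapper, so "KCADM=echo" turns the script
# into a dry run that prints the commands instead of executing them.
kc() { "$KCADM" "$@"; }

# Create a realm user with a permanent (non-temporary) password, map one realm
# role to it and make it a member of the group whose id is given.
create_staff_user() {
  username=$1; password=$2; role=$3; group_id=$4
  user_id=$(kc create users -r demo -s "username=$username" -s enabled=true -i)
  kc set-password -r demo --username "$username" --new-password "$password"
  kc add-roles -r demo --uusername "$username" --rolename "$role"
  kc update "users/$user_id/groups/$group_id" -r demo \
    -s realm=demo -s "userId=$user_id" -s "groupId=$group_id" -n
}

# Realm, the two roles, the staff group with its "Personal staff" child group,
# and the two users with their role and group assignments.
setup_demo_realm() {
  kc config credentials --server "$KC_URL" --realm master \
    --user "$KC_ADMIN_USER" --password "$KC_ADMIN_PASSWORD"
  kc create realms -s realm=demo -s enabled=true
  kc create roles -r demo -s name=vet
  kc create roles -r demo -s name=assistant
  staff_id=$(kc create groups -r demo -s name=staff -i)
  personal_id=$(kc create "groups/$staff_id/children" -r demo -s "name=Personal staff" -i)
  create_staff_user angel "$ANGEL_PASSWORD" vet "$personal_id"
  create_staff_user elisabeth "$ELISABETH_PASSWORD" assistant "$personal_id"
}

# Runs only when invoked as "sh setup-demo-realm.sh --run"; prefix the command
# with KCADM=echo to preview every admin call without a running server.
if [ "${1:-}" = "--run" ]; then
  setup_demo_realm
fi
```

The `-i` flag makes each `create` print only the id of the new object, which is what the child-group and group-membership calls need; the dry-run wrapper is there so the sequence of admin calls can be reviewed before it touches a real realm.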

Securing Web Applications

The sample application used in this section is the Quarkus Petclinic project.

In this tutorial, we will work with a version that has been modified for demonstration purposes.

The repository for this modified version is:

To get started, clone the repository and switch to the rhbk-base-22 branch:

Test the application:

./mvnw clean quarkus:dev
  • Open a browser window and visit the application URL.

Before securing the application, let’s configure a new client in our Red Hat build of Keycloak realm.

  • Open a browser window and log in to the Red Hat build of Keycloak administration console.

  • Select the demo realm and click Clients. Click Create client.

  • Set quarkus-petclinic as the Client ID, click Next through the remaining pages, then click Save.

  • On the quarkus-petclinic client configuration page:

    • Enable Client authentication.

    • Enable Authorization.

    • Set Valid Redirect URIs to include the root context of your application.

    • Click Save.

At this point, we have the demo realm with the quarkus-petclinic client. We also created two roles and two users: the user angel with the vet role, and the user elisabeth with the assistant role.

  • The authorization granularity we want to configure in our application is as follows:

    • Any user that belongs to the demo realm, like elisabeth, can browse the application except for the VETERINARIANS resource.

    • Only users with the vet role can view the VETERINARIANS resource (which corresponds to the /vets.html path).

    • Any user outside the realm will be denied access.

Let’s configure our client authorization.

  • Open a browser window and log in to the Red Hat build of Keycloak administration console. Browse to the quarkus-petclinic client and click the Authorization tab, then the Policies tab.

  • Click Create policy and select Group.

  • Set Default Group Policy as the Name. Add the staff group to the Groups list. Ensure that the Logic is set to Positive and that Extend to Children is checked (to enable it, you may need to click Save first). Finally, click Save.

  • Go back, select the Resources tab, and click Create permission for the Default Resource.

  • Set Default Resource Permission as the Name and select Default Resource as the Resource. Add the previously created Default Group Policy and click Save.

  • Go back again, select the Resources tab, and click Create resource.

  • Set Vets Resource as both the Name and Display name, and /vets.html as the URI. Click Save.

  • Navigate to the Authorization tab, select the Policies sub-tab, and click Create policy.

  • Select Role.

  • Set Vet Role Policy as the Name, select vet under Realm Roles, check Required, and click Save.

  • Navigate to the Authorization tab and select the Resources sub-tab.

  • Click Create permission for the Vets Resource.

  • Set Vets Resource Permission as the Name and apply the Vet Role Policy. Click Save.

At this point, the Red Hat build of Keycloak client is properly configured.

Let’s configure the application side.

  • In the Keycloak administration console, browse to the quarkus-petclinic client and click the Credentials tab. Write down the Secret value — you will need it soon.

  • Export the client secret:

export KEYCLOAK_CLIENT_SECRET=<the secret>
  • Add the following dependencies to the pom.xml file:

<dependency>
  <groupId>io.quarkus</groupId>
  <artifactId>quarkus-oidc</artifactId>
</dependency>
<dependency>
  <groupId>io.quarkus</groupId>
  <artifactId>quarkus-keycloak-authorization</artifactId>
</dependency>
  • Add the following configuration to the application’s application.properties file:

# OIDC connection to the demo realm; KEYCLOAK_HOST and KEYCLOAK_CLIENT_SECRET are read from the environment
quarkus.oidc.auth-server-url=http://${KEYCLOAK_HOST:localhost:8080}/realms/demo
quarkus.oidc.client-id=quarkus-petclinic
# The "secret" fallback only lets the application start without the variable; always export the real value
quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET:secret}
# Disables TLS certificate verification for this plain-HTTP local setup; remove it before pointing at an HTTPS server outside development
quarkus.oidc.tls.verification=none
# Read realm roles (vet, assistant) from the access token
quarkus.oidc.roles.source=accesstoken

# Authorization code flow: unauthenticated browser requests are redirected to the Keycloak login page
quarkus.oidc.application-type=web-app
quarkus.oidc.webapp.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc.webapp.client-id=${quarkus.oidc.client-id}
quarkus.oidc.webapp.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc.webapp.roles.source=${quarkus.oidc.roles.source}

# Delegate access decisions for incoming requests to the permissions defined on the quarkus-petclinic client
quarkus.keycloak.policy-enforcer.enable=true
  • Redeploy and test the application access:

    • Open a new incognito browser session.

    • Browse to the context root of the Quarkus Petclinic application. The request should be redirected to the Red Hat Single Sign-On login page — confirming that anonymous access is blocked.

    • Log in as elisabeth. The request will be redirected to the application after a successful login.

    • Browse the application and try to access the VETERINARIANS section. Access should be denied since elisabeth has the assistant role and this resource is restricted to users with the vet role.

    • Close the browser and open a new incognito session.

    • Visit the context root again.

    • Log in as angel.

    • Browse the application and try to access the VETERINARIANS section. This time, access should be granted since angel has the vet role.

A complete OIDC-enabled Quarkus Petclinic application is available in the rhbk-oidc-22 branch.
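
The browser walkthrough above can be complemented by a check that asks the authorization server for its decision directly, without going through the Petclinic application. The script below is an added example, not part of this tutorial or of the Keycloak or Quarkus projects. It assumes that the quarkus-petclinic client allows Direct access grants (the password grant used to obtain user tokens), that KEYCLOAK_CLIENT_SECRET is the value exported earlier, and that the two user passwords are supplied through the ANGEL_PASSWORD and ELISABETH_PASSWORD environment variables (assumed names); the resource names are the ones created above.

```shell
#!/bin/sh
# Added example: evaluates the permissions configured on the quarkus-petclinic
# client straight against the Keycloak token endpoint (UMA ticket grant with
# response_mode=decision). Assumptions: Direct access grants are enabled on the
# client, KEYCLOAK_CLIENT_SECRET is exported, and the user passwords come from
# the environment variables named below.
KC_URL="${KC_URL:-http://localhost:8080}"
TOKEN_URL="$KC_URL/realms/demo/protocol/openid-connect/token"

# Obtain an access token for a demo realm user with the password grant.
user_token() {
  curl -sS -X POST "$TOKEN_URL" \
    -d grant_type=password -d client_id=quarkus-petclinic \
    --data-urlencode "client_secret=$KEYCLOAK_CLIENT_SECRET" \
    --data-urlencode "username=$1" --data-urlencode "password=$2" \
  | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Ask the server whether the token holder may access one named resource.
# Keycloak answers HTTP 200 with {"result":true} when permitted and HTTP 403
# with an access_denied error when the permissions evaluate to deny.
decision_status() {
  curl -sS -o /dev/null -w '%{http_code}' -X POST "$TOKEN_URL" \
    -H "Authorization: Bearer $1" \
    -d grant_type=urn:ietf:params:oauth:grant-type:uma-ticket \
    -d audience=quarkus-petclinic -d response_mode=decision \
    --data-urlencode "permission=$2"
}

# Map the HTTP status of the decision response to a readable verdict.
decision_word() {
  case "$1" in
    200) echo PERMIT ;;
    403) echo DENY ;;
    *)   echo "ERROR($1)" ;;
  esac
}

# Print "user 'resource' verdict" for one user / resource pair.
check_access() {
  token=$(user_token "$1" "$2")
  [ -n "$token" ] || { echo "$1: could not obtain a token" >&2; return 1; }
  echo "$1 '$3' $(decision_word "$(decision_status "$token" "$3")")"
}

# Run as "sh check-permissions.sh --run". With the permissions configured above,
# angel should be permitted on Vets Resource (vet role), elisabeth denied on it
# (assistant role only) and permitted on Default Resource (member of staff
# through the Personal staff child group).
if [ "${1:-}" = "--run" ]; then
  check_access angel "$ANGEL_PASSWORD" "Vets Resource"
  check_access elisabeth "$ELISABETH_PASSWORD" "Vets Resource"
  check_access elisabeth "$ELISABETH_PASSWORD" "Default Resource"
fi
```

Because the decision comes from the server rather than from the policy enforcer in the application, a mismatch between this output and what the browser test shows points at the enforcer configuration (paths, roles source) rather than at the policies themselves.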