Authorization Services

Configuration

Before proceeding with the next sections, we need to configure the realm, groups, roles and users in our Red Hat build of Keycloak instance.

  • Open a browser window and log in to the Red Hat build of Keycloak administration web console.

  • Create the demo realm. Click on the master realm dropdown menu, click Create Realm.

  • Set demo as the Realm name and click Create.

  • Create the staff group. Click on Groups.

  • Then click Create group.

  • Set staff as the group name, and click Create.

  • Create the child group named Personal staff. Click on the kebab button of the staff group and click Create child group.

  • Set Personal staff as the name, and click Create.

  • Create the role vet. Click on Realm roles, then Create role.

  • Set vet as the Role name, and click Save.

  • Repeat the same steps for creating a role named assistant.

  • Create the user angel. Click on Users, then Add user.

  • Set angel as the username, and click Create.

  • Open the Credentials tab and set the password for the user. Make sure to set Temporary to OFF before setting the password; a temporary password forces the user to change it at the first login, which would get in the way of the tests later on.

  • Open the Role Mappings tab and assign the vet role to the user.

  • Open the Groups tab and assign the user angel to the Personal staff group.

  • Repeat the same steps for creating a user named elisabeth but assign the assistant role. Also, remember to include the user in the Personal staff group.

Securing Web Applications

The sample application that we will use in this section is the Quarkus Petclinic project.

In this tutorial, we will work with a version that has been modified for the tutorial.

The repository for this modified version is:

To get started, clone the repository and switch to the rhbk-base-22 branch:

Run the application in Quarkus dev mode to check that it works before securing it:

./mvnw clean quarkus:dev
  • Open a browser window and visit the application URL.

Before securing the application, let’s configure a new client in our Red Hat build of Keycloak realm.

  • Open a browser window and log in to the Red Hat build of Keycloak administration web console.

  • Select our demo realm and click Clients. Click Create client.

  • Set quarkus-petclinic as Client ID. Click Next through the remaining pages and then Save.

  • On the quarkus-petclinic client configuration page:

    • Enable Client authentication. This makes the client confidential: Red Hat build of Keycloak issues it a client secret, which the application presents when it exchanges the authorization code for tokens.

    • Enable Authorization. This turns on Authorization Services for the client and creates a Default Resource that covers every path (/*).

    • Set Valid Redirect URIs to include the root context of your application. Keep the list as narrow as possible (the application's own URL, not a bare *): the redirect URI is where the authorization code is delivered, and an over-broad pattern lets an attacker have codes sent to a site they control.

    • Click Save.

At this point, we have the demo realm with the quarkus-petclinic client; additionally, we created two roles and two users: the user angel that has the vet role and the user elisabeth that has the role assistant.

  • The authorization granularity that we want to configure based on our application is the following:

    • Any member of the staff group of the demo realm (directly, or through a child group such as Personal staff), like elisabeth, can browse the application except the VETERINARIANS resource.

    • Only the users with the role vet can view the VETERINARIANS resource (which has the /vets.html context).

    • Any other access is rejected: anonymous requests are redirected to the login page, and authenticated users who are not members of the staff group are denied.

Let’s configure our client authorization.

  • Open a browser window and log in to the Red Hat build of Keycloak administration web console. Browse to our quarkus-petclinic client and click the Authorization and then Policies tabs.

  • Click Create policy, select Group.

  • Set Default Group Policy as the Name. Add the staff group to the Groups list. Make sure that the Logic is set to Positive and Extend to Children is checked (to enable the checkbox, you may need to click Save first). Finally, click Save. Extend to Children matters here: angel and elisabeth are members of Personal staff, a child of staff, and not of staff itself, so without it the policy would deny both users.

  • Go back, select the Resources tab and click Create Permission for the Default Resource.

  • Set Default Resource Permission as Name and select Default Resource as Resources. Add the recently created Default Group Policy. Click Save.

  • Go back again, select the Resources tab and create a new resource by clicking on Create resource.

  • Set Vets Resource as Name and Display name, and /vets.html as URI. Click Save.

  • Browse to the Authorization and Policies tabs. Click on Create Policy and select Role.

  • Set Vet Role Policy as the Name, add vet under Realm Roles, and check Required. Click Save.

  • Browse to the Authorization and Resources tabs.

  • Click on Create Permission for the Vets Resource.

  • Set Vets Resource Permission as Name, apply the Vet Role Policy and click Save.

At this point, the Red Hat build of Keycloak client is properly configured.
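The console steps above (realm, groups, roles and users in the Configuration section, then the client, resources, policies and permissions in this section) can be reproduced with the Keycloak Admin REST API so that the setup is scripted and reviewable. The following is an added example written for this page; it is not code from the tutorial, from Quarkus or from Keycloak. It assumes a freshly started Red Hat build of Keycloak reachable at KEYCLOAK_URL (default http://localhost:8080), a master-realm administrator in KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD, the password to give angel and elisabeth in DEMO_USER_PASSWORD, and the application's root URL in APP_URL (the default http://localhost:8081 is an assumption, since the page does not state the port the application runs on). It is meant to be run once; rerunning it against an existing realm fails with HTTP 409.

```python
"""Provision the tutorial's demo realm and the quarkus-petclinic authorization
settings through the Keycloak Admin REST API, using only the standard library.
Added example; not code from the tutorial, Quarkus or Keycloak. Assumed
environment: KEYCLOAK_URL (default http://localhost:8080), KEYCLOAK_ADMIN and
KEYCLOAK_ADMIN_PASSWORD (master-realm admin), DEMO_USER_PASSWORD (password for
angel and elisabeth) and APP_URL (application root, assumed http://localhost:8081)."""
import json
import os
import urllib.parse
import urllib.request

REALM = "demo"
CLIENT_ID = "quarkus-petclinic"
# username -> (realm role, group path), as configured in the tutorial
USERS = {"angel": ("vet", "/staff/Personal staff"),
         "elisabeth": ("assistant", "/staff/Personal staff")}

def token_url(base, realm):
    return f"{base}/realms/{realm}/protocol/openid-connect/token"

def user_representation(username, password, group_path):
    """UserRepresentation: non-temporary password (Temporary OFF) and group by path."""
    return {"username": username, "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": False}],
            "groups": [group_path]}

def new_id(location, body):
    """Realm-management endpoints answer 201 with a Location header ending in the id;
    authorization endpoints return the created representation instead (resources
    carry "_id", policies and permissions carry "id")."""
    if location:
        return location.rstrip("/").rsplit("/", 1)[-1]
    body = body or {}
    return body.get("id") or body.get("_id")

def admin_token(base, username, password):
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(token_url(base, "master"), data=form) as resp:
        return json.load(resp)["access_token"]

class Admin:
    def __init__(self, base, token):
        self.base, self.token = base, token

    def call(self, method, path, payload=None):
        req = urllib.request.Request(
            f"{self.base}/admin{path}", method=method,
            data=None if payload is None else json.dumps(payload).encode(),
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # HTTPError on 4xx/5xx (409: exists)
            body = resp.read()
            return resp.headers.get("Location"), json.loads(body) if body else None

    def get(self, path):
        return self.call("GET", path)[1]

    def post(self, path, payload):
        return new_id(*self.call("POST", path, payload))

def provision(kc, user_password, app_url):
    r = f"/realms/{REALM}"
    kc.post("/realms", {"realm": REALM, "enabled": True})
    staff = kc.post(f"{r}/groups", {"name": "staff"})
    kc.post(f"{r}/groups/{staff}/children", {"name": "Personal staff"})
    for role in ("vet", "assistant"):
        kc.post(f"{r}/roles", {"name": role})
    for username, (role, group) in USERS.items():
        uid = kc.post(f"{r}/users", user_representation(username, user_password, group))
        kc.post(f"{r}/users/{uid}/role-mappings/realm", [kc.get(f"{r}/roles/{role}")])
    # Client authentication ON (confidential client) and Authorization ON; enabling
    # authorization services also creates the Default Resource for /*.
    cid = kc.post(f"{r}/clients", {"clientId": CLIENT_ID, "publicClient": False,
                                   "serviceAccountsEnabled": True,
                                   "authorizationServicesEnabled": True,
                                   "redirectUris": [f"{app_url}/*"]})
    authz = f"{r}/clients/{cid}/authz/resource-server"
    default_res = next(res["_id"] for res in kc.get(f"{authz}/resource")
                       if res["name"] == "Default Resource")
    vets_res = kc.post(f"{authz}/resource", {"name": "Vets Resource",
                       "displayName": "Vets Resource", "uris": ["/vets.html"]})
    group_policy = kc.post(f"{authz}/policy/group", {
        "name": "Default Group Policy", "logic": "POSITIVE",
        "groups": [{"id": staff, "extendChildren": True}]})  # Extend to Children
    role_policy = kc.post(f"{authz}/policy/role", {
        "name": "Vet Role Policy",
        "roles": [{"id": kc.get(f"{r}/roles/vet")["id"], "required": True}]})
    for name, res, pol in (("Default Resource Permission", default_res, group_policy),
                           ("Vets Resource Permission", vets_res, role_policy)):
        kc.post(f"{authz}/permission/resource",
                {"name": name, "resources": [res], "policies": [pol]})
    return kc.get(f"{r}/clients/{cid}/client-secret")["value"]

if __name__ == "__main__":
    base = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")
    kc = Admin(base, admin_token(base, os.environ["KEYCLOAK_ADMIN"],
                                 os.environ["KEYCLOAK_ADMIN_PASSWORD"]))
    secret = provision(kc, os.environ["DEMO_USER_PASSWORD"],
                       os.environ.get("APP_URL", "http://localhost:8081"))
    print(f"export KEYCLOAK_CLIENT_SECRET={secret}")
```

The script prints the export line needed by the application configuration below, which is the same value the Credentials tab of the client shows in the console; treat the output as a credential.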

Let’s configure the application side.

  • Open a browser window and log in to the Red Hat build of Keycloak administration web console. Browse to our quarkus-petclinic client and click the Credentials tab. Write down the Secret value, we will need it soon. Treat it as a credential: it must not end up in source control.

  • Export the client secret in the shell that will run the application:

export KEYCLOAK_CLIENT_SECRET=<the secret>
  • Add the following dependencies to the pom.xml file:

    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-oidc</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-keycloak-authorization</artifactId>
    </dependency>
  • Add the following configuration to the application.properties file of the application:

quarkus.oidc.auth-server-url=http://${KEYCLOAK_HOST:localhost:8080}/realms/demo
quarkus.oidc.client-id=quarkus-petclinic
quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET:secret}
quarkus.oidc.tls.verification=none
quarkus.oidc.roles.source=accesstoken

quarkus.oidc.application-type=web-app
quarkus.oidc.webapp.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc.webapp.client-id=${quarkus.oidc.client-id}
quarkus.oidc.webapp.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc.webapp.roles.source=${quarkus.oidc.roles.source}

quarkus.keycloak.policy-enforcer.enable=true

    Two of these settings are for local development only. quarkus.oidc.tls.verification=none disables certificate verification on the connection to the Red Hat build of Keycloak server; drop it once the server is reached over HTTPS with a trusted certificate. The ${KEYCLOAK_CLIENT_SECRET:secret} expression falls back to the literal value secret when the variable is unset, so a deployment that forgets to export it only fails later, at the authorization code exchange; remove the default outside development.
  • Redeploy and test the application accesses:

    • Open a new incognito browser session.

    • Browse to the context root of the Quarkus Petclinic application. The request will be redirected to the Red Hat build of Keycloak login page. This confirms that anonymous access to the application is not allowed.

    • Log in as elisabeth. The request will be redirected to the application after a successful login.

    • Browse through the application, try to access the VETERINARIANS section. The access should be denied, as elisabeth has the assistant role and the access is restricted to the vet role. An error will be shown on the application page.

    • Close the browser and open a new incognito session.

    • Visit the context root of the application again.

    • Log in as angel.

    • Browse through the application, try to access the VETERINARIANS section. The access should be granted, as angel has the vet role.
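The browser walk-through above can also be repeated from the command line by asking the Red Hat build of Keycloak token endpoint directly for a permit/deny decision on each resource. The following is an added example written for this page, not code from the tutorial, from Quarkus or from Keycloak. It obtains a user token with the resource-owner password grant, which requires Direct access grants to be enabled on the quarkus-petclinic client (the tutorial does not enable it; that is assumed here as a test-only convenience and should be switched off again afterwards), and then sends the UMA ticket grant with response_mode=decision. Assumed environment: KEYCLOAK_URL (default http://localhost:8080), KEYCLOAK_CLIENT_SECRET as exported above, and the user's password in USER_PASSWORD; the resource names are the ones created in the Authorization tab.

```python
"""Ask Keycloak for an authorization decision on behalf of a user, without a browser.
Added example; not code from the tutorial, Quarkus or Keycloak. Assumes Direct
access grants enabled on the client (test-only), KEYCLOAK_URL (default
http://localhost:8080), KEYCLOAK_CLIENT_SECRET and USER_PASSWORD in the environment."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

CLIENT_ID = "quarkus-petclinic"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def token_endpoint(base):
    return f"{base}/realms/demo/protocol/openid-connect/token"

def decision_request(resource):
    """Form fields asking for a plain permit/deny on one resource (name or id;
    append '#scope' to restrict the check to a single scope)."""
    return {"grant_type": UMA_GRANT, "audience": CLIENT_ID,
            "permission": resource, "response_mode": "decision"}

def parse_decision(status, body):
    """A permit is 200 with {"result": true}; a deny is 403 carrying
    {"error": "access_denied", "error_description": "not_authorized"}."""
    if status == 200:
        return json.loads(body).get("result") is True
    if status == 403:
        return False
    raise RuntimeError(f"unexpected token endpoint response {status}: {body[:200]}")

def post_form(url, fields, headers=None):
    """POST application/x-www-form-urlencoded; return (status, body) for any status."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def user_token(base, username, password, client_secret):
    """Resource-owner password grant against the confidential client."""
    status, body = post_form(token_endpoint(base), {
        "grant_type": "password", "client_id": CLIENT_ID,
        "client_secret": client_secret, "username": username, "password": password})
    if status != 200:
        raise RuntimeError(f"login failed for {username}: {body[:200]}")
    return json.loads(body)["access_token"]

def can_access(base, access_token, resource):
    """True if the policies of the client permit this user on the given resource."""
    status, body = post_form(token_endpoint(base), decision_request(resource),
                             {"Authorization": f"Bearer {access_token}"})
    return parse_decision(status, body)

if __name__ == "__main__":
    username = sys.argv[1] if len(sys.argv) > 1 else "elisabeth"
    base = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")
    token = user_token(base, username, os.environ["USER_PASSWORD"],
                       os.environ["KEYCLOAK_CLIENT_SECRET"])
    for resource in ("Default Resource", "Vets Resource"):
        verdict = "PERMIT" if can_access(base, token, resource) else "DENY"
        print(f"{username:10s} {resource:18s} {verdict}")
```

With the configuration from this section, running it for elisabeth should give PERMIT for Default Resource and DENY for Vets Resource, and running it for angel should give PERMIT for both. This exercises the resources, policies and permissions on the server independently of the application; it does not test the browser login flow or the policy enforcer in the Quarkus application itself.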

A complete, working OIDC-secured Quarkus Petclinic application is available on the rhbk-oidc-22 branch.