Securing a Spring Boot Application with Keycloak

Last Update: 3 March 2019

In this article, we’re going to secure a Spring Boot application using Keycloak.


Before doing that, let’s briefly recall what we have done so far.

First, we talked about the main features of Keycloak used in this series and learned how to install and boot the Keycloak server.

Then, we applied some basic configuration to Keycloak so that it can be used to secure a web application (providing it with authentication and authorization).

In this article, we’re going to learn how to:

    1. Create a client in Keycloak;
    2. Set up the Spring Boot application;
    3. Define the application resources;
    4. Add access policies based on user roles.

You can check out the full source code of the demo project we’re going to build on GitHub.

Let’s get started!

Keycloak Basic Configuration for Authentication and Authorization

Last Update: 20 January 2019

In the previous article, we got to know Keycloak, an open source project for identity and access management developed by the RedHat Community. We went through how to install it, boot it and access the Keycloak Admin Console for the first time.

Continuing from where we left off, in this new article I’d like to talk about how to configure Keycloak so that we can later use it to manage authentication and authorization for web applications and services. We’ll learn how to create a new realm, define roles and add users.

Throughout this series, we’re going to see more features and details of Keycloak, but I suggest you check the helpful and detailed official documentation whenever you have doubts or want to know more.

1. Access Control, Authentication and Authorization

Managing authentication and authorization is an essential task in every well-designed web application or service. Keycloak makes it very easy and practical, letting us focus on the application’s business logic rather than on the implementation of security features.

Before going on, it is worth briefly recalling the definitions of some fundamental security properties (from the NIST glossary):

  • Access Control: “The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances)”.
  • Authentication: “Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system”.
  • Authorization: “Access privileges granted to a user, program, or process or the act of granting those privileges”.

A common mistake is to treat authorization and access control as synonyms, when the latter is actually a part of the former. If you are interested in exploring this difference, there’s an interesting article by ICANN about it.

Introducing Keycloak for Identity and Access Management

Last Update: 20 January 2019

Lately, I’ve been working with Keycloak, so I decided to better delve into it and write about it.

This article is the first of a series in which I’d like to introduce Keycloak as a solution for managing authentication and authorization, explain how to install it, and go through its fundamental concepts and configurations.

Then I’d like to explain how to use it to secure Spring Boot, Spring Security and AngularJS applications and services, analyse the implementation when a relational database is used to store users, and finally how to manage users from Java thanks to the Admin REST API.

Figure: a preview of the Keycloak official website (Keycloak – Open Source Identity and Access Management).

1. What is Keycloak?

Keycloak is an open source project developed and maintained by the RedHat Community.

“Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.”

It offers a broad set of features, such as SSO, authentication and authorization, social login, multi-factor authentication and centralised user management. I suggest you check the official documentation for all the details.

Throughout this series we’ll make use of the following features:

  • Admin Console to configure the Keycloak server and create realms, roles, users and clients;
  • Single Sign-On (SSO) using the OpenID Connect (OIDC) authentication and authorization protocol;
  • Client Adapters to integrate Spring Boot, Spring Security and AngularJS with Keycloak;
  • Admin REST API for user management.
