Creating a Java OAuth2.0 Authorization Server with Keycloak

TL;DR

  • Purpose: Java authorization server:
    • OAuth2.0 authorization code protocol with small-scale permissions (not just a single sign-on server)
    • User Management and Authentication: User Database
    • Customer Management and Authentication: Keycloak
  • Questions: What are the best practices for implementing a Java authorization server with additive permissions supported by Keycloak?
    • Which Keycloak adapter / API should I use in my development?
    • How should users manage / appear in Keycloak, if at all?

Preamble

I am new to Keycloak and although I think I understand the basic principles, it seems to be a rich tool and I am afraid that I may still be mistaken in some aspects of the best ways to use it. Please feel free to correct me.

Context

We are considering introducing an API that requires our users (hereinafter "users") to grant permissions to third-party applications (hereinafter "clients").

Our users are stored in a database-based user management system. For our clients, we are thinking of using Keycloak.

User consent will be granted using the OAuth2.0 Authorization Code Grant flow. They will log in, indicate which permissions they grant and which they deny, and then the client retrieves the access token that it will use to access the API.

I understand that Keycloak can process the authorization token, but it should not know anything applicative like our permissions. As a result, I thought about creating a custom authorization server that will use Keycloak for all identification / authentication problems, but it will handle the applicative permissions.

Then we will use Keycloak to authenticate the client and authorize the access / access code, and the applicative part checks the permissions.

Problem

In addition to my first experiments, I surfed the Internet for a week, and I am surprised, because I thought it would be a very standard case. However, I found nothing, so maybe I'm not looking for it the right way.

I found a lot of Spring / Spring Boot tutorials [1] on how to create a "simple authorization server". These are mainly SSO servers, and few manage permissions, with the exception of those mentioned in this SO answer [2]. I think we can handle it.

The real problem that I encountered, and that none of the tutorials I found handles, is the following:

How to integrate Keycloak on this authorization server?

I looked at the available Java adapters. They look fine when it comes to authentication, but I have not seen any hints on how to manage clients from a custom authorization server (i.e. administer a realm).

I therefore assume that I should use the admin API. Is that right, and is it good practice? I have not seen an adapter for this, so I suppose I should use the REST API.

I also wonder how we should integrate our users into the design. Should they be duplicated inside Keycloak? In that case, should I use the Keycloak admin API to push data from the authorization server, or is there a better way?

Finally, did I miss another obvious point?

Sorry for the long post and many questions, but it all comes down to one question at the end:

What are the best practices when creating an authorization server using Keycloak as a backbone?


1. Some examples: Spring OAuth2 Download Tutorial - Blog Post - Another Blog Post

2. I mainly focus on the sample application provided by Spring Security OAuth
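As an added example (not code from the question or from Keycloak's documentation), this is how a custom authorization server can register a third-party client in a dedicated realm through the Keycloak Admin REST API using the official `keycloak-admin-client` Java library, instead of hand-rolling REST calls. The server URL, realm names, admin account and redirect URI are assumed placeholders; the settings chosen keep the client confidential and restricted to the authorization code flow.

```java
import java.util.Collections;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;

public class ClientRegistrar {

    // Placeholders: adjust to the real Keycloak deployment (assumed values).
    private static final String KEYCLOAK_URL = "https://keycloak.example.com/auth";
    private static final String ADMIN_REALM = "master";
    private static final String CLIENTS_REALM = "third-party-clients";

    private final RealmResource realm;

    public ClientRegistrar(String adminUser, String adminPassword) {
        // Authenticate against the admin realm with the built-in admin-cli client.
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl(KEYCLOAK_URL)
                .realm(ADMIN_REALM)
                .clientId("admin-cli")
                .username(adminUser)
                .password(adminPassword)
                .build();
        // Third-party clients live in their own realm, separate from admin accounts.
        this.realm = kc.realm(CLIENTS_REALM);
    }

    // Registers a confidential client and returns the secret Keycloak generated for it.
    public String registerClient(String clientId, String redirectUri) {
        ClientRepresentation client = new ClientRepresentation();
        client.setClientId(clientId);
        client.setProtocol("openid-connect");
        client.setPublicClient(false);               // confidential: requires a client secret
        client.setStandardFlowEnabled(true);         // authorization code grant only
        client.setImplicitFlowEnabled(false);        // no implicit grant
        client.setDirectAccessGrantsEnabled(false);  // no password grant from third parties
        client.setServiceAccountsEnabled(false);     // no client_credentials unless needed
        client.setRedirectUris(Collections.singletonList(redirectUri)); // exact URI, no wildcard

        try (Response response = realm.clients().create(client)) {
            // Keycloak returns 201 with a Location header; extract the internal id from it.
            String internalId = CreatedResponseUtil.getCreatedId(response);
            return realm.clients().get(internalId).getSecret().getValue();
        }
    }
}
```

The returned secret is shown to the third party once at onboarding; the application-level permissions the question describes stay in the custom authorization server, not in Keycloak.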

Tags: java, keycloak

1 answer

Creating a Java OAuth2.0 Authorization Server with Keycloak

It is possible, but a little complicated, and there are many things that need to be configured.

You can get some inspiration from the repo keycloak-delegate-authn-consent.

Creating a custom Java OAuth2.0 authorization server with MITREid

If you are open to using other OAuth and OIDC implementations, I can suggest MITREid, which is the OIDC reference implementation and is highly configurable. Below is a link to its repo; it is open source.

I myself used it for a requirement similar to yours, and it is very customizable and easy to implement.

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server

MITREid Connect uses Spring Security for its authentication, so you can put any component that you like into this space. There are many good resources on the Internet on how to write and configure Spring Security Filters for custom authentication mechanisms.

You need to look at the user-context.xml file, where the user authentication is defined. In the main project, this is a simple username / password check against the local database. In other cases, such as the LDAP overlay project, it connects to an LDAP server. On some systems, such as the MIT "oidc.mit.edu" server, there are actually several different authentication mechanisms that can be used in parallel: LDAP, Kerberos, and certificates in this case.

Note that in all cases, you still need access to the UserInfo data store. This can be obtained from the database, from LDAP or from something else, but it should be available for each registered user.

The MITREid Connect server can function as an OpenID Connect identity provider (IdP) and an OAuth 2.0 authorization server (AS) at the same time. The server is a Spring application, and its configuration files are located in openid-connect-server-webapp/src/main/webapp/WEB-INF/ and end in .xml. The configuration has been split into several XML files to facilitate overrides and customization.

