How to Secure Your Spring Boot Application with Azure AD and Keycloak

Captions
Welcome to our channel. In this video we will show you how to secure your Spring Boot application using Azure AD and Keycloak. Today we have an exciting tutorial for you where we will walk you through the step-by-step process of securing your Spring Boot apps. We will guide you in setting up Azure AD, a powerful authentication and authorization service provided by Microsoft. We will cover everything from setting up an Azure AD tenant to registering your application and obtaining the necessary credentials. Next we will dive into getting Postman. Postman is a popular API development and testing tool; Postman will help us simulate requests and test our security implementation. Finally we will jump into implementing the security measures in our Spring Boot application. We will demonstrate how to integrate Azure AD and Keycloak, an open source identity and access management solution. By the end of this video you will have a comprehensive understanding of securing your Spring Boot app using Azure AD and Keycloak, allowing you to protect your application and data from unauthorized access. So if you are ready to enhance the security of your Spring Boot application, make sure to subscribe to our channel and let's get started.

So open your favorite web browser. In here I open the Chrome browser, and in the search tab I search portal.azure.com and then press enter, so it will navigate to this page. We have to log in using a Microsoft account. I previously created a Microsoft account and I will log in using this account; if you don't have a Microsoft account please create one and after that follow this step. I click in here, and I previously activated two-step verification in my Microsoft account, so then it will navigate to this home page. In here you can see there is a search bar, so we have to search for Active Directory. You can see Azure Active Directory; click this icon. After that you can see there is an icon named App registrations, please click on this. There is also one application in here, I previously created one, so we have to create a new application in here. For that you can see there is a button New registration, click on it, and we have to give a name for our application. I will give the name as demo app, and after that we have to select the first option, this directory only, single tenant. After that you can see in here the redirect URI platform, I select Web, and we have to give a redirect URI in here. Actually I will give a sample URL; after that we will give the actual and correct URL. For testing purposes I will give a simple URL in here and press the Register button, so then it will create our demo app.

After that we have to set up Keycloak. If you already downloaded and set up Keycloak, skip this step. If not, open a new tab and type keycloak download, and we have to go to this website, www.keycloak.org/downloads. You can see the latest version of Keycloak is 21.1.1, so I will click this icon. You can see there is a name called zip, I will click on it and then the zip file will download. After downloading the file I go to the Downloads folder; this is the Downloads folder and we have to extract this file, so I click in here. This is the extracted Keycloak folder, so you can move this folder to any preferred position, but I will keep it in the Downloads folder. Open the Keycloak folder and there is a folder named bin, and after that we have to open a command prompt in this location. For that I click the path and type cmd and press enter, so in the Windows operating system the command prompt will open. You can see the path name is keycloak and the version and slash bin. Then we have to type kc.bat start-dev and press enter, so you can see the Keycloak server is starting. You can see in here this server runs on port 8080. Then go to the web browser, open a new tab, type localhost:8080 and press enter, so then it will navigate to this Keycloak administration console page. First we have to create an admin account. I will give the name as admin and a password and then press the Create button, so you can see the user is created. After that click the Administration Console icon, then we have to give our username and password. This is the Keycloak home page.

First we have to create a realm. In here you can see there is a default realm named master; I click on it and press Create realm, and I will give the name as demo and press the Create button. You can see there is a message, realm created successfully. After that we have to create a new client. For that click the Clients tab, and there is a button named Create client; press the Create client button and we have to give a client ID. I will give the client ID as azure client, then press next, and turn on client authentication and authorization, and click implicit flow here and here, and press the next button and save. You can see the message client created successfully. Once again click the Clients tab, so you can see our client in the list, the azure client. Then we have to go to the Identity providers tab. In this tutorial I will use Azure AD as the identity provider, so click OpenID Connect v1.0. Then we have to give an alias; the default is oidc, I will change this to azuread. Here you can see the discovery endpoint, so then we have to open the Azure portal. This is the application we previously created; in here you can see the icon Endpoints, I will click on this icon. You can see the URL for the OpenID Connect metadata document, I will copy this URL, I press this icon and paste it in here, after that click in the background. You can see there is a tick mark. After that you can see the metadata, I will click on it, and you can see the authorization URL, token URL, logout URL, user info URL and issuer are automatically added when we add this URL; all the URLs are automatically added by Keycloak. Then we have to set up the client ID. Open the Azure portal; I close this, the application we already created, and you can see the Application (client) ID, I copy this ID and paste it in here. After that we have to add the client secret. For that open the portal and in here on the left side you can see the icon named Certificates & secrets, I click on it, and there is an icon New client secret, click on it, and we have to give a name. You can give any preferred name in here; I will give the name as secret key. Then you can set the expiry time, so in here I will select 180 days and click add. You can see this is the value; keep in mind to copy this value and keep it safe, because after that this value will be hidden and cannot be read. So for that the first time we have to copy this value and we must keep it safe; it is the secret key. Click the Add button, and then I will turn on trust email and save. Once again click the Identity providers tab, so you can see it in here. Click in here, you can see the redirect URI; I copy this URI and open the portal, go to the overview of the application we previously created, and here you can see Redirect URIs, click on here. You can see we previously had a sample URL; I will delete it and press Add URI and paste in here, and after that press the Save button.

After that we have to add some users for testing. Then I click Home and once again click Azure Active Directory. In here you can see the Users icon, I click on it. You can see in my directory there are two users already existing; this is the default one and this one I previously added. If you want to add users, for that you can see this icon New user, please click on it; then you can see Create new user, click on it. Then give a user principal name and display name, and this is the auto-generated password. You can use any suitable password in here, but I will use this auto-generated password, and I copy this password and paste it in Notepad and click Review and create. You can see the email, I copy this email and save it in Notepad and then press Create. Then click reload, so you can see John is added to Azure AD.

After that we have to download Postman and install it, and we have to set up Postman, then we can test the API. For that first we have to download Postman; you can download it from postman.com/downloads. On this website, according to your operating system, you can download Postman, and you can trust it because it is a very famous API testing tool. I already downloaded and installed it. I open the Collections tab and I will create a new collection. For that click New, then Collection, I will give the name as AD demo and press enter. In the collection click Add request, I will give the name as authorization and press enter, and then select the Authorization tab and select the type OAuth 2.0. You can see in here the token type is access token, add to header, and the grant type is authorization code, and this is the callback URL; the callback URL is an https URL. In here I will explain more about the callback URL. I put the cursor on this icon, so you can see there is a message. The message says: this is the callback URL that you will be redirected to after your application is authorized. Postman uses this to extract the authorization code to get the access token. The callback URL should match the one you used during the application registration process. In this tutorial I do not implement the front-end part; instead of a front end I use Postman. If you implement the front-end part, then you have to set the callback URL according to your application, so after the authentication process is complete, the application redirects to this callback URL. Then we have to fill these fields also, the auth URL, the token URL and the others. For that I go to Keycloak and I click the Realm settings tab. In here you can see there are two links, I click the first one, OpenID Endpoint Configuration. I click on it, so you can see there are a lot of URLs and all the info in JSON. In here in the Chrome browser I use an extension called JSON Formatter; this extension arranges all the data in a proper manner. If you do not install this type of extension it will be difficult to read the data; you can see if you do not install this type of extension the data will look like this. In here you can see there are many URLs. I want this authorization endpoint URL, so I copy this URL and go to Postman and paste it in here. Another one is the access token URL; you can see the name token endpoint, I copy this link also and paste it in here. Another one is the client ID. I go to Keycloak and then go to the Clients section and you can see we created the client named azure client; I click on it, so you can see the client ID is azure client. The other one is the client secret. I open Keycloak, in the Clients tab, in the azure client we previously created, there is a tab called Credentials, I click on it; below you can see Client secret, I copy this one using this icon, I click on it and paste it in here. I save this data, so the Postman configuration is done.

Then we can test our API. For that click this orange color button, so you can see it says error; the error said invalid parameter redirect URI. So I close this window and I go to our Keycloak and go to the Clients tab and go to our azure client we previously created. In here below you can see Valid redirect URIs, so I change this URI, I remove the slash and save. Once again go to Postman, I click on this button, so you can see there is a new window. In here you can see there is a new button; the button name is azuread. I open Keycloak, go to Identity providers, so you can see we previously set up a provider and we gave the name as azuread, so this name can be seen on this button. I click this button, so then a new window will open, so we can sign in using an account; the account must be in our Azure AD. Previously I added one account to our Azure AD. I open the Azure portal; go to Home and once again I open Azure Active Directory, and here you can see this icon named Users, I click on it, so you can see three users in Azure AD. This is the default one; I added these two users. In this demo I use this account for testing. Previously I saved the account email and password in Notepad, so I use these credentials for login. Once again I open the Keycloak window; this is the window we previously opened, so we have to give our email address and click Next, and then we have to give the password, then click the Sign in button. You can see when logging in for the first time it asks to change the password, so I will change the password: the current password and the new one, click Next. In here Microsoft asks to verify your account. As I previously mentioned, I installed the Microsoft Authenticator mobile application on my mobile phone, so you also have to install the Microsoft Authenticator mobile application on your mobile phone, then you can verify your account. Using the Microsoft Authenticator mobile application I verify my account, then I click Accept. In here, after login succeeds the first time using a new account, Keycloak asks for some details from the user; actually these details must be given the first time only. So we can give username, email, first name and last name. I will copy the email and paste it in here, I give the username as John Mark and click Submit. You can see Postman will open a new window; in the window you can see there are a lot of details. You can see the access token and token type, expires in, refresh expires in, refresh token and ID token, and a lot of details you can see. In our tutorial I will use the access token for securing our API; I will teach you that later. I click the Use Token button, so then in here you can see this is the access token generated by Postman. You can see we selected access token; if we select ID token then the ID token will be saved in this field. We want the access token, so select access token, then the access token will be saved in this field. You can see in here the expiry time is also indicated. If we click the refresh button, then you can see the expiry time will update. So login is a success. Go to Keycloak and go to the Users tab, so you can see the account we previously logged in with: the username John, this email and the last name in here.

Once again I go to Postman, I click this Get New Access Token button, so you can see in here the access token and refresh token. You can see the previous token expires in 1800 seconds, so we can add another API for using the refresh token; we can get a new access token. For that I close this window and I add a new request. I will give the name as get access token, and this is a POST method, and the URL: I go to Keycloak, go to Realm settings, open this URL, so you can see the token endpoint, I copy this URL and paste it in here, and click the Body tab and select this one. Then we give the grant_type, and the type is refresh_token, and the other one is client_id; then we have to give the client ID, the client ID is this, I copy this one and paste it in here. The other one is refresh_token, and another one is client_secret; the client secret is this one, I copy this and paste it in here. Then we have to give the refresh token in here, then we can get a new access token. I save this. I go to the authorization request, once again I click this orange color button, I copy this refresh token and go to this tab and paste it in here, and then click the Send button, so you can see we can get a new access token. I copy this access token, I open the web browser and go to the jwt.io website, in here I delete this and paste our access token, so you can see a lot of details in the access token. You can see the email also here, the name and other details.

The last API is the logout API. I add a new request, I will give the name as logout, and this is also a POST method. I open Keycloak and go to this URL, and in here you can see the end session endpoint; I copy this link and paste it in here. I click the Body tab and select this also, and this is the client_id, the client ID is azure client, I paste it in here, and also another one is refresh_token, another one is client_secret. I copy this client secret and paste it in here, and also we pass the refresh token. I go to the authorization tab, I click this button, I copy this refresh token and paste it in here, then I click the Send button, so you can see our status code is 204, so our API is working successfully. Once again I copy this refresh token and go to the get access token API, I delete this previous refresh token, then I paste the new refresh token and I click the Send button, so you can see invalid grant and the status code is 400, because we previously used this logout API, so we cannot use this refresh token. When we call the logout API, Keycloak verifies the validity of the provided refresh token, and the user session associated with the refresh token is terminated and the session state is invalidated. The refresh token is marked as invalid or revoked, preventing its further usage for obtaining new access tokens, and also any access tokens issued using that refresh token become invalid and cannot be used for authentication or authorization. The client application must re-authenticate to obtain a new set of tokens to continue accessing protected resources. In here also you can see the error description is session not active.

Our next step is to implement the Spring Boot application, and we will explore two different approaches to integrate Keycloak with a Spring Boot application. We will walk you through the steps and explain the difference between using the spring-boot-starter-oauth2-resource-server dependency and the keycloak-spring-boot-starter dependency.

Let's start with the first approach, to implement Keycloak with a Spring Boot application using the spring-boot-starter-oauth2-resource-server dependency. You need to follow these steps. First open the web browser and search spring initializr, go to the Spring Initializr website. In here I select Maven and I select the latest Spring Boot version, and I will give the name as spring boot demo, and I use Java 17, and also we have to add some dependencies. For that I click this button and search web and click Spring Web, and Spring Security, and another one is OAuth2 Resource Server; you can see OAuth2 Resource Server. Then click the Generate button, you can see the zip file is downloaded. Open the downloaded file, the file we have downloaded; I extract the file and I copy this folder to the desktop, this is the project we have downloaded. In this tutorial I use IntelliJ IDEA; you can use any preferred one, but I open this project using IntelliJ IDEA. This is the project we have downloaded; you can see there is a file named pom.xml, click on it and press OK. Then go to the src folder, then main, you can see java and resources. I open resources and you can see there is a file named application.properties. I change this file name to application.yml and click refactor. Open this application.yml file and type server; I change the default to 8081 because the Spring Boot application by default runs on port 8080; I change this to 8081 because the Keycloak server also runs on port 8080. Then spring security oauth2 resourceserver jwt issuer-uri, and another one is jwk-set-uri, so we have to set the issuer URI and the JWK set URI. For that open the Keycloak configuration, you can see the issuer URI, I copy this issuer URI and paste it in here. Another one is the JWK set URI; open the configuration file, you can see jwks_uri, I copy this one and paste it in here. So our configuration is done. Then I right-click on it and go to New and pick Package; I will create a package called config and press enter, and another package called controller and press enter. Inside the config package I will create another class named SecurityConfig and press enter, and I will add the @Configuration annotation, and then I will add a @Bean annotation and a SecurityFilterChain built from HttpSecurity, and we have to add the JwtAuthenticationConverter and set it as the JWT authentication converter; if you want you can customize this converter also. Then I create another class in controller and press enter, add the @RestController annotation and @RequestMapping, and I define the path, and in here I will implement a simple endpoint for testing our application; the return type is String, I return a simple message. So the implementation is done, so we can run our application. You can see our application is running on port 8081 and there are no errors. I open Postman, the folder we previously created, I will add another request, I will give the name as test API and it is a GET method; you can see in our application we use @GetMapping and also this is the URL we want. I copy this path and open Postman; the application is running on port 8081 and I paste the endpoint path, so you can see this is the endpoint. I will save this and go to the Authorization tab, it is No Auth, I will hit the endpoint, so you can see the status code is 401; this is an unauthorized request because our endpoint is secured. Once again I go to the authorization API. I mean, in Postman, Postman saved the cookies; we previously entered our credentials for logging in to the Microsoft account, so all the credentials are saved in Postman. You can see there is a button called Clear cookies; if we click this button the cookies will be removed and you have to enter the credentials once again. I do not click this button because I want to keep our cookies for whatever purpose. I click this Get New Access Token button, I click azuread, so you can see we do not need to input the above credentials because the credentials were already entered previously and the cookies stored in Postman keep the credentials. I copy this access token, you can see copy this one, and also you can see the use token type; you can see select access token, and if you press this drop-down button you can see ID token and access token. You can also copy this access token in here also. Go to test API and click this type and click Bearer Token, and I remove this one and paste our new access token and press the Send button. Also you can see there is a mistake, I delete this one, so you can see the message Hello from Spring Boot, so you can see our API can be accessed. Once again I change this type to No Auth, then it will get 401 unauthorized, so you can see our API is secured.

I previously mentioned there are two ways to implement a Spring Boot application with Keycloak. The first method is done, so I will go to the second method. I close navigation and once again I go to Spring Initializr, select Maven, and in this configuration you have to use Spring Boot 2.7.12. If you follow the second method you have to use Spring Boot 2.7.12 or a below version, because this implementation is still not updated for the latest Spring Boot version; you have to use an old version of Spring Boot. Keep in mind you have to select this version or a below version. I change the application name to spring boot demo 2, and there is no need for this OAuth2 Resource Server dependency, remove it; these dependencies are required. I click the Generate button and open the file and extract this file. This is the project; I open this project using IntelliJ IDEA once again. With the project we have downloaded, click the pom.xml file and press the OK button, and open the file and go to src and main, and I open the resources folder, and I change this application.properties file, change the file type to yml and press the refresh button, and I define the port in the application.yml file, port 8081. Then we have to add the Keycloak configuration. I open the pom.xml file, so we have to add some dependencies in here also. For that I open the web browser and search keycloak spring boot adapter and press enter; I go to this website, you can see the URL keycloak.org/docs/latest/securing_apps. In here go to Using OpenID Connect to secure your applications and services, and go to Java adapters, and go to Spring Boot adapter. We have to add this dependency and this one; first I copy this one and paste it in here, and also you have to copy this one also, this dependency management configuration, and open the project and paste it in here. After that you can see there is an icon Load Maven changes, or you can click this icon; now go to the pom.xml file and right-click and go to Maven and click Reload project; you can use either way. Once again I open application.yml and I will add the Keycloak configuration in here: first the auth server URL, and one is resource, another one is public client and the last one is bearer only. Public client is true and bearer only is also set as true, and then we have to add the realm; our realm is demo, you can see our realm is demo. Another one is the auth server URL; open the configuration of Keycloak, I copy this one and paste it in here, so this is the auth server URL. And resource: the resource you can see is the client, the client is azure client, you can see the client ID is azure client, I copy this and the resource is the client ID. So the configuration is done. Once again I click this package, I will add some packages here: the first one is config and the second one is controller. In the config package I will create another class, SecurityConfig, and press enter. Once again I open the documentation we previously opened, go below to the Spring Security adapter section; you can see there is a title called Java configuration, so we can use these code lines. I copy all this code and open the application and paste it in here. After that you have to import some classes, and also we have to add another annotation, @KeycloakConfiguration, and the class extends KeycloakWebSecurityConfigurerAdapter. I will change this code, I will remove this one, I will disable CSRF, and then requests must be authenticated, and session management, I will add session creation policy as stateless. The configuration is done, so we can add another class named DemoController and press enter, add the annotations @RestController and @RequestMapping, I will define the path api/v1/demo, and I will add the endpoint for testing our APIs, for testing our application. I will add the @GetMapping annotation, public, and here I will return a simple message. Then we can run our application, so you can see our application is running on port 8081, there are no errors. Once again I open Postman, so this is the endpoint we have to test. I click the Send button, so you can see the status code is 401 because we do not pass our access token as a header. Once again I click Bearer Token and go to the authorization API, click Get New Access Token, copy the access token, once again go to our API and I will remove this old one and paste the new one and press the Send button, so you can see Hello Spring Boot and Keycloak, so our API can be accessed using this token. Once again I change to No Auth and then you can see the status code is 401 unauthorized.

We have come to the end of today's video on securing your Spring Boot application with Azure AD and Keycloak. We hope you found this tutorial helpful and informative. Before we go, make sure to like this video if you found it useful, then subscribe to our channel for more tutorials on Spring Boot. Also don't forget to hit that notification bell so you never miss an update. If you have any queries or need further assistance, please feel free to leave a comment down below; we will do our best to help you out. Thank you so much for watching and we will see you in the next video episode.
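The first approach from the video (spring-boot-starter-oauth2-resource-server), written out as an added example rather than the video's own code. It assumes Spring Boot 3 / Spring Security 6, Keycloak on localhost:8080 with the realm "demo", the package name com.example.demo, the endpoint path /api/v1/demo/hello, and that the controller and config live in the two files named in the comments.

```java
// file: src/main/resources/application.yml (assumed values, matching the video's setup)
//   server:
//     port: 8081
//   spring:
//     security:
//       oauth2:
//         resourceserver:
//           jwt:
//             issuer-uri: http://localhost:8080/realms/demo
//             jwk-set-uri: http://localhost:8080/realms/demo/protocol/openid-connect/certs

// file: src/main/java/com/example/demo/config/SecurityConfig.java
package com.example.demo.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: no session cookie, so CSRF protection adds nothing here
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Every request must carry a valid JWT; unauthenticated calls get 401
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Tokens are validated against the issuer-uri / jwk-set-uri from application.yml
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // The converter the video mentions you can customize: here it keeps the default
    // scope-to-SCOPE_ authority mapping and uses preferred_username as the principal name.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new JwtGrantedAuthoritiesConverter());
        converter.setPrincipalClaimName("preferred_username");
        return converter;
    }
}

// file: src/main/java/com/example/demo/controller/DemoController.java
package com.example.demo.controller;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/v1/demo")
public class DemoController {

    // Without a valid bearer token the filter chain answers 401 before this runs;
    // with one, the Jwt principal exposes the claims Keycloak put in the access token.
    @GetMapping("/hello")
    public String hello(@AuthenticationPrincipal Jwt jwt) {
        return "Hello from Spring Boot, " + jwt.getClaimAsString("preferred_username");
    }
}
```

Start Keycloak with kc.bat start-dev as in the video, run the application, and call GET http://localhost:8081/api/v1/demo/hello with and without an Authorization: Bearer header to reproduce the 200 / 401 behaviour shown in Postman.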
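The two Postman requests from the video (refresh-token grant, then logout) and the final failed refresh, as an added Java 11+ HttpClient example that is not the video's own code. It assumes Keycloak 21 on localhost:8080 with the realm "demo", the default openid-connect endpoint paths, a confidential client whose ID is "azure-client" (hypothetical spelling of the video's "azure client"), and that the client secret and a refresh token obtained via the Postman login are passed in the environment variables KC_CLIENT_SECRET and KC_REFRESH_TOKEN.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.stream.Collectors;

public class KeycloakTokenDemo {
    // Assumed: Keycloak 21 default realm endpoints (no /auth prefix).
    static final String BASE = "http://localhost:8080/realms/demo/protocol/openid-connect";
    static final HttpClient HTTP = HttpClient.newHttpClient();

    // POSTs an application/x-www-form-urlencoded body, the way Postman's Body tab does.
    static HttpResponse<String> postForm(String path, Map<String, String> form) throws Exception {
        String body = form.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
        HttpRequest req = HttpRequest.newBuilder(URI.create(BASE + path))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
        return HTTP.send(req, HttpResponse.BodyHandlers.ofString());
    }

    // "get access token" request from the video: grant_type=refresh_token against the token endpoint.
    static HttpResponse<String> refresh(String clientId, String secret, String refreshToken) throws Exception {
        return postForm("/token", Map.of(
            "grant_type", "refresh_token",
            "client_id", clientId,
            "client_secret", secret,
            "refresh_token", refreshToken));
    }

    // "logout" request from the video: end-session endpoint with the same client credentials.
    static HttpResponse<String> logout(String clientId, String secret, String refreshToken) throws Exception {
        return postForm("/logout", Map.of(
            "client_id", clientId,
            "client_secret", secret,
            "refresh_token", refreshToken));
    }

    public static void main(String[] args) throws Exception {
        String clientId = "azure-client";                       // assumed client ID
        String secret = System.getenv("KC_CLIENT_SECRET");      // from Keycloak > Clients > Credentials
        String rt = System.getenv("KC_REFRESH_TOKEN");          // from the Postman login window

        // While the session is active the refresh succeeds and a new token pair is returned.
        HttpResponse<String> first = refresh(clientId, secret, rt);
        System.out.println("refresh before logout: HTTP " + first.statusCode());

        // Logout terminates the user session; Keycloak answers with 204 and no body.
        HttpResponse<String> lo = logout(clientId, secret, rt);
        System.out.println("logout: HTTP " + lo.statusCode());

        // The same refresh token is now revoked: Keycloak rejects it with HTTP 400,
        // error "invalid_grant" and error_description "Session not active".
        HttpResponse<String> second = refresh(clientId, secret, rt);
        System.out.println("refresh after logout: HTTP " + second.statusCode());
        System.out.println(second.body());
    }
}
```

Running it after a Postman login reproduces the 204 followed by the 400 invalid_grant that the video shows, which is the check a resource server owner wants: a logged-out session cannot mint new access tokens.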
Info
Channel: lambdaCode
Views: 872
Keywords: springboot, azureAD, keycloak, postman, java, ApplicationSecurity, tutorial
Id: jEiXcMedHFs
Length: 60min 3sec (3603 seconds)
Published: Wed Jun 14 2023