Secure Your Spring Boot Microservices with Keycloak using OpenID and OAuth 2.0

Captions
Welcome to lambdaCode, where we bring you the best tutorials on software development. In this tutorial we will be showing you how to secure a Spring Boot application with Keycloak using OpenID. If you are new to Keycloak, it is an open source identity and access management tool that allows developers to secure their applications with ease. With Keycloak you can easily manage user authentication, authorization and user management. On the other hand, Spring Boot Security provides a robust framework to secure your Spring Boot application; it comes with several features out of the box, including OAuth2 support, which makes it easy to integrate with Keycloak. In this tutorial we will walk through the steps of setting up Keycloak, integrating it with your Spring Boot application and securing your API using OpenID. We will also use Postman for API testing so you can see how your API works after securing it with Keycloak. This tutorial is designed for beginners who are looking to learn how to secure a Spring Boot application with Keycloak. We will go through each step in detail so you can follow along with ease. So if you are ready to learn how to secure your Spring Boot application with Keycloak using OpenID, let's get started.

First we have to download Keycloak and set it up. So open your favorite browser and search "Keycloak download". You can see the first link, so you have to go to this link, which is www.keycloak.org, and click Download. You can see the latest is 21.0.2, so first you have to download this ZIP. Then the Keycloak file will be downloaded. After downloading the ZIP file you have to go to the Downloads folder; this is the file we have downloaded. Then extract the file. This is the extracted folder; go to the folder and go to bin. In here we have to open a command prompt in this location, so I click in the path, then type cmd and press Enter. You can see the command prompt will open in the bin directory. Then type `kc.bat start-dev` and press Enter, so you can see the Keycloak server started and it will run on port 8080; you can see it in here also.

Then open a new tab in the browser, type localhost:8080 and press Enter. Then you will go to this Administration Console page. You have to create a new admin account in here, so first we will give a name; I will give the name as admin, so you can give any preferred name, and press the Create button. Then you have to go to the administration console: press this button, then you have to give the admin name and password, then press Sign In. So this is the Keycloak home page, and this is the master realm. We have to create a new realm for the application: press this arrow and press the Create realm button. Then we have to give a name for the realm; I will give a name and press Create. Then the new realm will be created. Then we have to create a new client, so press the Clients tab and press Create client. I will give the client ID as my client and press Next, and here I will enable Client authentication, Authorization and Implicit flow, then Next and Save. So then my client is created.

After that we have to add new users and we have to add roles to our application. For that, first we add roles: go to the Realm roles tab and create a role. I will give the first role name as admin; this is the admin role. Save. Once again click the Realm roles tab; you can see the admin role is created. Then create the second role and press Save, then go to Realm roles; you can see the admin role and super admin role are added to our role section. After that go to the Users tab and press Add user. My first user is Roshan, and I will give an email address and press Create, so you can see one user is created. After that go to the Credentials tab and click Set password. I will give a simple password and I will turn off this Temporary option, click Save, and the password is saved. After that click Users; you can see one user is added. I will add another user named Kasun, Create, and go to the Credentials tab, Set password and Save. So you can see I have added two users. Then go to Roshan, go to Role mapping and click Assign role; you can see the role section in here. I will assign super admin to Roshan, so click super admin and Assign; you can see Roshan's role. Once again click the Users tab and go to Kasun, go to Role mapping, Assign role; I will assign admin, so you can see Kasun is admin. So the Keycloak-related configuration part is already done.

Then go to Realm settings. In here you can see OpenID Endpoint Configuration; when you click here you can see all the related endpoints are visible. Then we have to set up the Postman collection, so go to Postman and I will create a new collection. I click in here and give the name Spring Boot Keycloak, then click Add request. I will give it the name login; this is a POST request. Then press Body, click here, and you have to pass username, password, grant type, client ID and client secret. I will set up Postman as an easy way to test our APIs. The grant_type is password, then client_id and client_secret. After that we have to set the URL, so go to Keycloak, Realm settings, OpenID Endpoint Configuration; you can see the token endpoint URL here. I copy the URL and paste it. You can see the realm, spring boot app, is in the URL, so I will change this to the realm variable; and this is the Keycloak URL, the base URL, so I will change this to the URL Keycloak variable and Save.

After that you have to send username and password. We previously set two users, one is Roshan and one is Kasun, and we have to pass these credentials in here. Before that we have to add an environment, so go to the Environments tab, click in here, give the name Spring Boot Keycloak Demo and press Save. Previously we set different environment variables in here; you can see URL Keycloak, realm, client ID and client secret. We have to set up these values in the environment section. The first one is URL Keycloak, so first I copy this and go to the Spring Boot Keycloak Demo environment section and paste it here, same for realm, client ID and client secret. In here URL Keycloak means the base URL; you can see it runs on port 8080, so the base URL is localhost:8080. I copy the URL here, come to Keycloak and paste; this is the base URL. And realm: you can see the realm is spring boot app. I copy the realm name and paste it in here. The next ones are client ID and client secret; for that go to Keycloak, go to the Clients tab and go to my client. You can see the client ID is my client; copy it and paste it in here, and go to Credentials; you can see the client secret; copy and paste it in here. Then go to the login tab and we have to select our environment. You can see when you put the cursor in this location you can see the URL, the realm is spring boot app, the client ID also, and the client secret.

Then we have to check our first API. The username is Roshan and the password is 123, because when we added users to our Keycloak I added one user Roshan and another one Kasun; the username is Roshan and the password is 123. Then I can test this API: press the Send button, so you can see the API works successfully. We get the access token and refresh token and all the other information in here. Also, when the access token and refresh token are returned, in Postman there is a feature where we can set this access token and refresh token as environment variables. For that go to Tests and write `pm.environment.set`; I will give the name access_token, comma, `pm.response.json().access_token`. I copy this code and paste it and change this to refresh_token and refresh token. I save and copy the access token name and go to the environment section and add it here, and also we add the refresh token here, okay, Save. Go to the login tab and press the Send button; you can see in the environment section the access token and refresh token are saved in this location.

So in our application the first API is completed: we can send username and password, and after that we can generate the access token and refresh token. Our next API is the logout API. For that we have to add a request; I will give the name logout. It is also a POST request. Go to Body and edit these options: client_id, refresh_token and client_secret. Then we have to pass the URL for the logout: you can see there is an end session endpoint. I copy this URL and paste it in here; you can see this is the base URL, I will change it to the variable, and this is the realm, and Save. In the logout API we have to pass the header also: click the Authorization tab and click Bearer Token, and we have to pass the access token also. We can try this API: first go to the login tab, the login API, press Send; you can see the login is a success. Then go to the logout API; you can see there is a mistake: the URL Keycloak variable is a mistake. Go to the Environments tab, I copy the name, and there are more wrong ones also, so I copy this one also and paste it in here. You can see the status code is 204 No Content; it means our API is working.

Our next API is get access token using refresh token. You can see in the login API our refresh token expires in 1800 seconds; it means using the refresh token we can get a new access token within this period of time. For that we have to add another API; it is also a POST method and this URL is also the same as the login URL. I copy the URL and paste it in here and go to the Body tab, select x-www-form-urlencoded and give grant_type, which is refresh_token, another one is client_id, another one is refresh_token, and client_secret. In here we use the refresh token and we get an access token. I will save this. Then first go to the login API, then go to get access token and try this API; you can see our API is working. If you go to logout, I try this logout API, then you can see our refresh token is expired: when we call the logout API the refresh token will be expired. So I try once again the get access token API; you can see "Session not active" because our refresh token is expired, because we called the logout API.

Our next API is guest token. A guest token is a specific type of token that is used to allow anonymous access to certain protected resources. Guest tokens are useful in scenarios where you want to allow unauthorized access to some parts of your application while still requiring authentication for the other parts. When a user requests resources that require authentication but they are not currently authenticated, Keycloak will issue a guest token to the user. This guest token can then be used to access any resources that are marked as public or anonymous in your Keycloak configuration. Note that guest tokens have limited functionality and are intended only for use in specific scenarios; for example, they cannot be used to access resources that require specific user roles or permissions. If you need more fine-grained control over access to your resources, you should consider using other Keycloak features such as roles, permissions or client scopes. So I add this in here; it is also a POST method and the URL is the same as the login URL. I copy the URL and go to the Authorization section, select Basic Auth, and you have to give the client ID and client secret. Then go to the Body section, select x-www-form-urlencoded and type grant_type, and the value is client_credentials. After that go to the Tests section; I copy the code in here and paste it, because I already wrote this code previously. Now we can test our API; you can see the API is working perfectly and we can see the access token in here also. So we have already set up our Postman environment.

Then we have to implement a simple Spring Boot application and we can test the API using Postman. So let's go to the browser, open a new tab, search Spring Initializr and go to the Spring Initializr website. In this tutorial I will use Spring Boot 2.7.10 because this is the most stable version. I will give the group name as lambdacode, and in this tutorial I will use Java 17, and also I will select the build tool as Maven, and we have to add some necessary dependencies: the first one is Spring Web, another one is Spring Security. Then we have to generate the project: click the Generate button, then the project will be generated and downloaded. Then we have to open the downloaded file; this is the downloaded file, then we have to extract this folder. This is the extracted folder, then I will move this folder to my preferred place; I moved this folder to the desktop, so you can move it to any place. After that we have to open this project using any favorite IDE. In this project I will be using IntelliJ IDEA; you can use Eclipse, NetBeans or any other kind of IDE, but I will recommend you to use IntelliJ IDEA because it's easier to work with IntelliJ IDEA in Spring Boot applications. I open IntelliJ IDEA and open the project; you can see this is the project we have downloaded. Then in the folder you can see there is a file named pom.xml; click the file and click OK.

After that we have to add some dependencies, so open the pom.xml file. You can see there are already some dependencies added; we have to add some special dependencies for our project. For that open the browser and search "Keycloak Spring Boot adapter" and press Enter. You can see we have to go to this website; this is the documentation related to Keycloak. In here you can see "Using OpenID Connect to secure applications and services"; click this link and go to Java adapters and then Spring Boot adapter. We have to add these dependencies in our project, so I copy this, open the project and paste it, and also copy the other code and paste it in here. After that you can see there is an icon, Load Maven Changes; please click this icon so the required dependencies are added to our project.

Then we have to add some packages: the first one is config and the other one is controller. In this project I will implement simple APIs for demonstration purposes. Then open the resources folder and go to application.properties. I change this file name because I prefer working with YAML configuration; click Refactor. Then we have to add some necessary configuration in this YAML file. For that open the documentation we previously opened and go below; you can see in this documentation we have to add some necessary configuration for our project. This configuration we have to add to our project. Open the project, this is the application.yml file, and here: realm, auth-server-url, resource, public-client, bearer-only. Also I change the default port to 8081; our Java project is running on this port. Then we have to add realm, auth-server-url, resource, public-client and bearer-only true. For that we have to open our Keycloak server; we can find these necessary attributes in the Keycloak server. The first one is realm; you can see in our server the realm name is spring boot app. Another one is the auth server URL; you can see this Keycloak project runs on port 8080. And resource: resource means our client, so you can see our client is my client. And public-client is true. So we added the necessary configuration in here.

Then go to config and create a new Java class; I will give the name SecurityConfig, and in here we have to add some code. We can find this code in the Keycloak documentation also: open the documentation we previously opened and go below on the page; you can see there's code. I copy this code, open our project and paste it. Then we have to import, and in here I will change some lines: add an import in here also, I will change this code and I will remove this code line. So I change this code as we need. After that, in controller we have to add a new controller; I will give the name TestController, and we have to add some annotations to this controller: @RestController and @RequestMapping. I will add test to our API URL. Then I will create two endpoints for testing our application, and I will add another endpoint also. You can see in here I put the data type as String because we return a simple text message. Now we can run our application; you can see our application is running on port 8081, so we can test these two endpoints using Postman.

Open Postman; this is the collection we previously created. We have to add the request and we have to set the API URL. I set the first endpoint: you can see the first endpoint is test/user1 and the second endpoint is test/user2, and Save. I click the Send button; you can see 401 Unauthorized. For that we have to add our access token; we have to pass the access token in the header to get a successful response, because our endpoint is secured and we cannot access this endpoint in a simple way. We have to pass the access token with this API; it means our endpoint is secure. For that go to the Authorization section and select Bearer Token, and we have to pass the access token in here. Keep in mind that you have to select the environment we previously created. Save and go to the login API. You can see the two users we previously set, one is Roshan and one is Kasun; in this API I use the Roshan account. Click Send; you can see the access token in here. We previously wrote the script so our access token will be saved as an environment variable, so go to the API; this access token is already updated. Now we can test this API; you can see we get a successful response. Press once more; you can see if we do not pass the header with the Bearer token we get Unauthorized; if we want to get a successful response we have to pass the Bearer token in the headers of this API. And also I can explain more clearly: when login returns the access token, I copy the access token, go to the API and paste it in here as the access token, and press the Send button; you can see we get a successful response.

Then open jwt.io and paste our access token. This is the JWT access token; you can see all the data in here: you can see the expiry time and roles, you can see the role is super admin, all the necessary data in here, and you can see the email address and username also. After that I will add role-based authentication, so I will improve our application. For that open the project and go to SecurityConfig; in here I will add another annotation, you can see @EnableGlobalMethodSecurity, and pass jsr250Enabled = true. After that we have to change this configureGlobal method and also we have to pass this authentication provider. We will test our first API: in here we have to add the @RolesAllowed annotation, and we have to pass the role the user needs to access this endpoint. I will add the admin role, so only admin can access this endpoint, but this other endpoint can be accessed by any user. Because when we configured our Keycloak we added two roles: go to the Realm roles section, you can see we added two roles, one is admin, another one is super admin. Also go to the Users section; you can see the two users we already added: you can see Kasun is admin and Roshan has the role super admin. So according to our implementation our first API can only be accessed by Kasun because his role is admin; Roshan cannot access the first endpoint because his role is super admin.

We will test our endpoint. Before that, we made some changes in our application so we have to restart our application. The application is started; open Postman. The login API is first. We try using Roshan; definitely our API will not work because Roshan has only the super admin role. First we have to update our Postman collection, now we can check our API. You can see 403; it means the user cannot access our endpoint because our endpoint can be accessed only by admin. You can see the access token; I copy the access token, go to jwt.io and paste it in here. You can see the role: for Roshan the role is super admin, so the first API cannot be accessed by this user. Next I will change the username to Kasun and make a request, then go to the API and test the API; you can see there is a 200 status code, our API is working successfully. I copy the token and paste it in here; you can see the email is at gmail.com, the username, and you can see the role is admin. So you can see our first API can be accessed only by admin. Also you can see this endpoint can be accessed by any user because we didn't add any role-based authentication. We will try this API also: open Postman and I will change the URL to user2, and I will check the API; it's working. I log in, and you can see any user can access this API also.

Previously we set up the guest token also; we can try with this API also. You can see the second endpoint can be accessed using this token also, but when I change the URL to the first API, then you can see there is a 403 status code. Because we can get the token: when we put the cursor on this access token variable you can see the current access token, so we can simply copy this access token using this button. I copy the access token, go to the jwt.io website and paste it in here; you can see there are roles, but the admin role and the super admin role are not in here. So using the guest token we cannot access this endpoint, but we can access this endpoint.

In this tutorial we covered a lot of ground, from setting up Keycloak and configuring a new realm and client, to integrating Keycloak with our Spring Boot application and securing our API with OpenID. We also used Postman for the API testing so you could see the result of our work. I hope you found this tutorial helpful and informative. If you have any questions or comments please leave them in the comments section below, and don't forget to subscribe to our channel lambdaCode for more tutorials on software development. Thank you for watching and happy coding.
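The video shows the 401, 403 and 200 responses only through Postman and jwt.io. The following added example (not code from the video, Keycloak or Spring) replays those checks offline: it verifies a token's signature and expiry, reads `realm_access.roles`, and applies the two endpoints' rules (user1 requires the admin role, user2 any valid token). The signing key, claim values and role names are constructed, and HS256 with a shared key stands in for Keycloak's RS256 signatures.

```python
# Added example (not the video's code): replay the tutorial's 401/403/200 checks
# offline. Keycloak signs access tokens with RS256 and publishes the realm public
# key; a constructed HS256 shared key stands in here so no server is needed.
import base64
import hashlib
import hmac
import json
from typing import Optional

SIGNING_KEY = b"constructed-demo-signing-key"  # stand-in for the realm key
NOW = 1_700_000_000                             # fixed clock, reproducible checks

# Secured endpoints from the video: user1 carries @RolesAllowed("admin"),
# user2 only needs a valid token (any authenticated user or service client).
ENDPOINT_ROLES = {"/test/user1": "admin", "/test/user2": None}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact JWS (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: bytes = SIGNING_KEY, now: int = NOW) -> Optional[dict]:
    """Claims if signature and exp check out, else None. jwt.io decodes any
    payload; a resource server must do this before trusting realm_access."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims

def realm_roles(claims: dict) -> set:
    return set(claims.get("realm_access", {}).get("roles", []))

def authorize(token: Optional[str], path: str, now: int = NOW) -> int:
    """HTTP status the secured endpoint answers with: 401, 403 or 200."""
    if token is None:                      # no Authorization: Bearer header
        return 401
    claims = verify_token(token, now=now)
    if claims is None:                     # bad signature or expired token
        return 401
    required = ENDPOINT_ROLES[path]
    if required is not None and required not in realm_roles(claims):
        return 403                         # authenticated, but role missing
    return 200

def _claims(subject: str, roles: list, lifespan: int = 300) -> dict:
    # Constructed claim shape mirroring Keycloak; default access token lifespan is 5 min.
    return {"sub": subject, "preferred_username": subject,
            "realm_access": {"roles": roles}, "exp": NOW + lifespan}

ROSHAN_TOKEN = make_token(_claims("roshan", ["super admin"]))       # password grant
KASUN_TOKEN = make_token(_claims("kasun", ["admin"]))               # password grant
GUEST_TOKEN = make_token(_claims("service-account-my-client", []))  # client_credentials
```

Calling `authorize(ROSHAN_TOKEN, "/test/user1")` yields 403 while `authorize(KASUN_TOKEN, "/test/user1")` yields 200, matching the two Postman runs in the video; the client_credentials token passes user2 and fails user1 exactly as the guest token did.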
Info
Channel: lambdaCode
Views: 4,867
Id: 62n24Afe80Y
Length: 53min 5sec (3185 seconds)
Published: Mon May 01 2023