Spring boot 3 Keycloak integration for beginners | The complete Guide

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
what's going on guys and welcome back to my channel in this video I'm gonna answer a question that all of you have been asking and it was a requirement from you you all asked about a video how to integrate key clock with spring boot so in this video comes the answer so in this video we will see together how to set up kick log how to set up a realm create users understanding the the roles groups and so on and so forth and the best part is how to integrate key clock with springboot 3 and Spring Security 6. so this video is pretty much detailed and contains all the information also by the end of this video I'm gonna show you how to work with roles from Key clock and use this Rose to authorize users for specific endpoints and also it will be pretty much detailed as I mentioned so before we start if you're new to my channel just go ahead hit the Subscribe button join me on my YouTube channel so you won't miss any video that I'm publishing every week so with no further Ado let's get started first let me walk you through the curriculum of this course so what we will see in this course first of all we will explore and explain the features of key clock and explain all the terms that we need and then I will tell you about the advantages of using keyclock for securing your applications then I will explain the terms that I will be using in this video so you will you will know what is what so you won't be confused when I use terms such realm client Scopes and so and so forth and then I will work you step by step through the installation and setting up the key clock for your development environment then we will configure together kick log this means we will create a real clients roles users groups and so on and so forth so I will explain you step by step what is what and how to do each step and then finally we will integrate kick lock within a spring boot 3 application and we will see how we can secure a rest API using kick log and then of course we will see how to test this and how to generate tokens how to pass them how to work with with roles how to secure your endpoints with roles coming from kick log so this is what we will see in this video now let's move on first let me give you a quick definition what is key clock so kick lock is an open source identity and access management or what we call IAM tool developed by gbos which is a division of red hat it provides a set of features that allow applications and services to authenticate users and manage their access permissions kick log is typically used for modern applications and services such as those built with microservices and API first architecture so now let me walk you through the main features that keyclock includes so first of all we have a single sign-on and single log Auto single sign on also used a AKA SSO so the single sign-on key clock supports both open ID connect which is an identity layer built on top of oauth 2.0 and xaml which is saml 2.0 protocol for single sign on and single logout and this enables users to authenticate once and and gain access to multiple applications without needing to log in again and then we have identity brokering and social login so kick log can interface with external identity providers allowing Aid to act as identity Brokers it also supports social logins like Google Facebook Twitter and so on and so forth and making it easier for users to authenticate using their existing social media accounts and then we have user Federation so kick log can interface with existing user databases such as ldap or active directory which allows organizations to use their existing user base without the need to migrate users to a new system and then we have fine grained authorization services so key clock supports role-based access control which is called also airbag or lb AC lowing administrators to Define roles and assign them to users it also offers fine-grained permissions which means you can specify exactly what actions user can perform and then we have centralized management and admin console so kick log offers a comprehensive admin console for managing users roles permissions and so and so forth it can be used to define and manage security policies centrally and then we have client adapters so click lock provides client adapters for a variety of platforms including Java JavaScript node.js Etc which means or which makes it easier to integrate click lock with different applications so this is also what we will be seeing in this course we will integrate keyclock with Java and springboard 3. and finally we have standards based click log adheres to current protocols such as open ID connect oauth 2 and xaml which makes it compatible with a wide range of applications and services so there are also many other features that we can talk about when we when we talk about kick log but for now let's stick to these main features and the most important ones now let me walk you and talk to you about the advantages of using key clock now let's talk about the advantages of key clock so first of all key clock is an open source project which means it benefits from the input and security of a large community of developers this also makes it free to use so this is one of the of the best advantages of using key clock so you don't need to pay for it and it's also open source and supported by a wide Community then versatility with its support for different protocols kick log can be integrated with a wide range of applications and services and then scalability kick log can be scaled to support large user bases and high traffic loads making it suitable for Enterprise level applications so if you want to opt or if you want to choose for an identity and access management keyclock can be one of the best choices for you and then security so kick log is a security focused product offering features like Brute Force detection user management access and password policies to help you keep your applications secure and then customize the ability sorry for pronouncing this like that but since it is open source kick lock can be customized to fit your specific needs you can add your own themes extend its functionalities and more and so and so forth so click lock is fully customizable and you can extend and do whatever you want with it and finally which is the best for me it it is the ease of use so kick log offers a user-friendly interface for administrators and it is designed to be easy to integrate in your applications so in this course you will hear me mentioning and using uh some terms and I want to explain them first so then you it will be easier for you to follow so first of all we I will be using or like the first term that I will explain is realm so in key clock a realm is a way to isolate and manage a set of users roles clients and groups it is essentially a security domain that manages a group of users their credentials roles and groups so each realm has its own dedicated settings like login policies tokens user registrations Etc when you set up keyclock the first time so it's it creates a default Master realm with which you can configure to suit your requirements you can also create additional realms for different parts of your organization or different applications then client so in Click log clients represent applications that can interact with kick log for user authentication and authorization a client could be a web application mobile application or even other servers so each client is configured within a specific realm and can be set up with various access types like credentials public or viewer only depending on the application's need and then we will also see and mention client scopes so client Scopes in Kick log Define a set of public of default or optional client roles permissions and claims that can be included in the access token or the ID token they allow you to centralize and manage common sets of permissions and claims for your clients so default client Scopes are automatically applied to all tokens of the client while optional client Scopes are only applied if they are explicitly requested by the client then the next term is users so users in Click lock represent individuals that can authenticate with key clock so each user belongs to a specific realm and can be assigned roles and groups so user profiles in Click lock can contain a range of attributes including usernames email first name last name and any custom attributes you wish to Define so users can also have credentials like password OTP or like one-time password codes or client certificates so to make it easy users are us like the final users of the applications and it can be also servers and so on and so forth so finally the final term is groups so groups in key clock represent a way to manage common attributes and roles mapping for a set of users you can use groups to simplify the management of large number of users as it is easier to manage roles and attributes for a group than for individual users so user in click in key clock can belong to one or more groups and inherit the attributes and roles mapping of those groups so groups is a way to group a set of users and assign them a set of roles permissions and so and so forth before starting and styling kick lock let's first have a look on the official website all you need to do is to go to keyclock.org and you will have this interface so at this time click lock is has the version 21.1.1 and as you can see here click lock is an open source identity and access management so here we have the get started but first let's have a look on the features that kick lock provides so as we mentioned before we have the single sign on and you have the description right here so you will have one interface or like one centralized interface to login or your your users to access your different clients and applications also click lock is an ad is an identity brokering and social login so it also provides social login such as Google GitHub Facebook and so and so forth it's also a user Federation once one of the features so for example if you have an existing in-depth or active directory service you can also Implement your own provider so you can link key clock to work with that without the need to migrate or recreate users on key clock also you have a really easy to use and friendly user-friendly admin console as you can see here and we will explore it later on step by step also you have an account management console and standard protocols authorization services and so and so forth so now to get started with click lock we can click on this get started right here which will navigate us to the to the guides page right here so if I click in here we see here that you have a getting started features or parts of of key clock so for example if you want to migrate to gwarkos distribution you have a migration guide also if you want to get started with Docker kubernetes and also if you want to use some services or servers so you are you have everything in here so in this course we will be using Docker for key clock so let's click on this and you see here in this page so here you have get started with kick lock on Docker and make sure you have Docker installed also if you're new to docker please go ahead and check the docker video that I released um some time ago so you will you will have a full understanding and a getting started with Docker so now all we need to do is to run this Docker command to in order to install Docker so I will just copy it for now and then we will be used later on so here also you have this um you have here the documentation for Geek log so then once you once you install kick log you you can click on this link and it will navigate you to the admin console also you have this guide how to create a realm how to create users groups and so and so forth so I will walk you through all these details in this course so now let me open my terminal and install Docker so to install key clock on Docker as I mentioned before make sure you have Docker installed and also check out the docker video to get more information about that so I will copy this Command right here and then open my terminal and I will just paste it in here and hit enter and you see it's unable to find key clock image so now it's it's pulling the image and then it will start a container for key clock so here as we can see here we have the logs for starting kick log and then added admin user to real master this is what we mentioned before because kick lock by default would be creating a realm called master so now in order to access the key clock admin console all we need to do is to go and open the browser on the localhost 8080 which is mentioned right here so because you are exposing the 8080 Port so let's go and check the interface so once you access localhost 8080 on this board you have this interface right here so if you did not provide or if you do not provide the environment variables for for username and password you will have you you will have a different interface to ask you to set up your admin and your admin login and password but for this case we already specified that in as environment variables so let's access our admin console so now it's loading the admin UI and here all we need to do is to use admin and admin as username and password so here let me click on sign in and then it will be loading the admin UI so here let me zoom out a bit so you can see the full screen so here you have the server info and by default we have this master realm and we have clients client Scopes real Bros User Group session events and so and so forth so I will walk you through every detail of this so now in the next step we let's create our own red let's create our application and let's do everything that we need for this rail now let's create a new realm so here as you can see we have by default the master and we have this button here create real so when you click on it you can import or drag a file to import a realm from a Json file but in this case we want to create one from scratch so the real name I will call it alibu in this case and I will set it to enabled and then just click create so here we have real created successfully let me close this one and as we can see here we have the list of the Realms that we have within kick lock so we have alibu and we have master and we can switch between them so now we have now the Management console for our realm and we can create clients so by default we have different clients like for example account account console admin CLI and so on and so forth and we also can create our own client so as I explained before a client can be a web application a mobile app rest API and so and so forth or also we can just click on import client if you have the Json file or XML file for this specific configuration now let's create a simple client so in this case I will leave it to open ID connect as a client type or you if you want to use you can use saml and for the client ID let's say alibo rest API and here let's say demo client for alibu rest API for example and then you can give some description so here we have some description and then always display on UI also if you don't know or if you don't understand this you can just click on this info button right here and you will get all the needed information so this means that always list these clients in the account UI even if the user does not have an active session so you can set it you can leave it to off and then let's click on next so here we have this capability config so client authentication so this means this defines the type of the oidc the open ID connect client when it's on the oidc types is set to confidential access type when it's off it's set to Public Access so now we don't we can make it public and then let's click on next uh before clicking on next you can also Define the flow so I would invite you to get more information about this also if you need that just drop a comment and I will create additional videos for that so let's click next and here we have the login settings so here we have the root URL so the root URL is the appended to the relative URLs so this the root URL of our application so let's say for the for the moment because we will we will create a new realm later on for when we will integrate the key clock when Within the springboard application we will have or we'll restart everything from scratch almost but now I just want to walk you through the key clock UI so let's say for example my root URL is localhost and let's say 8081 as the port and then we have the home URL we can use the same one also we have the valid redirect URL so the value direct URL is everything after or everything that belongs to the base URL or the root URL that you have okay so here this means after a successful login where we want to redirect the user okay so we want to redirect it to any URL that we can specify later on so also here we have a valid post logout redirect URL so after a logout or a successful logout where we want to redirect user and also for the for now let's say we want to redirect it to the to the root page of to the root URL of our application and here we have web Origins so what are the allowed Origins to access our application and for the moment I will leave it to Star this means any any web origin so now let's click on Save and here we see that we have an overview of the client that we just created so this is the client ID we have the name description and so on and so forth and also we can go back and go down and we see that client authentication authorization the flow all the information that we specified before so here we also have the consent required or not and also we can specify the login theme so we have the base one or the kick lock theme and so on and so forth so you can just play with this and see the different changes so now after creating a client let's click in here and here we see that we have the client that we just created so now if I go in here we can also see the roles the client Scopes the sessions and also we have advanced and so and so forth so now if I go to client Scopes so the client Scopes as we mentioned these are the Scopes are common set of protocol mappers and roles that are shared between multiple clients so these are the information that we want to expose so by default keyclock has a list of Scopes but we can also for example add the email add phone profile and so and so forth to expose or to or to send within the token that will be generated also we can Define realm roles so here we can create a role for our realm and let's say for example admin so here admin role and then and then we can click on Save we can create other roles so for example let's say we have also user and user role let's save it and then we can create users okay so here we have the list of users so for now we don't have any user but in case we can create users for our application so here we have the user action so the user action it's this is this one is not mandatory but for example if you want you can set or you can force the user to update the password update the profile verify the email or configure an OTP and so and so forth so one once the user connects for the first time we can have a required action so as I mentioned before for example because in here we will be creating a user and we will set a password for the user also we can ask the user for example to update the password to update the profile and so and so forth so here let's say alibu as username you can skip specifying the image because as you can see all the user the username is required so let's click on Create and then we see the ID of the user the creation date and for now we don't have anything else also what we can do we can go to credentials and here we see that we don't have any credentials yet for the user so what we can do we can set a password for our user and here let's say for example also alibu as password I will just show it in here and then we can decide if this password is temporary or not so let's say it's off for now let's say this is the final password for our user and then we click on Save and then save password so we see here that we have this label we you can change it you can also show the data you can you can have access you can also reset the password or even delete this password for this user also we have a list of roles so we can assign roles to the user this we will see later on so now let's go back to our client and let's click on this alible rest API and we see that we have a list of roles so here we can create roles for the client so let's create some and the role name let's say client admin for example you can you can name it as you want and also I can create another one and let's call it client user for example I want to have two roles client and user so as we can see we have this list right here and then within the rim role we see that we have this admin and user right here so if we click on for example on the admin we see that we have actions right here so we can associate with the role and here we can specify or like filter by client and we can assign a role to a specific client so as you can see here we have so let me filter by client also we see that here it's aliburest API client so for example I can assign this one this admin or um this client admin to the rest API and then what we see here now it's a composite role okay so the description is admin role and we see that the user now is not composite yet but if I click on user and do assign Associated role and filter by client again and I say this one is a client user and a sign if I go back again we see that this user is also a composite one okay so now so now if we go back to our users so here we have this alibu user that we created and we see that we have a road mapping so by default it has a default roles alibu but we can assign New Roads okay and for example for this user we will give it an admin role and also for this user role we can assign it or we can assign a role to that and here let's say filter by client and we can say that all that this user is also a client admin or an administrator or like has role admin for our client so if I click on assign so we see here also that we have this client admin all right so now we saw how we create how we can create clients we can create roles users assign a role to user and so and so forth now let me show you how we can generate a token for a specific user so to do that all we need to do is to access a specific URL or the open ID configuration to see the configurations or like the list of the URLs that we can use so now if we access this URL which is localhost 8080 slash Realms slash the real name in this case it's alibu and then dot well-known slash open ID Dash configuration and we will see this page right here or this Json response right here and we have this bunch of information like the issuer this is the issuer of our um of our oauth2 provider we have the authorization endpoint stock token endpoint and so and so forth so we have a bunch of information that we can see right here so also we have the grant types supported which is authorization code refresh token password credit credentials and so on so forth and what is interesting for us is this token endpoint so in this for this one if I copy this URL and open Postman and try to generate a token or try to to login my user the one that we already created so if I go back here and then I go to users so if I try to login or generate a token for this user right here and this is how I would this is what I would be showing you right now so now on Postman I will post the URL that I just copied right here and it will be a post request and then let's specify the body the body should be of Type X form URL encoded so in here I will start specifying some information so as we mentioned before we have first of all Grant type so for the grand type we want to we want it to be of type password because we want to generate or we want to Grant a user using password then we have or we need to specify the client ID so the client ID is the client that we created is the audible rest API and then we need to to specify the username and password so the username is adibu and the password is also available so now all we need to do to check if this configuration is right is to click on send and here we see that we have a response so we see that we have an access token which is this is the Bureau token and we will see what are the details of this token expires and refresh expires and we have also a refresh token and the type it's of type beer so it's a beer token and we have the Scopes that we have right here so the scope is image and profile so now for example if I specify a wrong password or wrong username and click on send we will see that we have an error message so it's 401 unauthorized and also we have invalid Grant and invalid user credentials so let me get back again and click on send so now let's see what is the content of this JWT token so I will copy this one I will go back to my browser and then I will open the JWT dot IO website and all I need to do is to paste this token right here so now let's see what are the informations that are returned by our application so here we see that we have an expiry date issued at and we have a bunch of information and we also have the the bear token the type of the token sorry which is of that beer also we have the authorized party which is alibu rest API this is our client also we have the load Origins that we specified in the beginning we have also the realm access so here we have this list of roles so we have the offline access which are the defaults and also the realm access we have this admin that we specified before now if we see this part right here we have this resource access alibu rest API and we have the roles or the list of roles that we can assign to a specific user so this user has a client admin which is the one that we specified right here so if I click on this one and then let me zoom out and then click on road mapping we see that we have this client admin which is assigned to the this client right here also we have a bunch of information like the like the account roles we have also the scope we have also the session ID if the email is verified or not and also the preferred username and all this information and Scopes we can specify in our configuration so now we saw how we can create and configure a kick log creating a rail and creating client also authenticating a user now let's go ahead and start integrating key clock with spring boot so we will start by creating a springboot project and then I will walk you through the configuration step by step and also I will show you how we can integrate kick lock and use key clock as an authentication provider for spring boot application now let's create a new Springwood project so as always it will be mavenproject Java and let's use the 3.0.6 and now let's specify the project metadata so it will be com.adibu and the artifact it would be keyclock and then it would be a demo project for spring Boot and key clock for example and this is the package name and we'll be using Java 17. then let's add a web dependency since we want to expose some web endpoints and then I will add long book and we will also need Spring Security and spring or off to Resource server so oauth to Resource server and then let's generate the project and open it with entityj so here I have my spring boot project I will create a sample controller so I will call it demo controller to have some endpoints so first it would be rest controller and then I need the request mapping and I will call it slash API V1 slash demo for example and then I will create one simple endpoint so it will be public string hello and this one it will return a simple string so hello from spring boot key clock and then this will be for example a get mapping and this is it so now we have a demo controller let me duplicate this and say okay hello to for example and this one I will make it slash hello Dash 2 just an example so hello this one it will be uh hello from springboot and click lock and this one for example let's say for later on it will be just for the admin and this this is where I will show you how also we can use roles from Key clock so now let's move on and start configuring our security so now I will create a new Java class I will call it security config and here I will just provide a basic configuration or basic Spring Security configuration so first of all it would be a configuration and then enable web security all right so then as always I will need a bin of type security filter chain so public security filter chain I would call a security filter chain and I need to provide the HTTP security as parameter I will call it http so now I will provide the configuration for uh for this security so first of all I will say http.csrf.disable so I will just disable this one and then authorize requests and I want any request dot any request I wanted to be authenticated so I want to authenticate or like to have the user to authenticate to access any request of my API so this is the first part and then I need to tell spring so now I want to tell it what what is my resource server to use in order to validate the token that I will get as a header all right so it will be HTTP dot oauth resource server so it's oauth2 resource server and then it's of type JWT okay so now this one will throw an exception so I will add the exception to the method signature so here it throws exception and then I will Define the decision management policy so it will be HTTP dot session management and then I will add session management or session creation policy and they want this one to be stateless so stateless and also I can use a static import for that and that's it and finally I need to return HTTP dot build so now I have a basic configuration or like my security configuration so here I want to authenticate all the requests and also I told spring to use the oauth2 resource server and I mentioned that I have a JWT that needs to be validated using this oauth2 resource server so having this one having this oauth2 resource server.jwt we need to pass few parameters or few configurations to our application context in order to tell spring what is our resource server what is the the link or the URL to validate our token so let's go ahead and add this configuration so now I will close this and then I will go to resources and then application properties so first of all I will be using yaml representation because it's more readable and now let's provide some configuration so first we have Spring Security so it would be spring and then security and then we have our resource server so here we need to specify the resource server and then we as we mentioned before it's GWT and then we need to specify the issuer URI and the jwk set URI so here we have issuer Dash URI and this one we need to specify the URL of our kick lock instance so it will be HTTP colon slash slash and then localhost and then 8080 and then slash realms slash our realm name so our real name is we called it alibu as we specified before and now we need to specify the GW key jwk set URI so jwk Dash set Dash URI and then we need to specify this so first let me copy this reference and then it will be dollar and then this URL right here and then slash protocol slash open ID Dash connect and then slash search so this is the URL to validate the JWT and then of course let's not forget to specify the port so server port and let's say 8081 because the port 8080 is already in use by key clock so now we have our configuration but before we move on we just forgot one small property so it's Spring Security and then oauth 2 and then all this goes under oauth2 okay so let me fix this one and also this and this and this so it's Spring Security oauth 2 resource server and then JWT and then we need to specify the issuware URI and the jwk set URI which is we'll be using this one so here I just use this variable reference because in case I change this one I only need to change it in one place and then it will be slash protocol slash open ID connect slash so this is how to how to validate the certification or our JWT token so now let's run our application and make sure that if we don't provide the correct JWT token we get an authorized and if we provide it we get the correct configuration now let's run our application I will run it in debug mode and of course enable annotation processing for lombok and then so here we have this exception could not resolve placeholder and this is this comes from this application properties right here because we forgot to also update in here so it's Spring Security dot oauth 2 and then resource server.jwt.asure URI so now let's run again the application and go ahead and test it so now the application is up and running on the port 8081 so now let's open Postman and try to access one of these endpoints so let me close everything and just remind you that you have this demo controller which is accessible on slash API V1 demo so now let me open Postman and show you how this is gonna be so here in the new tab I will use HTTP colon localhost so I will just take any one of them and then just update the port so it will be slash API slash V1 slash demo and then if I try to access this one so first of all I see that I have this unauthorized so if I don't provide anything because as you can see in the authorization I did not provide anything so here my user is not authorized to access this demo controller so now let's go back to this to this one again let's let's send a new request and get a new token so I will copy this one and then let's go back to this tab and here it will be Bearer token so I will just remove this and replace it with the token that I just copied and I click on send so when I click on send we see that we have 200 okay and we have this hello from Spring Boot and key clock also if I try to access slash hello Dash 2 we click on send and we see also that we are able to access the second endpoint which we said that we want this one to be accessible only by users having the admin role all right or let's say even a different role we can create user and roles for that later on so now let's go back and tell you and let me guide you through how we can use roles within springboot so now to add Road based authentication first of all we need to enable method security so and just to remind you the method security it has the pre-post enabled Default true so you don't need to add any properties all you need is to to have this annotation on your security config level so now let's go back to our controller and here let's say pre-authorize and let's say has role and for for this we want the user to have the role client user for example and for this one we want it to be client admin so as we specified before so let me remind you what the JWT token looks like so here we see that we have for example for this client the alibu rest API we have a client admin and also we can create another role for another user which is client user so now if I restart my application and try to access these two endpoints first of all we will get a 401 unauthorized and then I will explain to you why so let's go back to our Postman and let me generate a new token so I will copy this one and then I will paste it in here so if I click on send we see that we have this 403 Forbidden this means that we cannot access this endpoint so even the hello tool is only accessible by admin as we can see here and the problem is that spring as you know this has rolled method it use it uses a default prefix called roll underscore so we need to convert the roles that we get from this JWT token provided by Kick lock and add this prefix right here so also let me show you what this means so here in our security configuration we have this HTTP and then all to Resource server and we mentioned that we want to use JWT and this JWT has a converter by default which is called the JWT authenticationconverter.java so this is a class implementing the converter interface and we pass a JWT as object and also an abstract authentication token and this one is just try to extract or to get the claims for the principal claim name so I will add a breakpoint right here and then send the request again and let me show you how the JWT looks like so I will go back to postman click on send and now we are back to our IntelliJ to this breakpoint so here we have the authorities and first of all we are trying to convert this JWT and then if I pass to the next we see that we have this of this object authorities so this object authorities has scope email and scope profile but first let's have a look on the JWT object so for the JWT we have headers claims token value it should add and expires at so we are interested in the claims so inside the claims we have all the information that we saw on the jwt.ao website and here what we have we have also the real access and we have all the information that we need but the one that we are interested in is the resource access so inside resource access we have this result it's it's a map of Key value so the key is resource access and we have the value right here and here we see the multiple all the resources that we want and for our case we are interested in our client because only this client or our API is linked to this alibu rest API so inside this alibu rest API we have the key which is the same name and inside we have the value which contains the rules so the rules it's also a key map a map or a key value map and then we have the value and we have this client admin and now we need to convert the value of this client admin to roll and restore client and rescore admin so whatever the role that we get from or we want to configure on key clock we need to convert it to a role which is understandable and acceptable by springboot so now let me show you how to do that so I will just resume the program and now I can stop it so then I can close this one let's go back to our security configuration and now let's create our converter so now first of all let's create a new class and then let's call it JWT auth converter so this class will be responsible of converting the roles for our application and let's make it a component to be able to inject it later on in our security configuration so as we saw before this should implement the the interface converter and this interface converter comes from this specific package so which is the org.springframework.core.convert.converter so you need to be careful about importing the correct one so and as we saw before this convert it takes JWT so it also comes from the org spring framework security oauth 2 JWT and then also we have the abstract authentication token so let's add this abstract authentication token and now we need of course to implement the methods so let's click on Implement and we need only to implement this convert method so I will click on OK and now I will walk you through the implementation of this one so here we have this JWT called source and here it's just claiming because it should should be non-null so I will just add this annotation to satisfy sorry not the one from lombok but it should be the non-null from Spring all right so now we no longer have this warning now let's first implement this one so in order to start uh converting or like to extract the granted authorities first we need an object of type JWT granted authorities converter so I will create a private final JWT granted authorities converter let's call it JWT granted authorities converter equals I'm just in the new line new granted authorities so new JWT granted authorities converter so this the one that we'll be using later on so now let's start implementing this convert method so first I will create VAR authorities equals stream Dot concat foreign what I want to concat is my JWT granted authorities converter dot convert and then I want to convert my source or let me also here rename it JWT to have a better meaning so my JWT and then what I want to do is also JWT dot stream because I want to concat and then I need to create a method called like to extract the claims or the principal claims so here and then the second parameter is so I will just I will call the method extract resource roles and this one it will take the GWT as parameter and then I will say just as stream and that's it so now I need to create this extract resource roles so I will create method so this one I would I wanted to return a collection of type anything that extends granted authorities so I need also to import the collection and now let me walk you through the implementation of this one so here we have a private collection of anything that extend granted Authority and we called it extract resource roles and also it takes the JWT as parameter and now let's start extracting the roles so first I will create a map an object map of string and object and I will call it resource access so let me import the map right here so this one is from java utils and here we said it's resource access so let me fix this typo and then I will create also another map so I'll duplicate this one and then we call it resource and finally we need a collection of string which is our resource roads so here because we talk about resource which is the one I already explained before when we debugged together the jwd token so now let's add few checks so if first of all if I if I have my JWT Dot get claims so now I I will try to extract a claim called resource resource access resource underscore access and also just to remind you I'm talking about this one I'm talking exactly about this one so this is the claim that they want to extract so I will copy it and then I will paste it in here to avoid any kind of typos so if this one is null so this means that I don't have any I don't have any claim called resource access so I will just return a set dot off this means I want to return an empty collection okay otherwise my resource access equals this one so if I have if I have it so I will just extract it and then I will do the same thing so here I will just do an if and then I will use the resource access object and then get so here I will try to get something called resource ID and my resource ID as always is this one so now I will just use it as a constant and then later on you can also extract it to the application yaml configuration to have it to have to have it as a variable and you can use it depending on on the environment whether if it's development or production so if this one also equals null what I want to do is also returning an empty set so I'll just duplicate this one and move it right here so also if my resource access or if I don't have any resource called aliburest API I also want to return a set or an empty set so I don't this means I don't have any roles for this specific resource so then if not what I will do my resource equals this one so I will just copy it right here and then of course I need to convert it or to cast it to a map so I will just add this cast right here so I will cast this one this object to a map of type string object okay so now if I have my resource if I have my resource access and my resource which is my client that I created on on Kick lock level so what I will do now I will extract the roles so I will get the object that called rules so here it will be resource roles equals and then resources or with this resource dot get and then roles so also we need to convert this one to uh we need to cast it to uh to a map or to a collection of string because it's of type collection of strings so then we can extract the roles or map the roles from from this rows that we extracted from the JWT token so finally let's return our resource roles and then stream let's stream over it and then let's do map so here we we want to map it so here we have or let's say roll and then we want to we want to return a new simple granted authority of role and or scroll press roll so here we want to do roll and the restore and then plus the role itself so as I explained before and then of course we need Dot collectors to to set so here we are extracting the the resource and then we are mapping it and we are just adding this role prefix okay so now if I go back to my main method so here I have the list of authorities and then I just forgot semicolon right here and then I need to return this object which is of type JWT authentication token so here I will return a new object of type new JWT authentication token and this one takes few parameters first of all we need the JWT itself and then we need the authorities and finally we need another attribute as we can see here so we need the string name the string name is the principal claim name so now we need a new method we call it get principle claim name principal claim name and we will extract this principal claim name from our JWT so let's create this method and this one should return a string and it takes as parameter the JWT so now let me show you how to extract this claim so now from our JWT let's have first of all a string claim name equals JWT claim names dot sub so by default it's the subject and then if we have a different principal attribute so we can also use it so here what I mean exactly if I go back to my JWT dot AO interface what I want to extract is this one so the preferred username we also have the subject uh the subject right right here but this subject is returning the ID that was generated by Kick lock but in my case I want to get or to extract this preferred username so I will just copy this value and now I will go back here so here I will create a variable so private final let's say principal attribute of type string so this is the attribute and then it's it's going to be like this so then later on I will I will extract it to uh to the application configuration so here if I have or if my principal attributes is null uh sorry if it's not null what I want to do I want to set the claim name equals this principal attribute so it's as simple as that and then I want to return JWT dot get claim and then the claim name so here what what I want to do is if I have a different attribute or principle attribute name so I want to extract that one otherwise I will be using the default which is the sub as we saw in um and the JWT dot IO when we converted our JWT token so now let's go back in here so let's check uh this one okay so I will just use an explicit type right here so I will just make it a collection of granted Authority and then of course we just forgot here to dot collect and then collectors to set all right so here we have our Authority so we fix also that and we have also the principal claim name so now let me go ahead and extract this principal attribute and also I will extract this resource ID so this one I will just create a variable call it resource ID and also the same in here I want to use the resource ID and let me create a variable right here so let's call it also resource ID and now let's go back to our application.yaml so I will create a variable so let me call it JWT and then off and then converter because we are using this one in the converter and let's call this one for example resource Dash ID and let's give it this value and also let's create another one let's let's call it principal attribute so principle Dash attribute and then we wanted to have this value so this preferred name I will just paste it in here and space of course so let me make this full screen and now in this converter I will just inject these two values so I will remove this one and also this so we also no longer need the final keyword and I will add the add value annotation and in here it will be dollar and this so I also can directly copy this one so you also can see the shortcuts that I'm using right here and I will paste it in here so I made and then I will paste this one here and I will also duplicate it and we called it principle Dash attribute so now if I try to access them so this is the principal attribute and then here it's resource ID so I made a typo and the same here so also I can access this one so this um ensure me that I did not made a mistake alright so now we have our converter let's again let me recap this one because I know maybe it was a bit long to implement this so what we did so far we created a class we called it JWT authentication converter and in order to make it a converter we need to implement this interface and this this interface is a generic one it takes a JWT and also an abstraction authentication token and also we need to override or to implement the convert method that comes with a parameter called JWT so then we created this JWT granted authorities converter object and this one is the one we use to convert the JWT okay so then inside the convert method what we did is we first of all we have this convert and we have this extract roles method and both of them or both of these two streams we concated them into one stream and then we performed a collect operation and then let me work you again through the extract resource roles so to extract the resource roles from the JWT we created three objects so the first one is a claim called resource access and the resource which represents our client ID then we have the final variable which is the resource roles which will store the roles that you will extract from the the W JWT token and then we have a check and early return so if we don't have this resource access as a claim so we return an empty list same otherwise so we store it in here so we we stored or we assign it to the resource access variable and the same for the resource ID and then we do the same thing if we have the resource ID and finally we get or we try to get the roles because if we have the access the resource access and the claim within the resource ID we are sure that we have the object roles so then we will Loop or rest or stream over the resource roles and then we will transform them to simple granted authorities and then we have roll underscore and then the role name and then we collect them to uh to set and then we return it so here we are using set just to avoid the application in case we by mistake the kick lock admin assigned the same role twice to the same user or to user so we don't have the application and then if we go back right here so now we create or we extracted the authorities and then we need for this object for this JWT authentication token we need to return the JWT the authorities authorities and also the the principal claim name so the principal claim Name by default it's sub so it's the object called sub as you can see right here but as I mentioned before in Kick log the sub is the ID which was created for the user and it's the internal ID generated by Kick log and for our case we need the principle attribute or the preferred user name and that's why we need to extract it in here and here it's just a fallback in case we don't have or for example for one environment for prod or for a different environment we forgot we forget to set this principal attribute right here in in the properties so at least we don't return null value so by default we return sub if we have the principal attribute so we extract or we get that claim from there all right so now we have our authentication converter ready to use so as I mentioned always if you create a component or if you create something you need to link it so let's go back to our security configuration now I will add the lombok required RX Constructor and then I will inject private final and then my JWT authentication converter let's call it JWT auth converter and here after this one so after specifying the oauth2 resource server.jwt we can also specify the dot JWT authentication converter so here let's say it will be our authentication converter so this means that we want to mention to Spring that we want to use our own converter instead of the default one so now let's restart our application and make sure that the converter that we implemented is working fine and also I will add a breakpoint in here so at this at this level and we will see step by step how this is going to be so now let's start our application and test so now I will run my application in debug mode and then let's go back to postman and now let's generate a new token I will copy it and use it for my request so I will replace this one let me remove the old one and now if I click on send I should move back to antilij so now let's see what do we have so here we have our JWT object and as we mentioned before we have header claims and so on and so forth so the first step is we want to check that if we have a claim called resource access so here we have the list of claims and we see that we have resource access so if I move to the next step so here we did not we did not enter this one because we already have our resource so now we will assign this object to the resource axis and then as we can see here we have our resource access so it has the alibaurist API and the account one so let's move on now we want to check if we have the resource called re-alible rest API which is the client ID that we created before so it's already the case and as you can see here so we have our resource and it has the object called role okay so now from the object we can get the value and here we have the the row that we assigned to our user on Kick lock so now if I move to the next step so here we are we will be able so if I evaluate this one so select it right click evaluate expression and by the way leave me in the comment if you need or if you want a video about how to debug using ntdj and how to debug and detect bugs and so on and so forth just leave me in the comment and they will create a video for that so now let's evaluate and as we can see so here we have the result and now it's called roll and restore client admin okay so let me close this one and let's resume the program also I can remove this breakpoint and if I go back to my ntdj sorry to postman I see that we have a response from here so we mentioned before so as you know here in our demo controller we have this one should have client admin as role and this one is the user should have a client user so if I try to access this endpoint within my admin user I should get a 403 so let's try this one so instead of hello 2 let's just access demo and now we see that we have for three forbidden this means that within even if we have a valid token we are not authorized to access that resource so now what I want you to do as a Next Step just go ahead go back to to the kick log admin interface and create uh create new users assign new roles and I want you to play more and more within this that was pretty much it for this video I hope you enjoyed it I hope you learned many things and now I hope you have a full understanding of key clock and how to integrate it with spring boot so also if you need something else or if you want to learn a bit more about kick log drop me a comment leave what you want to learn next and I would be happy to provide a video about that now before we leave if you're new to my channel don't forget to hit the Subscribe button and also to join me on social media you have all the links down in the description of this video so it was really nice having you today and see you the next time
Info
Channel: Bouali Ali
Views: 82,718
Rating: undefined out of 5
Keywords: spring, jpa, data jpa, mapping, onetoone, one to one, spring data, many to one, manytoone, class, generatedvalue, persistence, repository, service, jparepository, jpa repository, uml, class diagram, design, software, engineer, software engineer, java, jakarta, javax, spring boot, springboot, security, spring security, aliboucoding, spring boot 3.0, spring boot 3, spring 3, jwt, filter, authentication, authorization, bearer, jjwt, oauth2, github, social connect, social login
Id: vmEWywGzWbA
Channel Id: undefined
Length: 73min 30sec (4410 seconds)
Published: Mon May 22 2023
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.