How Can We Secure a Microservice?
What is Keycloak?
Keycloak is an SSO solution for web apps, mobile and RESTful web services. It is an authentication server where users can centrally login, logout, register, and manage their user accounts. The Keycloak admin UI can manage roles and role mappings for any application secured by Keycloak. The Keycloak Server can also be used to perform social logins via the user’s favorite social media site i.e. Google, Facebook, Twitter etc.
Using the Keycloak adapter, an unauthenticated user is redirected to the login screen on the Keycloak server. The user then supplies credentials for authentications to the Keycloak server. Since the authentication is done by the Keycloak server and not your application, it’s easy to add support for multi-factor authentication or social logins without having to change anything in your application.
Once the user is authenticated, Keycloak returns a token to the application. The token contains details about the user as well as permissions the user has. A token is basically just a signed JSON document and can be verified by the called services or by invoking the Keycloak server.
Installing the Servers
Follow the steps from the post Using Vagrant and Ansible To Build A Keycloak/Wildfly Development Server to setup both Keycloak and Wildfly servers.
What is Ansible doing?
After downloading and installing wildfly , keycloak-wildfly-adapter-distis then downloaded and unzipped adding additional keycloak modules needed to communicate with the authentication server.
At that point a command line script is executed adding the keycloak subsystem to the Wildfly standalone.xml configuration file
Checking out the Serenity REST Services
The services being deployed consist of:
- JaxRsActivator – This is used to bootstrap the application. It uses the `@ApplicationPath` annotation to set the application context path
- CargoServices – Service endpoint that allows us to find, update and add cargo
- JobServices – Service endpoint that finds existing jobs
- LocationServices – Service endpoint that finds existing accessible locations
- CargoAccess – Stateless session bean used to demonstrate programmatic authentication and authorization
Securing the Services
The services can be secured by updating the web.xml as follows:
The CargoAccess stateless session bean demonstrates how to programmatically use the keycloak system.
- The Jboss specific @SecurityDomain annotation is used to set Keycloak as the security domain
- The @PermitAll and @RolesAllowed annotations are used to supply access to the operations
Configure the keycloak.json adapter config file. This file specifies the configuration used to communicate with the Keycloak server. Our sample looks like:
- realm : The Keycloak realm representing the serenity application and users
- resource : Name of the application client to connect to when attempting authentication
- bearer-only : Tells the adapter to only accept bearer tokens through the Authorization header
Further documentation can found at Keycloak adapter config
Building The Services
The following should have already been done:
$ git clone firstname.lastname@example.org:SUMGlobal/keycloak_demo.git $ cd keycloak_demo
Gradle is used to create the deployment artifact
$ cd serenity $ gradle clean build $ cp build/libs/serenity.war ../vm-keycloak/shared
This will build the war file and copy it out to the vm’s shared directory. Then:
$ cd ../vm-keycloak $ vagrant ssh $ sudo -u wildfly cp /shared/serenity.war /opt/jboss/wildfly/standalone/deployments/ $ sudo service keycloak restart $ sudo service wildfly restart
That’s it. The services are now deployed at:
In the next post, we will review the cortex Angularjs application where we use the deployed services.