Spring Security 6+ | JWT | Spring Boot 3.3 | Keycloak

TL;DR

This video provides a comprehensive guide on integrating Keycloak, an open-source identity and access management solution, with a Spring Boot 3.3 application for enhanced security. It explains the need for Keycloak in managing user authentication and authorisation across multiple applications within an organisation, offering a single sign-on (SSO) experience. The video covers the installation and setup of Keycloak, creation of realms, clients, roles, and users, and demonstrates how to configure a Spring Boot application to authenticate users against Keycloak using JWT tokens.

  • Keycloak is an open-source identity and access management solution.
  • Spring Boot 3.3 is used for the application.
  • JWT tokens are used for authentication and authorisation.
  • Single sign-on (SSO) is achieved using Keycloak.

Introduction to Keycloak and Spring Security [0:02]

The video introduces Keycloak as an open-source OAuth2 server, highlighting its role in managing usernames, passwords, and user details on behalf of applications. It contrasts Keycloak with other OAuth2 providers such as GitHub, Microsoft Azure, and Auth0, noting Keycloak's advantage as a free and widely used solution. The discussion sets the stage for understanding how Keycloak simplifies security across multiple applications within an organisation by providing a centralised authentication mechanism.

The Need for OAuth2 Servers and Single Sign-On [2:07]

The video explains the need for OAuth2 servers by illustrating the shortcomings of traditional JWT-based authentication in multi-application environments. It describes a scenario where a user needs to access multiple portals within a company, each requiring its own authentication logic and its own username/password store. To avoid this redundancy and improve the user experience, the video suggests using an OAuth2 server like Keycloak to provide a single sign-on (SSO) experience, where users can access multiple applications with a single set of credentials.

Keycloak Architecture and Workflow [5:55]

The video outlines the architecture and workflow of using Keycloak for authentication. It explains how a login page interacts with the Keycloak server to validate user credentials and generate a JWT token. This token is then used by the client to access protected resources in Spring Boot applications. The video also touches on how the Spring Boot application validates the JWT token by communicating with Keycloak to ensure its authenticity.

Installing and Setting Up Keycloak [8:10]

This section provides a step-by-step guide on downloading and installing Keycloak. It covers extracting the downloaded ZIP file, navigating to the bin folder, and running the Keycloak server using a specific command. The video also demonstrates accessing the Keycloak admin console through a web browser and creating an initial admin user.

Configuring Realms, Clients, Roles, and Users in Keycloak [10:51]

The video details the process of configuring Keycloak by creating a realm, which is used to segregate users, passwords, roles, and clients. It explains how to create a client within the realm for a specific application, specifying the client type as "OpenID Connect". The guide includes setting up valid redirect URLs and defining roles such as "user" and "admin". It also covers creating users, assigning them specific roles, and setting credentials for these users.

Obtaining a JWT Token from Keycloak [14:52]

This part of the video explains how to obtain a JWT token from Keycloak by looking up the realm's OpenID endpoint configuration. It demonstrates using a tool like Postman to make a POST request to the token endpoint, providing parameters such as client ID, username, password, and grant type. The video shows how to retrieve the JWT token from the response, which will then be used to access protected resources in the Spring Boot application.

Spring Boot Application Flow with Keycloak [16:46]

The video describes the flow of a Spring Boot application integrated with Keycloak. It explains how the user login page sends credentials to Keycloak, which validates them and returns a JWT token. The client then uses this token to call the Spring Boot application's APIs, with the token included in the request headers. The Spring Security filter chain intercepts the request, extracts the JWT token, and uses a JWT decoder to decode and validate it. The video also discusses the role of the JWT authentication converter in extracting user roles from the token and creating an authentication object.

Creating a Spring Boot Application and Configuring Dependencies [20:24]

This section guides viewers through creating a new Spring Boot application using Spring Initializr. It specifies the use of Spring Boot version 3.3.3 and includes the necessary dependencies such as Spring Web, OAuth2 Resource Server, and Spring Security. The video mentions importing the created application into an editor and setting up the application.properties file with Keycloak-related configurations.

Configuring application.properties [21:20]

The video details the configuration of the application.properties file, which includes setting the client ID, scope, Keycloak URL, realm name, and JWT issuer URI. These properties are essential for the Spring Boot application to communicate with the Keycloak server and validate JWT tokens.

Creating APIs and Implementing Spring Security Configuration [22:12]

This section covers creating REST APIs in the Spring Boot application, specifically hello user and hello admin APIs. It explains how to implement Spring Security configuration to protect these APIs based on user roles. The video demonstrates creating a SecurityFilterChain bean to define authorisation rules, specifying that /hello admin can only be accessed by users with the "admin" role and /hello user by users with the "user" role.

JWT Authentication Converter [24:32]

The video explains the use of a JWT authentication converter to extract roles from the JWT token and create a GrantedAuthority object. It details the implementation of a custom converter class that implements the Converter interface. The converter extracts the roles from the JWT token's claims, creates SimpleGrantedAuthority objects, and sets them in the authentication object.

Extracting Roles from the JWT Token [27:14]

This section provides a detailed explanation of how to extract roles from the JWT token. It describes examining the structure of the JWT token, specifically the payload, to identify where the roles are located. The video demonstrates how to write code to extract the roles from the token's claims, handling both realm access and resource access roles.
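The three sections above (the SecurityFilterChain bean, the JWT authentication converter, and the role extraction from realm_access and resource_access) fit together in a single configuration class. The following is an added example written for this summary, not code from the video. It assumes a package name of com.example.keycloakdemo, endpoint paths /hello-admin and /hello-user, the Keycloak roles "admin" and "user" named in the video, and two application.properties entries: spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the realm and a hypothetical keycloak.client-id property naming the client whose resource_access roles should count.

```java
package com.example.keycloakdemo; // hypothetical package name

import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed application.properties entries (hypothetical values):
    //   spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/realms/demo
    //   keycloak.client-id=demo-client
    // The issuer-uri lets Spring Boot auto-configure a JwtDecoder that fetches the realm's
    // signing keys and rejects tokens whose signature, issuer or expiry do not check out.

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    @Value("${keycloak.client-id}") String clientId) throws Exception {
        http
            // Stateless bearer-token API: no HTTP session, hence no CSRF token to manage
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // hasRole("admin") matches the authority "ROLE_admin" built by the converter below
                .requestMatchers("/hello-admin").hasRole("admin")
                .requestMatchers("/hello-user").hasRole("user")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt ->
                jwt.jwtAuthenticationConverter(new KeycloakRoleConverter(clientId))));
        return http.build();
    }

    /** Turns Keycloak realm roles and client roles into Spring Security authorities. */
    static class KeycloakRoleConverter implements Converter<Jwt, AbstractAuthenticationToken> {
        private final String clientId;

        KeycloakRoleConverter(String clientId) {
            this.clientId = clientId;
        }

        @Override
        public AbstractAuthenticationToken convert(Jwt jwt) {
            Set<GrantedAuthority> authorities = new HashSet<>();
            // Realm roles live in the payload as "realm_access": {"roles": ["admin", ...]}
            addRoles(authorities, jwt.getClaimAsMap("realm_access"));
            // Client roles live under "resource_access": {"<client-id>": {"roles": [...]}}
            Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
            if (resourceAccess != null
                    && resourceAccess.get(clientId) instanceof Map<?, ?> clientAccess) {
                addRoles(authorities, clientAccess);
            }
            String principal = jwt.getClaimAsString("preferred_username");
            return new JwtAuthenticationToken(jwt, authorities, principal);
        }

        private static void addRoles(Set<GrantedAuthority> target, Map<?, ?> access) {
            // A token without the claim, or with a malformed "roles" entry, simply yields no roles
            if (access != null && access.get("roles") instanceof Collection<?> roles) {
                for (Object role : roles) {
                    target.add(new SimpleGrantedAuthority("ROLE_" + role));
                }
            }
        }
    }
}

@RestController
class HelloController {
    @GetMapping("/hello-admin")
    String helloAdmin() {
        return "hello admin";
    }

    @GetMapping("/hello-user")
    String helloUser() {
        return "hello user";
    }
}
```

The converter keeps the role names exactly as Keycloak issues them and only adds the ROLE_ prefix, so the hasRole calls use the same lowercase names that were created in the realm. Because JwtAuthenticationToken is built from the already-decoded Jwt, role extraction runs only after the decoder has verified the signature against the realm's published keys; a token with a forged roles claim never reaches this code.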

Testing the Spring Boot Application with Keycloak [29:53]

The video demonstrates testing the integrated Spring Boot application with Keycloak. It shows how to start the application and obtain a JWT token from Keycloak using the appropriate URL and credentials. The video then demonstrates calling the /hello admin API with the JWT token in the authorisation header, verifying that it returns the expected response. It also shows that attempting to access the /hello user API with the admin token results in a forbidden error, confirming that the role-based access control is working correctly.
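The token request from the "Obtaining a JWT Token from Keycloak" section and the API calls from this testing section can be scripted as a small Java client. This is an added example, not code from the video. It assumes Keycloak on localhost:8080 with a realm named "demo" and a client "demo-client" that has direct access grants enabled, the Spring Boot application on localhost:8081 exposing /hello-admin and /hello-user, a test user "alice" holding only the admin role, and Jackson on the classpath for parsing the token response (Spring Boot brings it in).

```java
package com.example.keycloakdemo; // hypothetical package name

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.stream.Collectors;

import com.fasterxml.jackson.databind.ObjectMapper;

public class KeycloakApiClient {

    // Hypothetical addresses; the token endpoint path is the one Keycloak publishes under
    // /realms/<realm>/.well-known/openid-configuration as "token_endpoint"
    static final String TOKEN_URL = "http://localhost:8080/realms/demo/protocol/openid-connect/token";
    static final String API_URL = "http://localhost:8081";

    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        // Constructed test credentials for a user that holds only the "admin" role
        String token = obtainToken(client, "demo-client", "alice", "alice-password");
        // Expected: 200 with "hello admin", then 403 because the token carries no "user" role
        System.out.println("/hello-admin -> " + callApi(client, "/hello-admin", token));
        System.out.println("/hello-user  -> " + callApi(client, "/hello-user", token));
    }

    /** Resource owner password grant, as used in the video for testing with Postman. */
    static String obtainToken(HttpClient client, String clientId,
                              String username, String password) throws Exception {
        String form = formEncode(Map.of(
                "grant_type", "password",
                "client_id", clientId,
                "username", username,
                "password", password));
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_URL))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("token request failed: "
                    + response.statusCode() + " " + response.body());
        }
        // Keycloak returns a JSON object; the JWT is the "access_token" field
        return new ObjectMapper().readTree(response.body()).get("access_token").asText();
    }

    /** Calls a protected endpoint with the JWT in the Authorization header. */
    static String callApi(HttpClient client, String path, String accessToken) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(API_URL + path))
                .header("Authorization", "Bearer " + accessToken)
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        return response.statusCode() + " " + response.body();
    }

    private static String formEncode(Map<String, String> params) {
        return params.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }
}
```

The password grant is convenient for a local test because it returns a token in one request, but it requires the client to see the user's password, which is why Keycloak keeps it behind the "direct access grants" switch; for real front ends the authorisation code flow shown earlier in the video, where only Keycloak's login page handles the credentials, is the one to use.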

Date: 1/14/2026 Source: www.youtube.com