
(Optional) Exercise 1: Setup the web-application and Microservices locally


Last updated 3 years ago


To run these optional exercises, make sure the following tools are installed on your local machine and can be run in your terminal sessions.

  • git 2.24.1 or higher

  • yarn 1.22.4 or higher

  • Node.js v14.6.0 or higher

  • Apache Maven 3.6.3

  • Docker 3.0.4 or higher (running Keycloak locally)

  • Java 9 or higher

Architecture

Here is the local architecture, which shows the Web-App and the two microservices, Web-API and Articles, running on your local machine in terminal sessions. Keycloak is running on Kubernetes on IBM Cloud.

The gif shows the logon to the example web frontend application. This is the simplified sequence that happens in the background:

  1. After successful Keycloak authentication, we are redirected to the web frontend and the frontend gets an access-token.

  2. The access-token contains the user information and the information needed for authorization at the Java microservice Web-API.

  3. The web frontend extracts and displays the username.

  4. The web frontend then uses the access-token to invoke the Web-API microservice endpoint to get the articles, and displays them.
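
The sequence above, as an added example that is not part of the workshop code: it decodes an access-token, reads the username and realm roles, and flags a token whose issuer does not match the auth-server-url configured in the microservices. The claim names preferred_username and realm_access.roles are the ones Keycloak puts in its access tokens; that the workshop frontend reads exactly these claims, the role value, and the function names are assumptions, and the sample token is constructed.

```javascript
// Added example: inspect a Keycloak access token as the web frontend sees it.
// Decoding is NOT verification: the signature is validated by the Web-API
// (Quarkus OIDC), never by this helper.

function b64urlJson(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// expectedIssuer: the value configured as quarkus.oidc.auth-server-url
// nowSeconds: current time in seconds since the epoch
function inspectAccessToken(token, expectedIssuer, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (header.payload.signature)');
  const header = b64urlJson(parts[0]);
  const claims = b64urlJson(parts[1]);
  const problems = [];
  if (header.alg === 'none') problems.push('unsigned token (alg=none)');
  if (claims.iss !== expectedIssuer) problems.push('issuer mismatch: ' + claims.iss);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('token expired');
  return {
    username: claims.preferred_username, // assumed to be the claim the frontend displays
    roles: (claims.realm_access && claims.realm_access.roles) || [],
    problems,
  };
}

// Builds a constructed sample token; the signature segment is a dummy value.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'c2lnbmF0dXJl'].join('.');
}

// Issuer of a local Keycloak on port 8282 with the imported quarkus realm
const ISSUER = 'http://localhost:8282/auth/realms/quarkus';
const sample = makeSampleToken({
  iss: ISSUER, exp: 2000000000, preferred_username: 'alice',
  realm_access: { roles: ['user'] }, // constructed role value
});

console.log(inspectAccessToken(sample, ISSUER, 1700000000));
// Same token checked against a different auth-server-url: issuer mismatch is reported
console.log(inspectAccessToken(sample, 'https://YOUR_URL/auth/realms/quarkus', 1700000000).problems);
```

An issuer mismatch here is the usual reason a login succeeds in the browser while the Web-API rejects the request: the frontend and the microservices point at different Keycloak URLs.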

YouTube video related to the workshop

Step 1: Clone the project to your local machine

git clone https://github.com/IBM/cloud-native-starter.git
cd cloud-native-starter/security
ROOT_FOLDER=$(pwd)

(Optional) Setup Keycloak locally

In this part we will set up Keycloak locally. We will run a local Keycloak Docker container and reuse an existing realm configuration.

The image below shows the relevant elements we will use later.

Step 1: Start the Keycloak Docker image locally

Open the first terminal session and enter the following command:

docker run -it -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8282:8080 jboss/keycloak:9.0.2

Note: This command uses:

  • KEYCLOAK_USER=admin

  • KEYCLOAK_PASSWORD=admin

  • 8282:8080 port forwarding

  • keycloak:9.0.2 container image

Step 2: Import the existing realm configuration

  1. Open Keycloak in a browser and select the Administration Console.

    Use the following URL:

    http://localhost:8282/
  2. Log in using the URL in your browser with user admin and password admin.

  3. Select Add realm.

  4. For the import, choose Select file and open quarkus-realm.json.

Step 3: Press view all users

You should see the following users: admin, alice, jdoe

Step 4: Verify the role mapping

Setup Web-App

Step 1: Configure web-app

Now insert your Keycloak URL with the /auth suffix in main.js (for the local Keycloak: http://localhost:8282) and save the changes.

cd $ROOT_FOLDER/web-app/src
nano main.js

Example:

if (currentHostname.indexOf('localhost') > -1) {
  urls = {
    api: 'http://localhost:8081/',
    login: 'https://YOUR_URL/auth' // insert your http or https://<KeycloakURL>/auth
  }
  store.commit("setAPIAndLogin", urls);
}

Step 2: Run the web-app

Open the second terminal session and start the application on port 8080.

cd $ROOT_FOLDER/web-app
yarn install
yarn serve

Setup Web-Api

Step 1: Configure web-api-secure

Insert the auth-server-url of your Keycloak instance in the application.properties file and save the file.

Use the Keycloak URL you got during the setup of Keycloak on IBM Cloud.

cd $ROOT_FOLDER/web-api-secure/src/main/resources
nano application.properties

Example:

# When running locally, uncomment the next line and add your Keycloak URL; it must end with '/auth/realms/quarkus'
quarkus.oidc.auth-server-url=https://YOUR_URL/auth/realms/quarkus

quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret

quarkus.http.port=8081
quarkus.http.cors=true

resteasy.role.based.security=true

Step 2: Run the web-api-secure Microservice

Open a third terminal and start the service on port 8081.

cd $ROOT_FOLDER/web-api-secure
mvn clean package quarkus:dev

Setup Articles microservice

Step 1: Configure articles-secure

Insert the auth-server-url of your Keycloak instance in the application.properties file and save the file. Use the Keycloak URL you got during the setup of Keycloak on IBM Cloud.

cd $ROOT_FOLDER/articles-secure/src/main/resources
nano application.properties

Example:

# When running locally, uncomment the next line and add your Keycloak URL; it must end with '/auth/realms/quarkus'
quarkus.oidc.auth-server-url=https://YOUR_URL/auth/realms/quarkus

quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret

quarkus.http.port=8082
quarkus.http.cors=true

resteasy.role.based.security=true

Step 2: Run the articles-secure Microservice

Open a fourth terminal and start the service on port 8081.

cd $ROOT_FOLDER/articles-secure
mvn clean package quarkus:dev

Open the Web-App

Step 1: Open the Web-App in your local browser

Open the following URL in your browser:

http://localhost:8080

Step 2: Log in with the test user: alice, password: alice

Congratulations, you have successfully completed the optional hands-on lab tasks for the Authentication and Authorization with Keycloak and Quarkus section of the workshop. Awesome ⭐

When we invoke the web frontend on http://localhost:8080 we will be routed to the login dialog provided by the Keycloak server.

If you have your Keycloak running on Kubernetes, you can skip to Setup Web-App.