# Exercise 3: Authorization in Quarkus application Quarkus comes with two great quides that describe how to use Keycloak in web apps and services: * [Use OpenID Connect to Protect Service Applications](https://quarkus.io/guides/security-openid-connect) * [Use OpenID Connect to Protect Web Applications](https://quarkus.io/guides/security-openid-connect-web-authentication) * Develop protected Endpoints The Microservice Articles provides an endpoint `/articles` which only users with the role `user` can access. In application.properties the Keycloak URL is defined as well as the client ID and secret. The shows the simplified architecture: ![](/files/-MIs0azs_yoI9TRJAyKn) ## Developing protected Endpoints The service Articles provides an endpoint ‘/articles’ which only users with the role ‘user’ can access. In application.properties the Keycloak URL is defined as well as the client ID and secret. ```java quarkus.oidc.auth-server-url=https://YOUR_URL/auth/realms/quarkus quarkus.oidc.client-id=backend-service quarkus.oidc.credentials.secret=secret quarkus.http.port=8082 quarkus.http.cors=true resteasy.role.based.security=true ``` Note the line `resteasy.role.based.security=true`. This setting is important, so that the Articles service can receive the Authorization header from the Web-API service. I couldn’t find this in the Quarkus documentation, but Phillip Krüger from the Quarkus team provided this information. Once you’ve configured your Quarkus application, implementing the endpoint is trivial. Here we use `@RolesAllowed`, but there are other annotations available, for example `@Authenticated`. ```java @GET @Path("/articles") @Produces(MediaType.APPLICATION_JSON) @RolesAllowed("user") @NoCache public Set
getArticles() { return articles; } ``` This allows the test user Alice to invoke this endpoint, since she has the role \`user. ![](/files/-MFGFeYpdKsHwPeIz8JO) ## Invoking protected Endpoints The Web-API service has also a protected endpoint which has been implemented as above. Additionally it also invokes the Articles service. In order to do this, the MicroProfile REST Client is used. Let’s take at the configuration first. ```java quarkus.oidc.auth-server-url=https://keycloak-default.niklas-heidloff-b3c-4x16-162e406f043e20da9b0ef0731954a894-0000.us-south.containers.appdomain.cloud/auth/realms/quarkus quarkus.oidc.client-id=backend-service quarkus.oidc.credentials.secret=secret quarkus.http.port=8081 quarkus.http.cors=true org.eclipse.microprofile.rest.client.propagateHeaders=Authorization ``` The last line (6) is important again. This allows forwarding the authorization header with the JWT token without having to implement any code. ```java private ArticlesService articlesService; @PostConstruct void initialize() { URI apiV1 = UriBuilder.fromUri("http://{host}:{port}/articles").build(articlesHost, articlesPort); articlesService = RestClientBuilder.newBuilder() .baseUri(apiV1) .register(ExceptionMapperArticles.class) .build(ArticlesService.class); } public List getArticles(int amount) throws NoConnectivity { try { return articlesService.getArticlesFromService(amount); } catch (Exception e) { throw new NoConnectivity(e); } } ``` [Related blog post](http://heidloff.net/article/security-quarkus-applications-keycloak) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ibm-developer.gitbook.io/get-started-with-security-for-your-java-microservi/authentication-and-authorization-with-keycloak-and-quarkus/application_authorization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.