Diaobotian's visual security framework makes it easy to build your own authentication and authorization platform!

When we were learning Oauth2 before, we needed to write code to implement authentication and authorization services. I recently discovered a visual security framework Keycloak, which can quickly build authentication and authorization services with just a few commands, without the need for self-development. SpringBoot is natively supported, it is very simple to use, and I recommend it to everyone!

SpringBoot actual combat e-commerce project mall (50k+star) address: https://github.com/macrozheng/mall

Introduction

Keycloak is an open source authentication and authorization platform, which has 9.4k+Star on Github. Keycloak has many functions, which can realize user registration, social login, single sign-on, two-factor authentication, LDAP integration and other functions.

Install

It is very simple to use Docker to build a Keycloak service. Two commands are done. We will use this method.

• First download the Docker image of Keycloak, pay attention to use jboss , the official image is not in DockerHub;

docker pull jboss/keycloak:14.0.0

• Use the following command to run the Keycloak service:

docker run -p 8080:8080 --name keycloak \
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
-d jboss/keycloak:14.0.0

• After the operation is successful, you can access the Keycloak service through the following address, click the circled place to access the management console, the access address: http://192.168.7.142:8080

Console use

Next, let's experience Keycloak's management console and see what is magical about this visual security framework.

• First enter our account password admin:admin to log in;

• After successfully logging in and entering the management console, we can find that Keycloak is an English interface. The conscience is that it also supports multiple languages (including Chinese). Just change Themes->Default Locale to zh-CN to switch to Chinese;

• After the modification is completed, save and refresh the page, and the Keycloak console will become a Chinese interface;

• Keycloak is very conscientious to add explanations to many attributes, and they are still in Chinese. You can know how to use them by basically looking at the explanation;

• Before we start using Keycloak to protect application security, we have to create a realm. The realm is equivalent to the concept of tenants. Data between different tenants is isolated from each other. Here we create a macrozheng realm;

• Next, we can create a user macrozheng and create a user of macro

• After that, we edit the user's information and set the password under the credentials;

• After creating the user, you can log in. The login address of the user and the administrator are not the same, we can check the address client page;

• You can log in after accessing this address, access address: http://192.168.7.142:8080/auth/realms/macrozheng/account

• After the user logs in successfully, he can view and modify his personal information.

Use with Oauth2

OAuth 2.0 is an industry standard protocol for authorization. In "Spring Cloud Security: Getting Started with Oauth2" , we introduce the use of Oauth2 in detail. Of course, Keycloak is also supported. Let's experience it by calling the interface.

Two commonly used authorization modes

Let's review the two commonly used Oauth2 authorization modes.

Authorization code mode

• (A) The client directs the user to the authentication server;
• (B) The user logs in and authorizes the authentication server;
• (C) The authentication server returns the authorization code to the client;
• (D) The client obtains the access token from the authentication server through the authorization code and redirect address;
• (E) The authentication server issues an access token (you need to bring a refresh token).

Password mode

• (A) The client obtains the user name and password from the user;
• (B) The client accesses the authentication server through the user's username and password;
• (C) The authentication server returns an access token (you need to bring a refresh token).

Password mode experience

• First, you need to create the client mall-tiny-keycloak ;

• Then create a role mall-tiny ;

• Then assign the role to the macro user;

• Everything is ready, you can get the Token by calling the interface using Oauth2 in Postman, and get the address of the token: http://192.168.7.142:8080/auth/realms/macrozheng/protocol/openid-connect/token

Use with SpringBoot

Next, we experience the use of Keycloak to protect the security of SpringBoot applications. Since Keycloak natively supports SpringBoot, it is still very simple to use.

• Since our SpringBoot application will run on localhost:8088 , we need to configure the valid redirection URI of the Keycloak client;

• Next we need to modify the pom.xml application to integrate Keycloak;

<!--集成Keycloak-->
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
    <version>14.0.0</version>
</dependency>

• Then modify the configuration file application.yml application. Please refer to the comments for the specific attributes. Note that the roles that can be accessed are bound to the path;

# Keycloak相关配置
keycloak:
  # 设置客户端所在领域
  realm: macrozheng
  # 设置Keycloak认证服务访问路径
  auth-server-url: http://192.168.7.142:8080/auth
  # 设置客户端ID
  resource: mall-tiny-keycloak
  # 设置为公开客户端，不需要秘钥即可访问
  public-client: true
  # 配置角色与可访问路径的对应关系
  security-constraints:
    - auth-roles:
        - mall-tiny
      security-collections:
        - patterns:
            - '/brand/*'
            - '/swagger-ui/*'

• Next, visit the Swagger page of the application. When you visit, you will jump to the Keycloak console to log in. The access address is: http://localhost:8088/swagger-ui/

• After the login is successful, you can access the protected Swagger page and API interface, a very standard Oauth2 authorization code mode, and the process can refer to the description of the authorization code mode.

Summarize

Keycloak is a very good visual security framework that allows us to complete authentication and authorization functions without building an authentication service. It natively supports SpringBoot and can be integrated without modifying the code. It is worthy of being a modern security framework!

Reference

• Keycloak official document: https://www.keycloak.org/getting-started/getting-started-docker
• Protect SpringBoot application security: https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter

Project source code address

https://gitee.com/macrozheng/mall-learning/tree/master/mall-tiny-keycloak