This is the second part of the Keycloak blog. In this part we will set up a Keycloak server, create a realm, a client, a role and a user, and obtain access tokens from Keycloak's token API for a Spring Boot application.

Downloading and Installing Keycloak:

There are several distributions to choose from, but here we will go with the Standalone server. Once we've downloaded the Standalone server distribution, we can unzip it and start Keycloak from the terminal.
After running ./standalone.sh (with -Djboss.socket.binding.port-offset=100, so that the server listens on port 8180 instead of the default 8080), Keycloak starts its services.
Now open the browser and visit http://localhost:8180. We'll be redirected to http://localhost:8180/auth to create an administrative login:

Let’s create an initial admin user with a password. On clicking Create, we’ll see a message –  User Created. We can now proceed to the Administrative Console. On the login page, we’ll enter the initial admin user credentials:

  • Creating a Realm: A successful login will take us to the console and open up the default Master realm for us. The Master realm is meant for administering Keycloak itself, so here we'll create a custom realm for our application. Let's navigate to the upper left corner to find the Add realm button:

On the next screen, let’s add a new realm called SpringBootKeycloak:
After clicking the Create button, a new realm will be created and we’ll be redirected to it. All the operations in the next sections will be performed in this new SpringBootKeycloak realm.

  • Creating a Client: Now we’ll navigate to the Clients page. Keycloak comes with Clients that are already built-in:

But we need to add a new client for our application, so we'll click Create. We'll call the new Client login-app:
On the next screen, we'll leave all the defaults except the Valid Redirect URIs field. This field should contain the application URL(s) that are allowed to receive authentication responses for this client:
Later on, we'll create a Spring Boot application running on port 8081 that uses this client, so we've entered a redirect URI of http://localhost:8081/* above. The wildcard is convenient for local development, but Keycloak enforces this list as its only defence against an attacker steering an authorization code to a URL they control, so in production register the exact callback URL(s) rather than a wildcard.

  • Creating a Role and User: Keycloak uses role-based access control, and the Spring Boot application we configure later will only admit users who hold a specific role. So we need a realm role and a user that has it.

First we'll add a realm role named user:
Now we've got a role that can be assigned to users, but there are no users yet. So let's go to the Users page and add one:
We'll add a user named user1.
Once the user is created, a page with its details will be displayed. Go to the Credentials tab and set the initial password. If the Temporary switch is left on, user1 has to change the password on first interactive login, and until that happens the token request shown below is rejected because the account is not fully set up; turn Temporary off if you intend to use the password grant.
After this, navigate to the Role Mappings tab and assign the user role to user1.
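The same four steps (realm, client, role, user with password and role mapping) can be scripted against Keycloak's Admin REST API, which is handy for reproducing the setup in CI or on a fresh machine. The following Python script is an added example and not code from the original post; it assumes the Standalone server at http://localhost:8180/auth with the initial admin user created above, and the admin and user1 passwords in it are placeholders. The `send` parameter is the HTTP transport, so it can be swapped for a fake one when testing.

```python
"""Script the realm/client/role/user setup from this post via Keycloak's
Admin REST API. Added example, not part of the original post. Assumes the
legacy (WildFly-based) distribution on http://localhost:8180/auth and the
initial admin user created in the browser above; passwords are placeholders."""
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8180/auth"   # server URL used throughout the post
REALM = "SpringBootKeycloak"


def http_send(method, url, body=None, token=None, form=False):
    """Default transport. Returns (status, response headers, parsed JSON or None)."""
    data, headers = None, {}
    if body is not None:
        if form:
            data = urllib.parse.urlencode(body).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        else:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, resp.headers, (json.loads(raw) if raw else None)


def admin_token(send, username, password):
    """Password grant against the master realm's built-in admin-cli client."""
    url = f"{BASE}/realms/master/protocol/openid-connect/token"
    form = {"client_id": "admin-cli", "grant_type": "password",
            "username": username, "password": password}
    _, _, body = send("POST", url, form, form=True)
    return body["access_token"]


def provision(send, token, user_password):
    """Create the realm, the public client login-app, the realm role 'user'
    and user1 holding that role. Returns the id of the created user."""
    realms = f"{BASE}/admin/realms"
    send("POST", realms, {"realm": REALM, "enabled": True}, token)
    send("POST", f"{realms}/{REALM}/clients", {
        "clientId": "login-app",
        "publicClient": True,                         # matches keycloak.public-client=true
        "redirectUris": ["http://localhost:8081/*"],  # narrow this for production
        "directAccessGrantsEnabled": True,            # required for the password grant
    }, token)
    send("POST", f"{realms}/{REALM}/roles", {"name": "user"}, token)
    _, headers, _ = send("POST", f"{realms}/{REALM}/users",
                         {"username": "user1", "enabled": True}, token)
    # 201 Created carries the new user's id in the Location header
    user_id = headers["Location"].rstrip("/").rsplit("/", 1)[-1]
    send("PUT", f"{realms}/{REALM}/users/{user_id}/reset-password",
         {"type": "password", "value": user_password, "temporary": False}, token)
    _, _, role = send("GET", f"{realms}/{REALM}/roles/user", None, token)
    send("POST", f"{realms}/{REALM}/users/{user_id}/role-mappings/realm",
         [{"id": role["id"], "name": role["name"]}], token)
    return user_id


if __name__ == "__main__":
    tok = admin_token(http_send, "admin", "admin-password-placeholder")
    print("created user1 with id", provision(http_send, tok, "user1-password-placeholder"))
```

The script uses the master realm only to obtain the admin token and performs all other calls under /admin/realms/SpringBootKeycloak, mirroring what the console does in the background.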

  • Generating Access Tokens with Keycloak's API: Keycloak exposes the standard OpenID Connect token endpoint for issuing and refreshing access tokens, so a trusted first-party application can build its own login page on top of it. To obtain a token for the login-app client we send a POST request to the token endpoint of the SpringBootKeycloak realm (not the master realm, where login-app does not exist):

http://localhost:8180/auth/realms/SpringBootKeycloak/protocol/openid-connect/token
The request body is form-encoded (Content-Type: application/x-www-form-urlencoded), not JSON. It uses the password grant, which only works if Direct Access Grants is enabled on the client and should be limited to first-party applications, since the application handles the user's password directly. The fields, joined with & on the wire, are:
client_id=login-app
username=your_username
password=your_password
grant_type=password

In the response we get a JSON document containing an access_token, a refresh_token and expires_in, the access token's lifetime in seconds.
The access token is sent with every request to a Keycloak-protected resource in the Authorization header, with a space between the Bearer scheme and the token:

headers: {'Authorization': 'Bearer ' + access_token }

Once the access token has expired, we refresh it with a POST request to the same URL, again form-encoded, carrying the refresh token instead of the username and password. Keycloak responds with a new access_token and refresh_token; the old refresh token should then be discarded.
client_id=login-app
refresh_token=refresh_token_from_previous_request
grant_type=refresh_token
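To make the token exchange concrete, here is an added Python example (not code from the original post) that builds the form-encoded password and refresh requests, produces the bearer header, and reads the claims the Spring configuration later relies on (preferred_username and realm_access.roles). It assumes the SpringBootKeycloak realm and login-app client created above; the sample token embedded in it is constructed for the offline walk-through and carries no valid signature.

```python
"""Acquire, use and refresh a Keycloak access token for the login-app client.
Added example, not code from the original post. Assumes the SpringBootKeycloak
realm and the public client login-app created above; the user password you
pass in and the sample token below are placeholders."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = ("http://localhost:8180/auth/realms/SpringBootKeycloak"
             "/protocol/openid-connect/token")
CLIENT_ID = "login-app"   # public client: no client_secret is sent


def password_grant_form(username, password):
    """Body for the password grant. The endpoint wants form encoding, not JSON."""
    return urllib.parse.urlencode({
        "client_id": CLIENT_ID, "grant_type": "password",
        "username": username, "password": password,
    })


def refresh_grant_form(refresh_token):
    """Body that trades a refresh token for a fresh access/refresh token pair."""
    return urllib.parse.urlencode({
        "client_id": CLIENT_ID, "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    })


def post_form(body, url=TOKEN_URL):
    """POST a form-encoded body to the token endpoint; returns the parsed JSON."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def bearer_header(access_token):
    """Authorization header for a protected resource (note the space after Bearer)."""
    return {"Authorization": "Bearer " + access_token}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT checking the signature. Good enough for a
    client deciding when to refresh; a resource server must verify the signature
    against the realm's public keys (the Spring adapter does that for you)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_roles(claims):
    """Realm roles the adapter's security constraints check (realm_access.roles)."""
    return claims.get("realm_access", {}).get("roles", [])


def needs_refresh(token_response, received_at, now, skew=30):
    """True once the access token is within `skew` seconds of expiring."""
    return now >= received_at + token_response["expires_in"] - skew


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample response for the offline walk-through; the signature part
# is a placeholder, so jwt_claims() only decodes it and never trusts it.
SAMPLE_RESPONSE = {
    "access_token": ".".join([
        _b64url({"alg": "RS256", "typ": "JWT"}),
        _b64url({"preferred_username": "user1",
                 "realm_access": {"roles": ["user"]}}),
        "signature-placeholder",
    ]),
    "refresh_token": "refresh-token-placeholder",
    "expires_in": 300,
}

if __name__ == "__main__":
    # Live use: tokens = post_form(password_grant_form("user1", "user1-password"))
    tokens = SAMPLE_RESPONSE
    claims = jwt_claims(tokens["access_token"])
    print(claims["preferred_username"], realm_roles(claims))
    print(bearer_header(tokens["access_token"]))
    if needs_refresh(tokens, received_at=0, now=280):
        # Live use: tokens = post_form(refresh_grant_form(tokens["refresh_token"]))
        print("refresh needed")
```

The skew in needs_refresh avoids sending a token that expires while the request is in flight; the refresh token itself should be kept out of browser-accessible storage and never sent to anything but the token endpoint.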

While creating the Spring Boot application we need to include Keycloak's Spring Boot adapter dependency (org.keycloak:keycloak-spring-boot-starter) in pom.xml. Note that the Keycloak project has since deprecated these adapters in favour of Spring Security's own OAuth 2.0 / OpenID Connect support, so the configuration below is specific to the adapter.

  • Configuration: The basic mandatory configuration is as below:

keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=SpringBootKeycloak
keycloak.resource=login-app
keycloak.public-client=true
keycloak.principal-attribute=preferred_username

Here are the security constraints we can use:
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/customers/*
These constraints ensure that a request to /customers/* is only served if the caller has authenticated (the adapter redirects unauthenticated browser requests to Keycloak's login page) and holds the realm role user. Paths outside /customers/* remain accessible without authentication, so add a constraint for every path that needs protection.

Hope you liked this article. Do check out our other blogs here.