Get Started

SPRING MICROSERVICES AND KEYCLOAK 

Introduction 

Microservice architectures are the ‘new normal’. Microservices Architecture is a software development approach where an application is broken down into smaller, independent services that can be developed, deployed, and scaled independently of one another. Each service is designed to perform a specific task or function and will communicate with other services. Microservices architecture not only enhances team productivity but also improves fault isolation, accelerates scalability, aligns well with the Agile Manifesto and DevOps practices. 

There are various libraries useful for developing microservices but widely used by developers is Spring framework and its sub projects like Spring Boot, and Spring Cloud. They provide tools like service discovery, load balancing, circuit breaking, etc. Spring security also plays a critical role in enhancing the security of microservices. A comprehensive set of security features are provided by Spring framework which addresses various security concerns like authentication, authorization, and protection against common security threats. These libraries also allow for using JWT for authentication, implementing RBAC, using OAuth2 for authorization, securing communication with HTTPS, and implementing CSRF protection, rate limiting, and logging and monitoring. All these tools can help to ensure that your microservices are secure and protected against common security threats. 

Keycloak is an open-source identity and access management (IAM) solution that provides multiple security features for web applications, APIs, and microservices by empowering you to protect sensitive data and enforce access control policies effectively. Keycloak provides a wide range of authentication & authorization mechanisms which includes basic auth, social logins like Google and Facebook, multi-factor authentication (MFA) etc. It supports authentication standards such as OAuth 2.0, OpenID Connect, role-based access control (RBAC), SAML, LDAP, attribute-based access control (ABAC), and policy-based access control (PBAC) to restrict access to resources based on user roles and attributes. 

Key Features of Keycloak 

  • Single Sign-On (SSO): Once a user has successfully authenticated using Keycloak, they don’t need to log in to any more associated applications. Keycloak offers smooth single sign-on for a variety of services and applications. SSO also applies to logout. Keycloak provides single-sign out, which means users only have to logout once to be logged-out of all applications that use Keycloak. 
  • Authorization and Access Control: Flexible techniques for authorization and access control are offered by Keycloak. Keycloak supports dynamic authorization features, allowing users to dynamically adjust access control decisions based on contextual information such as user attributes, environmental factors, or runtime conditions. 
  • Centralized User Management: Keycloak provides a centralized user repository and administration interface, making it easy to manage user identities, roles, and permissions. 
  • Token-Based Security: After users have verified, Keycloak provides them with secure JWT tokens that are loaded with access rights and user identification data. When a user wants to access microservices, these JWT tokens are used to authenticate and authorize the users. 
  • Security Compliance: Keycloak logs and tracks user authentication events, providing organizations with the ability to audit and monitor user access activities. Keycloak helps organizations comply with security standards and regulations by providing features such as audit logging, encryption, secure password storage, and integration with external security tools and services. 
  • Admin Console: Administrators can centrally manage all aspects of the Keycloak server using Admin Console. Administrators can use Admin Console to enable, disable various features, create and manage applications and services, define fine-grained authorization policies, and manage users, including permissions and their sessions. 

Overview 

Getting started with Keycloak 

Getting started with Keycloak involves several steps to set up and configure the identity and access management (IAM) solution according to the requirements details of which are provided in the official website of Keycloak ‘https://www.keycloak.org/guides’. 

Microservice API Gateway and Keycloak 

1-Start Keycloak using docker 

If you have docker installed on your machine, then from the terminal, enter the below command to start Keycloak on the local port 8080 and create an initial admin user with the username admin and password admin. 

docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:24.0.3 start-dev 

2- Login to Admin Console using username/password as admin/admin. 

3- Create a realm by clicking the word master in the top-left corner, then click Create Realm. 

4- Create Client by selecting the Client from the left menu. Fill in the required details for the new client like Client ID, Client Protocol, Access Type, Root URL, Valid Redirect URIs, Web Origins, Client Authentication and save the client. After creating the client, you may need to configure additional settings such as scopes, roles, mappers, and authentication flows based on your application’s requirements. 

5- Copy the client secret like the screenshot below to use in your microservices API gateway properties file. 

6- Copy the “issuer” and “token_endpoint” from the Realm Settings -> Endpoints ->  

OpenID Endpoint Configuration to use in your microservices API gateway properties file. 

7- Include the necessary dependencies in you pom.xml file of API Gateway as shown below in the screenshot 

8- Add the copied “issuer” in the application.yml file of API Gateway. 

9- Create a security config class as shown in the screenshot below in API Gateway. 

10- Once the above steps are completed, you can start the Spring Boot API gateway application. When you access the “/eureka-gateway” endpoint, you will be redirected to Keycloak to authenticate. After you have authenticated, you will be redirected back to the API gateway where you will now be able to access the protected resources. 

Conclusion 

Spring Cloud API Gateway when combined with Keycloak provides a strong security solution for microservices. With Keycloak, a strong and scalable security infrastructure can be developed that successfully safeguards microservices and data by centralizing authentication and authorization, putting SSO into place, imposing granular access control, and utilizing token-based security. 

Author

Mohsin Ansari

Latest Blogs

Build a better future with the right fusion of Technology and Talent.

Facebook Instagram Linkedin Twitter
Resources
Newsletter
© 2023 Prama is Proudly created by IncrediBee

SEND US YOUR RESUME

Apply Now