In this section, you will set up a Keycloak service on your local machine, configure it, and modify the project in NetBeans to make use of it for authentication and authorisation across the site.
To clarify the network port numbering scheme:
This arrangement means that there should not be traffic occurring directly between clients of your Web service and the Keycloak auth service. This is important, as such communication is comparatively "open" and subject to interception by third parties, especially man-in-the-middle attacks.
Download Keycloak from https://www.keycloak.org/downloads (use the Quarkus distribution, .tar.gz format for Linux, and save it to your COMP 210 folder).
Extract the Keycloak archive. For example, in the Linux lab:
cd comp210
tar -xvzf keycloak-19.0.1.tar.gz
cd keycloak-19.0.1/bin
Start Keycloak from your terminal session.
./kc.sh start-dev
This will start Keycloak in development mode. This is a quick-start mode that allows developers to start messing around with Keycloak without needing to properly configure a data store or the server settings --- in this mode it has pretty much all of its features enabled and uses pre-generated encryption keys. You should not use this mode for production systems.
We need to create an administrator user in Keycloak. Open:
http://localhost:8080
On the main page, under "Administration Console", enter admin for both the username and password for the new admin user, and click Create.
Click the Administration Console link (http://localhost:8080/admin) to sign in using your new admin user.
Click the main menu button in the top left.
Add a new realm by clicking <> in the top left and clicking the <> button. A realm allows us to group all of the users, roles, clients, and policies for a single application together. Name the realm AuthLab and click <>.
Create a user account for boris from the dao.UserDAO class in the NetBeans project. You should get into the habit of using @example.com for test/dummy e-mail addresses, since you never know when one of these systems is actually going to send a real e-mail. Entering random/silly e-mail addresses for testing can backfire when you accidentally fluke on a real address and someone gets sent a few dozen testing e-mails. The example.com domain is specifically reserved for example/testing data and is pretty much guaranteed not to have real e-mail addresses attached to it.
Set the <> option to 'On' to tell Keycloak that the e-mail address should be considered verified already (so that you don't have to go through an additional e-mail verification step). Click <>. Note that Keycloak also allows users to create their own accounts if that is what is needed. This can be done either via REST, or via a Web form which you are able to style to make it look like it is part of your application.
Now we need to set the password for the new user. Click the <> tab above the user's details and set the password to boris. Set the <> option to 'OFF' so that the user isn't forced to reset their password when they first sign in, and save the changes. Repeat the process to create a user account for doris as well.
Now we need to add a client. This represents a single service that will be using Keycloak as an identity provider.
Open the main Keycloak menu and click <>. Click the <> button. Leave the client protocol as openid-connect. Enter COMP210 as the Client ID and COMP210 as the Name for the new client.
Enable <>. Click <>. Turn <> on. Click <>.
Under "Access settings", specify the Root URL as http://localhost:8081/ and the Home URL as http://localhost:8081/. Specify the Valid redirect URIs as http://localhost:8081/* and the Valid post logout redirect URIs as http://localhost:8081/*.
Under "Login settings", choose base as the Login theme. This will make the login/authentication pages completely non-styled and basic (for normal deployments, you could choose a theme to match your main site theme for seamless integration).
If you are interested in trying it out, enable the Consent required option. This will cause the user to be prompted to approve any logins that happen via Keycloak (similar to other systems you may have used).
Under "Login settings", specify the Front-channel logout URL as http://localhost:8081/logout.
Click <> to save your client details.
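As an added example (not part of the lab handout or of Keycloak itself), the following Python script applies Keycloak's documented redirect-URI matching rule, where a trailing * is the only wildcard and everything before it must match exactly, to the patterns entered above, and flags patterns that would allow redirects beyond your own site. The audit heuristics in audit_patterns are assumptions added here for teaching purposes, not Keycloak's own checks.

```python
"""Check redirect URIs against Keycloak-style 'Valid redirect URIs' patterns.

Constructed example: the patterns below are the values entered in the lab;
the matching rule models Keycloak's documented behaviour (trailing '*' only).
"""
from urllib.parse import urlsplit

VALID_REDIRECT_URIS = ["http://localhost:8081/*"]
VALID_POST_LOGOUT_URIS = ["http://localhost:8081/*"]


def matches_pattern(uri: str, pattern: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def is_allowed_redirect(uri: str, patterns: list[str]) -> bool:
    """True if 'uri' is an absolute http(s) URL matching one of 'patterns'."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return any(matches_pattern(uri, p) for p in patterns)


def audit_patterns(patterns: list[str]) -> list[str]:
    """Return one warning per pattern broader than a single site's paths
    (heuristics assumed here, not Keycloak's own validation)."""
    warnings = []
    for p in patterns:
        if p == "*":
            warnings.append(f"{p!r}: matches every URI; a login could redirect anywhere")
            continue
        star = p.find("*")
        if star == -1:
            continue  # exact URI, nothing to flag
        if star != len(p) - 1:
            warnings.append(f"{p!r}: '*' is only honoured as the final character")
        scheme_end = p.find("://")
        path_start = p.find("/", scheme_end + 3) if scheme_end != -1 else -1
        if scheme_end == -1 or path_start == -1 or star < path_start:
            warnings.append(f"{p!r}: wildcard covers scheme, host or port, not just the path")
    return warnings


if __name__ == "__main__":
    print(is_allowed_redirect("http://localhost:8081/logout", VALID_POST_LOGOUT_URIS))
    print(audit_patterns(["http://localhost:8081/*", "http://localhost:8081*", "*"]))
```

Run it with the Valid redirect URIs you configured to see that only paths under http://localhost:8081/ pass, while a pattern such as http://localhost:8081* would also admit a differently named host.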