labs / tiddlers / content / labs / 04 / _Labs_04_Keycloak

In this section, you will set up a Keycloak service on your local machine, configure it, and modify the project in NetBeans to make use of it for authentication and authorisation across the site.

To clarify the network port numbering scheme:

  • Port 8081 is being used for your Java/Jooby Web service. This is the main point of access for clients (users) of your system.
  • Port 8080 is being used for the Keycloak auth service. Your Web service will connect to this port when it needs to check authentication or authorisation. Traffic on this port is highly sensitive and needs to be kept confidential (usually using HTTPS, though for this lab we are running Keycloak in developer mode so that you can see what's going on).

This arrangement means that there should not be traffic occurring directly between clients of your Web service and the Keycloak auth service. This is important, as such communication is comparatively "open" and subject to interception by third parties, especially man-in-the-middle attacks.

  1. Download keycloak from (use the Quarkus distribution, .tar.gz format for Linux, and save it to your COMP 210 folder).

  2. Extract the Keycloak archive. For example, in the Linux lab:

     cd comp210
     tar -xvzf keycloak-19.0.1.tar.gz
     cd keycloak-19.0.1/bin
  3. Start Keycloak from your terminal session.

     ./ start-dev

    This will start Keycloak in development mode. This is a quick-start mode that allows developers to start messing around with Keycloak without needing to properly configure a data store or the server settings --- in this mode it has pretty much all of its features enabled and uses pre-generated encryption keys. You should not use this mode for production systems.

  4. We need to create an administrator user in Keycloak. Open:

    http://localhost:8080 On the main page, under "Administration Console", enter admin for both the username and password for the new admin user, and click Create.

  5. Click the Administration Console link to sign in using your new admin/admin user.

  6. Click the main menu button in the top left.

  7. Add a new realm by clicking <

    > in the top left and clicking the <> button. A realm allows us to group all of the users, roles, clients, and policies for a single application together.

    Name the realm AuthLab and click <


  8. Now we can add a user. Open the Keycloak menu, click <>, then click the <> button. Add a username, e-mail, and first and last names. You can use the details of boris from the dao.UserDAO class in the NetBeans project. You should get into the habit of using for test/dummy e-mail addresses since you never know when one of these systems is actually going to send a real e-mail. Entering random/silly email addresses for testing can backfire when you accidentally fluke on a real address and someone gets sent a few dozen testing emails. The domain is specifically intended for example/testing data and is pretty much guaranteed to not have real e-mail addresses attached to it. Set the <> option to 'On' to tell Keycloak that the e-mail address should be considered to be verified already (so that you don't have to go through an additional e-mail verification step). Click <>. Note that Keycloak does also allow users to create their own accounts if that is what is needed. This can be done either via REST, or via a Web form which you are able to style to make it look like it is part of your application.
  9. Now we need to set the password for the new user. Click the <

    > tab above the user's details and set the password to boris. Set the <> option to 'OFF' so that the user isn't forced to reset their password when they first sign in, and save the changes.

  10. Repeat the process to create a user account for doris as well.

  11. Now we need to add a client. This represents a single service that will be using Keycloak as an indentity provider.

    Open the main Keycloak menu and click <

    >. Click the <> button. Leave the client protocol as openid-connect.

    Enter COMP210 as the Client ID.

    Enter COMP210 as the Name for the new client.

    Enable <


    Click <


    Turn <

    > on. Click <>. Under "Access settings", specify the Root URL as http://localhost:8081/.

    Specify the Home URL as http://localhost:8081/.

    Specify the Valid redirect URIs as http://localhost:8081/*.

    Specify the Valid post logout redirect URIs as http://localhost:8081/*.

    Under "Login settings", choose base as the Login theme. This will make the login/authentication pages completely non-styled and basic (for normal deployments, you could choose a theme to match your main site theme for seamless integration).

    If you are interested to try it out, enable the Consent required option. This will cause the user to be prompted to approve of any logins that happen via Keycloak (similar to other systems you may have used).

    Under "Login settings", specify the Front-channel logout URL as http://localhost:8081/logout.

    Click <

    > to save your client details.