In this section, you will set up a Keycloak service on your local machine, configure it, and modify the project in NetBeans to make use of it for authentication and authorisation across the site.
To clarify the network port numbering scheme:
- Port 8081 is being used for your Java/Jooby Web service. This is the main point of access for clients (users) of your system.
- Port 8080 is being used for the Keycloak auth service. Your Web service will connect to this port when it needs to check authentication or authorisation. Traffic on this port is highly sensitive and needs to be kept confidential (usually using HTTPS, though for this lab we are running Keycloak in developer mode so that you can see what's going on).
This arrangement means that there should not be traffic occurring directly between clients of your Web service and the Keycloak auth service. This is important, as such communication is comparatively "open" and subject to interception by third parties, especially man-in-the-middle attacks.
Download keycloak from
https://www.keycloak.org/downloads (use the Quarkus distribution,
.tar.gz format for Linux, and save it to your COMP 210 folder).
Extract the Keycloak archive. For example, in the Linux lab:
tar -xvzf keycloak-19.0.1.tar.gz
Start Keycloak from your terminal session.
This will start Keycloak in development mode. This is a quick-start mode that allows developers to start messing around with Keycloak without needing to properly configure a data store or the server settings --- in this mode it has pretty much all of its features enabled and uses pre-generated encryption keys. You should not use this mode for production systems.
We need to create an administrator user in Keycloak. Open:
http://localhost:8080 On the main page, under "Administration Console", enter
admin for both the username and password for the new admin user, and click Create.
Click the Administration Console link to sign in using your new
Click the main menu button in the top left.
Add a new realm by clicking <> in the top left and clicking the <> button. A realm allows us to group all of the users, roles, clients, and policies for a single application together.
Name the realm >.
AuthLab and click <
- Now we can add a user. Open the Keycloak menu, click <>, then click the <> button. Add a username, e-mail, and first and last names. You can use the details of
boris from the
dao.UserDAO class in the NetBeans project. You should get into the habit of using
@example.com for test/dummy e-mail addresses since you never know when one of these systems is actually going to send a real e-mail. Entering random/silly email addresses for testing can backfire when you accidentally fluke on a real address and someone gets sent a few dozen testing emails. The
example.com domain is specifically intended for example/testing data and is pretty much guaranteed to not have real e-mail addresses attached to it. Set the <> option to 'On' to tell Keycloak that the e-mail address should be considered to be verified already (so that you don't have to go through an additional e-mail verification step). Click <>. Note that Keycloak does also allow users to create their own accounts if that is what is needed. This can be done either via REST, or via a Web form which you are able to style to make it look like it is part of your application.
Now we need to set the password for the new user. Click the <> tab above the user's details and set the password to
boris. Set the <> option to 'OFF' so that the user isn't forced to reset their password when they first sign in, and save the changes.
Repeat the process to create a user account for
doris as well.
Now we need to add a client. This represents a single service that will be using Keycloak as an indentity provider.
Open the main Keycloak menu and click <>. Click the <> button. Leave the client protocol as
COMP210 as the Client ID.
COMP210 as the Name for the new client.
Turn <> on. Click <>. Under "Access settings", specify the Root URL as
Specify the Home URL as
Specify the Valid redirect URIs as
Specify the Valid post logout redirect URIs as
Under "Login settings", choose
base as the Login theme. This will make the login/authentication pages completely non-styled and basic (for normal deployments, you could choose a theme to match your main site theme for seamless integration).
If you are interested to try it out, enable the Consent required option. This will cause the user to be prompted to approve of any logins that happen via Keycloak (similar to other systems you may have used).
Under "Login settings", specify the Front-channel logout URL as
Click <> to save your client details.