rkbalgi · October 3, 2018 04:50 · rkbalgi · Oct 15, 2018
diff --git a/gistfile1.txt b/gistfile1.txt
 This gist describes the process of setting up direct grant access  (oauth2 resource owner password flow) with keycloak and spring boot. We'll follow the
 below steps -

 1. Install keycloak - there are plenty of examples out there (even a  docker image)
 2. Create a demo realm and create a client within the demo realm with the settings as - 
    client-protocol: openid-connect, access-type: confidential, (implicit-flow+direct-access-grant+service-accounts)=enabled
 3. Create 2 roles - developer and admin within the demo realm
 4. Create 2 users - one with developer role and other with admin (Ensure that user is enabled, there are no "Required User Actions" and that the password has been reset (in the credentials tab)


 Now, create a simple Spring Boot application with keycloak Spring Boot adapter. My pom.xml looks like -

  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-spring-boot-starter</artifactId>
      <version>4.3.0.Final</version>
    </dependency>
  </dependencies>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.4.RELEASE</version>
      </dependency>
      <dependency>
        <groupId>org.keycloak.bom</groupId>
        <artifactId>keycloak-adapter-bom</artifactId>
        <version>4.3.0.Final</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

 Create a single resource that we will protect with keycloak like this -

 @RestController
 public class HelloResource {

  @RequestMapping(value = "/demo/message", method = RequestMethod.GET)
  public String hello(){
    return "Hello World";
  }

 }
  
  
 Now, the most important bit - the configuration file, in this case application.yml in src/main/resources

 ###
 server:
 port: 8181
 logging.level.org.keycloak: trace
 logging.level.org.springframework.security: trace

 keycloak:
  enable-basic-auth: false
  realm: infinx
  auth-server-url: http://localhost:8080/auth # keycloak server base url
  ssl-required: none
  resource: spring-demo-app ## This is the name of your client in keycloak
  use-resource-role-mappings: false
  bearer-only: true
  credentials:
   secret: xxxxxxxxx-xxx-xxx-xxxx-xxxxx # secret of the client from keycloak UI
  securityConstraints:
  - authRoles:
        - developer  # The role from keycloak
    securityCollections:
        - name: developer stuff
          patterns:
            - /demo/* # only allow developers to access 
  public-client: false
 ####  

 Thats it!, Now run your application.

 Testing -
 1. Generate a token by invoking keycloak openid endpoint (You can use curl for this purpose)
 POST http://localhost:8080/auth/realms/infinx/protocol/openid-connect/token
 Accept: */*
 Cache-Control: no-cache
 Content-Type: application/x-www-form-urlencoded

 client_id=spring-demo-app&client_secret=xxxxxxxxx-xxx-xxx-xxxx-xxxxx&username=developer1&password=password&grant_type=password

 This should return a bunch of stuff, but most important of all is the access_token

 "access_token": "ey......9RgnFhPQ2RbLw"

 GET http://localhost:8181/demo/message
 Accept: */*
 Cache-Control: no-cache
 Authorization: Bearer ey......9RgnFhPQ2RbLw

 You should be able to access the resource. Now, repeat the steps with admin user and access should be denied.
	This gist describes the process of setting up direct grant access (oauth2 resource owner password flow) with keycloak and spring boot. We'll follow the
	below steps -

	1. Install keycloak - there are plenty of examples out there (even a docker image)
	2. Create a demo realm and create a client within the demo realm with the settings as -
	client-protocol: openid-connect, access-type: confidential, (implicit-flow+direct-access-grant+service-accounts)=enabled
	3. Create 2 roles - developer and admin within the demo realm
	4. Create 2 users - one with developer role and other with admin (Ensure that user is enabled, there are no "Required User Actions" and that the password has been reset (in the credentials tab)


	Now, create a simple Spring Boot application with keycloak Spring Boot adapter. My pom.xml looks like -

	<dependencies>
	<dependency>
	<groupId>junit</groupId>
	<artifactId>junit</artifactId>
	<version>4.11</version>
	<scope>test</scope>
	</dependency>
	<dependency>
	<groupId>org.keycloak</groupId>
	<artifactId>keycloak-spring-boot-starter</artifactId>
	<version>4.3.0.Final</version>
	</dependency>
	</dependencies>

	<dependencyManagement>
	<dependencies>
	<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-parent</artifactId>
	<version>2.0.4.RELEASE</version>
	</dependency>
	<dependency>
	<groupId>org.keycloak.bom</groupId>
	<artifactId>keycloak-adapter-bom</artifactId>
	<version>4.3.0.Final</version>
	</dependency>
	</dependencies>
	</dependencyManagement>

	Create a single resource that we will protect with keycloak like this -

	@RestController
	public class HelloResource {

	@RequestMapping(value = "/demo/message", method = RequestMethod.GET)
	public String hello(){
	return "Hello World";
	}

	}


	Now, the most important bit - the configuration file, in this case application.yml in src/main/resources

	###
	server:
	port: 8181
	logging.level.org.keycloak: trace
	logging.level.org.springframework.security: trace

	keycloak:
	enable-basic-auth: false
	realm: infinx
	auth-server-url: http://localhost:8080/auth # keycloak server base url
	ssl-required: none
	resource: spring-demo-app ## This is the name of your client in keycloak
	use-resource-role-mappings: false
	bearer-only: true
	credentials:
	secret: xxxxxxxxx-xxx-xxx-xxxx-xxxxx # secret of the client from keycloak UI
	securityConstraints:
	- authRoles:
	- developer # The role from keycloak
	securityCollections:
	- name: developer stuff
	patterns:
	- /demo/* # only allow developers to access
	public-client: false
	####

	Thats it!, Now run your application.

	Testing -
	1. Generate a token by invoking keycloak openid endpoint (You can use curl for this purpose)
	POST http://localhost:8080/auth/realms/infinx/protocol/openid-connect/token
	Accept: /
	Cache-Control: no-cache
	Content-Type: application/x-www-form-urlencoded

	client_id=spring-demo-app&client_secret=xxxxxxxxx-xxx-xxx-xxxx-xxxxx&username=developer1&password=password&grant_type=password

	This should return a bunch of stuff, but most important of all is the access_token

	"access_token": "ey......9RgnFhPQ2RbLw"

	GET http://localhost:8181/demo/message
	Accept: /
	Cache-Control: no-cache
	Authorization: Bearer ey......9RgnFhPQ2RbLw

	You should be able to access the resource. Now, repeat the steps with admin user and access should be denied.