Secures your application with Spring Security 5 and Keycloak

Image for post
Image for post

Spring Security 5 brought new OAuth2/OIDC client instead of the legacy client support in the old Spring Security OAuth sub project. The new OAuth2 umbrella modules in the core project will replace the old Spring Security OAuth, Spring Social etc. In the further 5.1, OAuth2 authorization server and resource server are planned to implement, check the OAuth2 related issues on Github .

Spring Security 5 OAuth2 client has built-in supports for facebook, github, okta, Google etc, unlike Spring Social, in this new client, Spring Security 5 provides a generic solution for client registration, thus you can configure any OAuth2/OIDC providers without codes.

A new oauth2login sample is added in Spring Security source codes to demonstrate the newest OAuth2 client.

In this post, we will fork this sample, and try to start up a local keycloak server and configure it as a custom OAuth2/OIDC provider in our project.

Setup local keycloak server

To simplify the work, I prepared a docker-compose.yml file to start keycloak server in a single command.

version: '3.3' services:    

image: jboss/keycloak
- "8000:8080"
- KEYCLOAK_USER=keycloak
- mysql

image: mysql
- MYSQL_USER=keycloak
- ./data/mysql:/var/lib/mysql

Start up keycloak by docker-compose command.

docker-compose up

Register client app in keycloak

When keycloak is started, open your browser and navigate to http://localhost:8000 or http://<docker-machine ip>:8000 if you are using a docker machine.

  1. Create a new schema: demo.
  2. Switch to the new demo schema in the dropdown menu.
  3. Create a client app: demoapp.
  4. Create a new user for test purpose.

Configure keycloak in our application

Generate a new project via Spring Initializr or fork the official oauth2login sample as start point.

Add a new keycloak node under the spring/security/oauth2/client node in the application.yml file.

client-id: demoapp
client-secret: demoapp
clientName: Keycloak
authorization-grant-type: authorization_code
redirectUriTemplate: '{baseUrl}/login/oauth2/code/{registrationId}'
- openid
- profile
- email
authorization-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/auth
token-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/token
user-info-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/userinfo
jwk-set-uri: http://localhost:8000/auth/realms/demo/protocol/openid-connect/certs
user-name-attribute: preferred_username

For custom OAuth2 provider, you have to configure the details of the OAuth2 provider, and provides the details of client registration for OAuth client support.

Bootstrap the application by mvn spring-boot:run or run it in IDE directly, then navigate to http://localhost:8080 in your browser.

You will find a new Keycloak link added in our application login page.

  1. Click the Keycloak link, it will guide you to redirect to keycloak login page.
  2. Use the user/password we have created in the last step to login.
  3. if it is successful, it will return back to our application home page.
Image for post
Image for post

4. Click the Display User Info link, it will show all user attributes from /userinfo endpiont exposed by keycloak.

Image for post
Image for post

Check out the source codes from my github account.

Written by

Self-employed technical consultant, solution architect and full-stack developer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store