SpringBoot e-commerce project mall (50K + STAR) address: github.com/macrozheng/…
Abstract
Previously, when learning OAuth2, we had to write code ourselves to implement the authentication and authorization service. Keycloak is a visual security framework that lets you stand up an authentication and authorization service with just a few commands. It has native support for SpringBoot and is very simple to use; recommended to everyone!
Introduction
Keycloak is an open-source authentication and authorization platform with over 9.4K stars on GitHub. It offers many features, including user registration, social login, single sign-on (SSO), two-factor authentication, and LDAP integration.
Installation
Building the Keycloak service with Docker takes just two commands, so that is how we will do it.
- First, pull the Keycloak Docker image (the official image is published on DockerHub under the jboss namespace):

```bash
docker pull jboss/keycloak:14.0.0
```

- Run the Keycloak service with the following command:

```bash
docker run -p 8080:8080 --name keycloak \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=admin \
  -d jboss/keycloak:14.0.0
```

- Once the container is running, the Keycloak service can be reached at the following address; click the Administration Console link (circled in the screenshot) to open the management console: http://192.168.7.142:8080
Using the console
Let's take a look at Keycloak's administrative console and see what is so impressive about this visual security framework.
- First, log in with the account and password admin:admin;
- After logging in to the admin console you will find that the Keycloak interface is in English. Fortunately, it supports multiple languages (including Chinese): simply change Themes -> Default Locale to zh-CN to switch to Chinese;
- After saving the change and refreshing the page, the Keycloak console switches to the Chinese interface;
- Keycloak provides helpful explanations for many of its properties, and those explanations are in Chinese too;
- Before we can use Keycloak to secure our application, we need to create a realm. A realm is the equivalent of a tenant, and data belonging to different tenants is isolated from each other. Here we create the macrozheng realm;
- Next, create a user in the macrozheng realm; here we create the user macro;
- Then edit the user's information and set a password under Credentials;
- Once the user is created, they can log in. Note that the user login address differs from the administrator's; it is shown on the Clients page;
- Visit that address to log in as the user: http://192.168.7.142:8080/auth/realms/macrozheng/account
- After a successful login, the user can view and modify their personal information.
Using with OAuth2
OAuth 2.0 is the industry-standard protocol for authorization. In Spring Cloud Security: An Introduction to The Use of Oauth2 we described the use of OAuth2 in detail; Keycloak supports it as well.
Two common authorization modes
Let's review the two commonly used OAuth2 authorization modes.
Authorization code mode
- (A) The client directs the user to the authentication server;
- (B) The user logs in and authorizes on the authentication server;
- (C) The authentication server returns the authorization code to the client;
- (D) The client exchanges the authorization code, together with the redirect URI, for an access token at the authentication server;
- (E) The authentication server issues an access token (and a refresh token if necessary).
Password mode
- (A) The client obtains the user name and password from the user;
- (B) The client authenticates to the authentication server with the user name and password;
- (C) The authentication server returns an access token (and a refresh token if necessary).
Password mode walkthrough
- First, create the client mall-tiny-keycloak in Keycloak;
- Then create the role mall-tiny;
- Then assign the role to the user macro;
- With everything ready, use OAuth2 in Postman to call the token endpoint and obtain a token; the address is: http://192.168.7.142:8080/auth/realms/macrozheng/protocol/openid-connect/token
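The Postman call above, written out as an added Python example (not code from the article or the mall project): it builds the password-grant request to the article's token endpoint and reads the realm roles out of the returned access token. The host, realm and client ID are the ones configured above; the token used offline is constructed and unsigned, which is only acceptable for inspection, never for authorizing a request.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint and client from the article's Keycloak setup.
TOKEN_URL = "http://192.168.7.142:8080/auth/realms/macrozheng/protocol/openid-connect/token"
CLIENT_ID = "mall-tiny-keycloak"


def password_grant_body(username, password, client_id=CLIENT_ID):
    """Form body of a Resource Owner Password Credentials request (what Postman sends).
    The client forwards the user's raw password to the token endpoint, so this grant
    is only acceptable for fully trusted first-party clients."""
    return urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    })

def request_token(username, password):
    """POST the password grant to Keycloak; the JSON reply carries access_token,
    refresh_token and expires_in."""
    req = urllib.request.Request(
        TOKEN_URL, data=password_grant_body(username, password).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def _b64url(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(access_token):
    """Payload claims of a JWT access token, read WITHOUT verifying the signature.
    Good for inspecting what Keycloak issued; a resource server must verify the
    signature against the realm's public key before trusting any claim."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url(payload))

def realm_roles(access_token):
    """Realm roles Keycloak places under the realm_access claim."""
    return token_claims(access_token).get("realm_access", {}).get("roles", [])

def demo_token(claims):
    """Unsigned JWT built from constructed claims, for offline inspection only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

Against a live Keycloak, `realm_roles(request_token("macro", "<password>")["access_token"])` should list mall-tiny for the user configured above.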
Using with SpringBoot
Next, let's look at using Keycloak to secure a SpringBoot application. Keycloak natively supports SpringBoot, so this is straightforward.
- Since our SpringBoot application will run on localhost:8088, we need to configure a Valid Redirect URI for the Keycloak client;
- Next, modify the application's pom.xml to integrate Keycloak:
```xml
<!-- Keycloak integration -->
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
    <version>14.0.0</version>
</dependency>
```
- Then modify the application configuration file application.yml. See the comments for the meaning of each attribute; note in particular that paths are bound to the roles allowed to access them:
```yaml
# Keycloak configuration
keycloak:
  # Set the realm the client belongs to
  realm: macrozheng
  # Set the access path of the Keycloak authentication service
  auth-server-url: http://192.168.7.142:8080/auth
  # Set the client ID
  resource: mall-tiny-keycloak
  # Set it as a public client, which needs no client secret to access
  public-client: true
  # Configure the mapping between roles and the paths they may access
  security-constraints:
    - auth-roles:
        - mall-tiny
      security-collections:
        - patterns:
            - '/brand/*'
            - '/swagger-ui/*'
```
- Next, visit the Swagger page; you will be redirected to the Keycloak login page. The address is: http://localhost:8088/swagger-ui/
- After logging in successfully, you can access the Swagger page and the API. This is a standard OAuth2 authorization code flow; refer to the description of authorization code mode above.
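To make the role-to-path binding in application.yml concrete, here is an added Python model of how such security constraints are evaluated (an illustration written for this article, not the Keycloak adapter's own code). It assumes servlet-style pattern matching, where '/brand/*' covers /brand and everything beneath it, and that a request passes when the user holds at least one of the required roles; the audit helper at the end shows the practical consequence, that any path not listed under patterns is reachable without a role.

```python
# Python literal mirroring the article's application.yml, so no YAML parser is needed.
SECURITY_CONSTRAINTS = [
    {
        "auth-roles": ["mall-tiny"],
        "security-collections": [
            {"patterns": ["/brand/*", "/swagger-ui/*"]},
        ],
    },
]


def pattern_matches(pattern, path):
    """Assumed servlet-style check: '/brand/*' covers /brand and /brand/anything,
    any other pattern must match the path exactly."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def required_roles(path, constraints=SECURITY_CONSTRAINTS):
    """Union of auth-roles from every constraint whose collections cover the path."""
    roles = set()
    for constraint in constraints:
        for collection in constraint["security-collections"]:
            if any(pattern_matches(p, path) for p in collection["patterns"]):
                roles.update(constraint["auth-roles"])
    return roles

def is_authorized(path, user_roles, constraints=SECURITY_CONSTRAINTS):
    """True if no constraint covers the path, or the user holds a required role.
    An uncovered path is reachable anonymously, so every protected endpoint must
    appear under patterns: a forgotten prefix is an open endpoint."""
    needed = required_roles(path, constraints)
    return not needed or bool(needed & set(user_roles))

def unprotected(paths, constraints=SECURITY_CONSTRAINTS):
    """Audit helper: the application paths that no constraint covers at all."""
    return [p for p in paths if not required_roles(p, constraints)]
```

Feeding `unprotected` the list of paths your controllers actually expose is a quick way to catch a route that was added after the YAML was written.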
Conclusion
Keycloak is a nice visual security framework that gives you authentication and authorization without having to build an authentication service yourself. It natively supports SpringBoot and can be integrated with essentially no code changes; a worthy modern security framework!
Resources
- Keycloak official document: www.keycloak.org/getting-sta…
- Protect SpringBoot application: www.keycloak.org/docs/latest…
Project source code address
Gitee.com/macrozheng/…