bootstrapping of keycloak for integration testing
by Nils Preusker
Hi guys,
I'm just setting up an integration test project for our application and I'm
wondering what's the best way to bootstrap keycloak within it.
I'm using arquillian for testing and I'm using the maven-dependency-plugin
and maven-resources-plugin to put together a wildfly instance with the
keycloak-wildfly-adapter.
So far, that approach works nicely. However, I'm not quite sure yet how to
go about
* importing a realm and
* creating a bearer/ access token to use in the test cases
One approach would be to deploy the auth-server.war (is there a mvn
repository to pull it from?), POST the realm to the respective URL of the
admin console and do the authentication the same way (POST
http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access).
Alternatively, I suppose I could deploy a small helper war or jar that
accesses the core services of keycloak to import the realm and create test
access tokens (some convenience method like "createLogin()" in a test
utility that is deployed with shrink wrap maybe).
Which option do you recommend or is there a third one that I'm missing?
Cheers,
Nils
10 years, 7 months
Re: [keycloak-user] How to authorize JAX-RS service based on reasteasy
by Davide Ungari
Hi Bill,
I have a unique user with the roles "administrator,user" and in fact on
frontend application is working, the backend is not. I'm working on domain
level.
The backend is a JAX-RS (resteasy) service running on an embedded undertow
instance. I configured resteasy using resteasy.role.based.security=true and
the annotation @RolesAllowed("user") on the method.
Now in order to proceed with development I replaced the annotation with
@PermitAll.
Thanks for your time!
--
Davide
10 years, 8 months
Re: [keycloak-user] How to authorize JAX-RS service based on reasteasy
by Davide Ungari
Hi Bill,
the roles are defined at realm level. Frontend and backend applications
have a scope mapping with assigned roles "user" under the menu "Realm
Roles".
> Where are your roles defined? At the realm level? At the application
> level? If they are defined at the realm level you need to define a
> scope for the application. Go to the admin console. The application
> link for your front-end application. Go to the scope menu item and add
> the realm roles to the scope for the front-end application
>
> Build and deploy the preconfigured demo and view the realm in the admin
> console. You will see a similar setup where the "customer-portal" and
> "product-portal" apps have their scope set to the realm level roles.
>
> Scope is the set of roles an application or oauth client is allowed to
> ask for.
--
Davide
10 years, 8 months
How to authorize JAX-RS service based on reasteasy
by Davide Ungari
Hi everybody,
I followed some suggestions and now I made authentication work as follows:
1- The user calls http://.../frontend
2- The frontend server redirects to the keycloak login
3- Keycloak authenticates the user and redirects to frontend server
4- The frontend server serves the AngularJS dashboard
5- User clicks on something in AngularJS app, which will send request
to http://localhost:8080/frontend/someEndpoint
6- Frontend will re-send this to
http://localhost:8080/backend/someBackendEndpoint
7- After backend request is done and received in "frontend" app, it
will resend it back to AngularJS with all the data.
Now I would like to add authorization to backend api, so I added
@RolesAllowed("role") but it does not work:
2014-04-23 23:17:10,694|WARN |core.ExceptionHandler|failed to execute
javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
    at org.jboss.resteasy.plugins.interceptors.RoleBasedSecurityFilter.filter(RoleBasedSecurityFilter.java:45)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:256)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:242)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:229)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
I found out that the realmAccess is null and debugging I think the problem
is during authentication when in org.keycloak.RSATokenVerifier at line:
token = input.readJsonContent(AccessToken.class);
What do you think? What am I doing wrong this time?
Thanks.
--
Davide
10 years, 8 months
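[Added example, not part of the original post and not Keycloak project code.] A small diagnostic for the symptom described above: it decodes the access token the backend receives and reports which roles required by @RolesAllowed are absent from it. It assumes Keycloak's usual access-token layout, where realm roles sit under the "realm_access" claim (a name not shown in the thread); the sample tokens are constructed and unsigned.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the JSON payload of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: authorization decisions stay with the adapter,
    which verifies the signature before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def realm_roles(token: str) -> list:
    # Assumed claim layout: realm-level roles under realm_access.roles.
    # A token without that claim yields an empty list, which matches the
    # "realmAccess is null" observation in the post.
    access = token_claims(token).get("realm_access") or {}
    return list(access.get("roles", []))


def missing_roles(token: str, required: set) -> set:
    """Roles a @RolesAllowed check would need that the token does not carry."""
    return set(required) - set(realm_roles(token))


def _make_sample(payload: dict) -> str:
    # Constructed, unsigned sample token (signature segment is a placeholder).
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(payload), "c2ln"])


# Constructed samples: one token carrying realm roles, one without the claim.
WITH_SCOPE = _make_sample(
    {"sub": "u1", "realm_access": {"roles": ["user", "administrator"]}})
NO_SCOPE = _make_sample({"sub": "u1"})

if __name__ == "__main__":
    for name, tok in (("with scope", WITH_SCOPE), ("no scope", NO_SCOPE)):
        print(name, "roles:", realm_roles(tok),
              "missing:", missing_roles(tok, {"user"}))
```

If the role is reported missing, the token was issued without it, so the place to look is the scope mapping of the application that obtained the token rather than the backend's RESTEasy configuration.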
Re: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow
by Davide Ungari
Hi Bill,
it's a mixed approach, maybe this is confusing you.
> I don't understand what the flow is below. In your flow above you said
> your server is making a call to the backend service with the token and
> is authenticated correctly, right?
My frontend is a WAR running on Tomcat and it is secured by keycloak.
> What I don't understand is what you are doing below. Are you saying you
> have a Browser client (Javascript) making a call to your backend?
The WAR serves also an AngularJS dashboard, in this dashboard I
"inject" the token from the server but then I make client side calls.
The flow is:
1- The user calls http://.../dashboard
2- The frontend server redirects to the keycloak login
3- Keycloak authenticates the user and redirects to frontend server
4- The frontend server serves the AngularJS dashboard injecting the token
5- The client side dashboard makes ajax calls to the backend to load data
At point 5 I see my backend is logging that the call is AUTHENTICATED
but on client side I see the response is failing.
--
Davide
10 years, 8 months
API to add/update users in KeyCloak
by Kamalakannan J
Hello,
We are in the process of identifying the feasibility to integrate our
JBOSS AS7 application with KeyCloak application for the OAUTH requirements.
In the process, we are in a stage to identify a right way to
-> ADD/UPDATE Users from our application to KeyCloak application (without
using UI)
-> Also during the setup process we would like to add realm, register all
the clients that use our service to KeyCloak Application (without using UI).
From archives, it looks like there are some ways possible but it is not
clear though there are no REST API endpoints at the moment.
Please help
-Kamal
10 years, 8 months
Sharing users
by Nils Preusker
Hi, I have a question regarding user management and sharing access to the
keycloak database between applications.
While the keycloak admin console can be used to manage users, other
applications may also need to access the user database. Is there a
recommended way of accomplishing this?
I've been experimenting with adding keycloak-model-jpa to my .war as a
dependency and looking at the bootstrapping in
org.keycloak.services.resources.KeycloakApplication. However, I wasn't able
to get it to work yet and have the feeling that I might be going the wrong
way here.
Any hints?
Cheers,
Nils
10 years, 8 months
Any plans to allow customization of EmailSender?
by Ken Goodridge
EmailSender hard-codes the messages in both sendEmailVerification and
sendPasswordReset.
Am I right that there is no easy way to customize these?
If not, are there any future plans to allow it? Could it be rolled into
the admin or the themes?
Other than that, I have been able to accomplish an amazing amount with
just the 3rd alpha release. Keep up the good work.
Thanks,
Ken
10 years, 8 months