Setting up and Configuring Keycloak as the Authorization Server - spring-boot-in-practice/repo GitHub Wiki

This article will demonstrate to set up and configure the Keycloak as the Authorization Server in the Windows operating system. The same steps can be followed for Linux and macOS as well.

  1. Download the Keycloak from the Keycloak website. We'll download the Distribution powered by WildFly.
  2. Unzip the zip file and browse to \standalone\configuration folder. By default, Keycloak runs in the HTTP port 8080. However, as our Spring Boot application runs in that port, we'll configure the HTTP port 9999 for the Keycloak server. Open the stanalone.xml file and perform the following edit:

        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        to
        <socket-binding name="http" port="${jboss.http.port:9999}"/>
  1. Next, start the server using the standalone script available in the \bin directory. Open your browser and access http://localhost:9999 URL
  2. You'll be redirected to the http://localhost:9999/auth/ URL. Create a new user with username root and password as password under the Administration Console section. Click on the Administration Console and log in with username and password
  3. Post successful login, you'll land to the Master realm settings. We can configure one or more realms in the Keycloak server. However, in our technique, we'll stick with the Master realm. On the same page, under the General tab, you'll find the OpenID Endpoint Configuration link. Click the link.
  4. It shows the OpenID endpoint URLs:
"issuer": "http://localhost:9999/auth/realms/master",
"authorization_endpoint": "http://localhost:9999/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:9999/auth/realms/master/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:9999/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:9999/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:9999/auth/realms/master/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:9999/auth/realms/master/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost:9999/auth/realms/master/protocol/openid-connect/login-status-iframe.html",

We'll use the issuer and the token_endpoint in the technique.

  1. In the Keycloak admin console page left menu, click on the Clients menu option, and then click on Create button available at the right-hand corner. This lets you add a client. Add the client name as the course-tracker. Click Save
  2. In the Keycloak admin console page left menu, click on the Client Scopes menu option, then click on Create button available at the right-hand corner. Add a client scope course:read. Click Save. Similarly, create another client scope course:write using the same steps
  3. In the Keycloak admin console page left menu, click on the Users menu option, then click on Add User button available at the right-hand corner. Add the Username as john and switch on Email Verified to On. Click Save. Post user creation, click on the Credential tab and provide a password for the user. We'll use the password as password. Ensure that the Temporary button is turned off. Follow the same steps and create user steve
  4. In the Keycloak admin console page left menu, click on the Clients menu option, then click on course-tracker Client ID. Browse to the Client Scopes tab and ensure under Default Client Scopes option, the Assigned Default Client Scopes are set to course:read and course:write
  5. In the Keycloak admin console page left menu, click on the Clients menu option, then click on course-tracker Client ID. Browse to the Mappers tab and click create. Provide Name as user_name, Mapper Type as User Attribute, and Claim JSON Type as 'String'. Click save.
  6. In the Keycloak admin console page left menu, click on the Client Scopes menu option, then click on course:read scope. Browse to the Mappers tab and click create. Provide Name as user_name, Mapper Type as User Attribute, User Attribute as user_name, Token Claim Name as user_name and Claim JSON Type as 'String'. Click save.

That's all. We are done with the Keycloak server configuration. For any further queries, you can refer to this YouTube Video.