This quickstart will show you :
- How to obtain a Keycloak Access Token from a front-end application
- How to Use that Access Token to call in secure way a first Quarkus Rest Application
- How this first service can propagate this token to another Quarkus Rest Service, again in a secure way.
This quickstart consists of :
- A simple Web App that performs the Keycloak Login and that call the
quarkus-rest-username
- The
quarkus-rest-username
, a Quarkus REST app, just returns the username of the authenticated user. - The
quarkus-rest-caps
, a Quarkus REST app, receives as path parameter aString
and capitalize it.
The flow is pretty simple :
- User --login-->
quarkus-front
<-- returns token -->Keycloak Server
quarkus-front
-- calls -->quarkus-rest-username
-- calls -->quarkus-rest-caps
- JDK8+
- Maven
- A running instance of Keycloak 5.0.0 running on port 8180
- If you have Docker you can also run your Keycloak Server like this :
docker run -d --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8180:8180 -v `pwd`/quarkus-kc-quickstart.json:/config/quarkus-kc-quickstart.json -it jboss/keycloak:5.0.0 -b 0.0.0.0 -Djboss.http.port=8180 -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/config/quarkus-kc-quickstart.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
- Import the Realm
quarkus-kc-quickstart.json
in your Keycloak Server (except if you are using the docker image from above) - Go to the
quarkus-front
folder and start the app :mvn package quarkus:dev
- Go to the
quarkus-rest-username
folder and start the app :mvn package quarkus:dev
- Go to the
quarkus-rest-caps
folder and start the app :mvn package quarkus:dev
- Go to
http://localhost:8080
and press thelogin
button - Login with username and password
test/test
- In the accordeon menu go to
service call
and press the button - Next to
Service Call Result
you should see the resultTEST
The service receives a JWT Access Token from the quarkus-front-end
application. To handle the JWT, we use the smallrye-jwt
extension :
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-smallrye-jwt</artifactId>
</dependency>
Then, it just need some configuration, notice the issuer
and the publickey.location
properties :
mp.jwt.verify.publickey.location=http://localhost:8180/auth/realms/quarkus-quickstart/protocol/openid-connect/certs
mp.jwt.verify.issuer=http://localhost:8180/auth/realms/quarkus-quickstart
quarkus.smallrye-jwt.auth-mechanism=MP-JWT
quarkus.smallrye-jwt.enabled=true
Then in your JAXRS resource, you just need to add an annotation to your endpoint method :
@GET
@RolesAllowed({"user"})
public String getUsername() {
Also notice how easy it is to inject any claim of your token :
@Inject
@Claim(standard = Claims.preferred_username)
Optional<JsonString> preferred_username;
To call the quarkus-rest-caps
service we use the quarkus-smallrye-rest-client
extension, notice the annotation @RegisterClientHeaders
@Path("/caps")
@RegisterRestClient
@RegisterClientHeaders
public interface CapsService {
By doing this, we indicate that we want to propagate HTTP Headers from the JAXRS context. In our case, we want to propagate the Authorization
header that contains our access token.
In the properties we specify this header :
org.eclipse.microprofile.rest.client.propagateHeaders=Authorization
There is actually an issue with the jwt-extension
in Native Mode. The fix is planned for 0.13
and I will be update this section as soon as it will be fixed.