Overview
Identity and Access Management applications are becoming increasingly common in the corporate landscape, and are used to provide a set of processes, policies, and tools for defining and managing the roles and access privileges of users within an organization. IAMs typically act as a layer between Identity Providers (or IdPs, such as LDAP, Active Directory, etc.) and the target applications themselves, support user federation, and can define which service scopes a particular user is authorized to use.
Keycloak is a popular IAM solution, and this is a simple tutorial highlighting the basic components and configuration needed to get it running with Integration Server. This tutorial focuses on using OAuth 2.0 and the Client Credentials grant type to execute a REST service residing on IS.
Prerequisites
- Must have Docker installed (e.g. Linux Docker client or Rancher Desktop for Windows)
- Must have a REST testing tool (e.g. Postman, SoapUI, etc.)
- Must have IS installed and running (normal install, IS Docker container or Service Designer are all valid)
- Must have basic Integration Server Administration knowledge (able to install packages, access the IS Admin GUI, etc)
Keycloak Configuration
“Install” Keycloak
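Run Keycloak as a Docker image. The start-dev option runs Keycloak in development mode, and the admin/admin credentials below are suitable only for a local test instance.
- From: https://www.keycloak.org/getting-started/getting-started-docker
- Run:
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:21.1.2 start-dev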
Open Keycloak GUI:
Via a browser open: http://localhost:8080/admin
… and log in with the admin user/password created above.
Click the arrow next to the master realm and create a new realm named “MyRealm”
Leave all fields default, and only add “MyRealm” to the Realm Name field. After creation, select the realm drop list once more and choose the “MyRealm” realm.
Configure the Realm
Add Scope to Call IS Services
Choose “Client Scopes” from the nav bar, and create a new scope named “ISServiceScope”.
Add IS Clients
Choose “Clients” from the nav bar, and create two new Clients named “ISServer” and “ISSvcConsumer”. Populate using the same values (below), with the exception of different descriptions.
For the “ISSvcConsumer” client, choose the Client Scopes tab and add the client scope created above as default:
NOTE: We will need various Keycloak URLs for the subsequent configuration. These values can be determined by opening the “OpenID Endpoint Configuration” link under the “Realm Settings” in the side nav bar.
Integration Server Configuration
IS Test Package
This tutorial uses a simple test package with a single service. The service will be executed via a REST POST and accepts a firstName and a lastName argument. The package looks like this:
Download the package:
KcTestPkg.zip (10.1 KB)
Install and enable the package. (Copy package to replicate/inbound and install via the IS GUI)
Define the IS OAuth Scope
Open the Integration Server GUI.
Under “Administration > OAuth > Scope management” add a scope with the same name as the scope defined in Keycloak. The folder name defined matches the top-level folder name of our test package (but naturally this can be more granular in real-world use cases).
Set the External Authentication Server
Under “Administration > OAuth > Add external authorization server” add the Keycloak config.
Name: Keycloak
Introspection Endpoint: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token/introspect
Client Id: ISServer
Client Secret: <copied from Keycloak ISServer client “Credentials” tab>
User: Administrator
Example:
Under “Administration > OAuth > Edit OAuth global settings” set the Authorization server to the Keycloak auth server we just configured:
Test Integration via Postman
Create a new Postman collection and request.
In this example, the following values will be used:
Request URL (IS REST service): https://localhost:5543/rad/KcTestPkg.rs:kcTestRad/kctest
JSON Body:
Under Authorization Tab:
Name: Keycloak IS Access Token
Grant Type: Client Credentials
Access Token URL: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token (can be found from the realm config endpoints discussed above, search for “token_endpoint”)
Client ID: ISSvcConsumer
Client Secret: <copied from Keycloak ISSvcConsumer client “Credentials” tab>
Scope: ISServiceScope
Click the “Get New Access Token” button. You should get a success message, with a box showing your access token:
Click “Use Token”, then Send the request. Success!
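The token request configured in Postman above, and the introspection call that IS is configured to make with the ISServer client, can also be reproduced from a script when a request is rejected and you need to see what Keycloak reports about the token. The Python below is an added example, not part of the original tutorial or of Integration Server; token_allows is an assumed, simplified stand-in for the scope check, and the secrets are placeholders.

```python
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/realms/MyRealm/protocol/openid-connect"
TOKEN_URL = BASE + "/token"
INTROSPECT_URL = BASE + "/token/introspect"
SCOPE = "ISServiceScope"

def form_request(url, fields):
    """Build a form-encoded POST carrying the client credentials; not sent yet."""
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def token_request(client_id, client_secret):
    """Client Credentials grant, as set on the Postman Authorization tab."""
    return form_request(TOKEN_URL, {
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": SCOPE})

def introspect_request(client_id, client_secret, token):
    """RFC 7662 introspection against the endpoint configured in IS."""
    return form_request(INTROSPECT_URL, {
        "client_id": client_id, "client_secret": client_secret, "token": token})

def token_allows(introspection, required_scope=SCOPE):
    """Assumed check: token must be active and list the scope exactly."""
    if introspection.get("active") is not True:
        return False
    return required_scope in (introspection.get("scope") or "").split()

def send(request):
    """Send a prepared request and decode the JSON response."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Placeholders: paste the secrets from each client's "Credentials" tab.
    consumer_secret, server_secret = "<ISSvcConsumer secret>", "<ISServer secret>"
    token = send(token_request("ISSvcConsumer", consumer_secret))["access_token"]
    result = send(introspect_request("ISServer", server_secret, token))
    print("active:", result.get("active"), "scope:", result.get("scope"))
    print("scope check would pass:", token_allows(result))
```

If the introspection result shows "active": false or a scope list without ISServiceScope, check the ISSvcConsumer client's default client scopes in Keycloak before looking at the IS side.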
This article is part of the TECHniques newsletter blog - technical tips and tricks for the Software AG community.