Identity and Access Management applications are becoming increasingly common in the corporate landscape, and are used to provide a set of processes, policies, and tools for defining and managing the roles and access privileges of users within an organization. IAMs typically act as a layer between Identity Providers (or IdPs, such as LDAP, Active Directory, etc.) and the target applications themselves, support user federation, and can define which service scopes a particular user is authorized to use.
Keycloak is a popular IAM solution, and this is a simple tutorial highlighting the basic components and configurations to get it running with Integration Server. This tutorial focuses on using OAUTH2 and the Client Credentials grant type in order to execute a rest service residing on IS.
- Must have docker installed (e.g. Linux docker client or Rancher Desktop for Windows)
- Must have a REST testing tool (e.g. Postman, SoapUI, etc)
- Must have IS installed and running (normal install, IS Docker container or Service Designer are all valid)
- Must have basic Integration Server Administration knowledge (able to install packages, access the IS Admin GUI, etc)
Run Keycloak as a docker image:
docker run -p 8080:8080 -e KEYCLOAK\_ADMIN=admin -e KEYCLOAK\_ADMIN\_PASSWORD=admin quay.io/keycloak/keycloak:21.1.2 start-dev
Open Keycloak GUI:
Via a browser open: http://localhost:8080/admin
… and login with the admin user/password created above.
Click the arrow next to the master realm and create a new realm named “MyRealm”
Leave all fields default, and only add “MyRealm” to the Realm Name field. After creation, select the realm drop list once more and choose the “MyRealm” realm.
Choose “Client Scopes” from the nav bar, and create a new scope named “ISServiceScope”.
Choose “Clients” from the nav bar, and create two new Clients named “ISServer” and “ISSvcConsumer”. Populate using the same values (below), with the exception of different descriptions.
For the “ISSvcConsumer” client, choose the Client Scopes tab and add the client scope created above as default:
NOTE: We will need various Keycloak URLs for the subsequent configuration. These values can be determined by opening the “OpenID Endpoint Configuration” link under the “Realm Settings” in the side nav bar.
This tutorial uses a simple test package with a single service. The service will be executed via rest/post and accepts a firstName and lastName argument. The package looks like this:
Download the package:
KcTestPkg.zip (10.1 KB)
Install and enable the package. (Copy package to replicate/inbound and install via the IS GUI)
Open the Integration Server GUI.
Under “Administration > OAuth > Scope management” add a scope with the same name as the scope defined in Keycloak. The folder name defined matches the top-level folder name of our test package (but naturally this can be more granular in real-world use cases).
Under “Administration > OAuth > Add external authorization server” add the Keycloak config.
Introspection Endpoint: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token/introspect
Client Id: ISServer
Client Secret: <copied from Keycloak ISServer client “Credentials” tab>
Under “Administration > OAuth > Edit OAuth global settings” set the Authorization server to the Keycloak auth server we just configured:
Create a new Postman collection and request.
In this example, the following values will be used:
Request URL (IS REST service): https://localhost:5543/rad/KcTestPkg.rs:kcTestRad/kctest
Under Authorization Tab:
Name: Keycloak IS Access Token
Grant Type: Client Credentials
Access Token URL: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token (can be found from the realm config endpoints discussed above, search for “token_endpoint”)
Client ID: ISSvcConsumer
Client Secret: <copied from Keycloak ISSvcConsumer client “Credentials” tab>
Click the “Get New Access Token” button. You should get a success message, with a box showing your access token:
Click „Use Token“, then Send the request. Success!