Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 1. Using OpenID Connect (OIDC) and Keycloak to centralize authorization
Learn how to enable bearer token authorization in your Quarkus application by using Keycloak Authorization Services for secure access to protected resources.
1.1. Overview
The Keycloak Authorization extension, quarkus-keycloak-authorization, extends the OpenID Connect extension, quarkus-oidc, to provide advanced authorization capabilities. It features a policy enforcer that dynamically manages access to secured resources. Access is governed by permissions defined in Keycloak, supporting flexible and dynamic Resource-Based Access Control (RBAC).
Use the quarkus-keycloak-authorization extension only if you are using Keycloak and the Keycloak Authorization Services feature is enabled in your environment to handle authorization decisions.
If you are not using Keycloak, or if Keycloak is configured without the Keycloak Authorization Services feature, use the quarkus-oidc extension instead.
How it works
The quarkus-keycloak-authorization extension centralizes authorization responsibilities in Keycloak, enhancing security and simplifying application maintenance:
-
It uses the
quarkus-oidcextension to verify bearer tokens. - It sends verified tokens to Keycloak Authorization Services.
- It allows Keycloak to evaluate resource-based permissions dynamically by using attributes such as resource name, identifier, or URI.
By externalizing authorization decisions, you can:
- Implement diverse access control strategies without modifying application code.
- Reduce redeployment needs as security requirements evolve.
Compatibility
This extension is compatible only with Quarkus OIDC service applications. It complements explicit mechanisms such as role-based access control with dynamic authorization policies.
Key Features
- Centralized Management: Delegate authorization decisions to Keycloak for consistent security policies across applications.
- Dynamic Permissions: Define access control dynamically by using resource attributes.
- Simplified Maintenance: Reduce the need to update and redeploy applications when access policies change.
Setting Up
Before using this extension, ensure the following:
- Keycloak Authorization Services feature is enabled in your Keycloak instance.
-
Your Quarkus application includes the
quarkus-keycloak-authorizationextension.
For detailed steps, see the OIDC Bearer Token Authentication guide.
Additional resources
To learn more about Keycloak Authorization Services and the policy enforcer, visit the official documentation: Keycloak Authorization Services Documentation.
1.2. Prerequisites
To complete this guide, you need:
- Roughly 15 minutes
- An IDE
-
JDK 17+ installed with
JAVA_HOMEconfigured appropriately - Apache Maven 3.8.6 or later
- A working container runtime (Docker or Podman)
- Optionally the Quarkus CLI if you want to use it
- Optionally Mandrel or GraalVM installed and configured appropriately if you want to build a native executable (or Docker if you use a native container build)
- jq tool
- Keycloak
1.3. Architecture
This example demonstrates a simple microservice setup with two protected endpoints:
-
/api/users/me -
/api/admin
Token-based access control
Access to these endpoints is controlled by using bearer tokens. To gain access, the following conditions must be met:
- Valid token: The token must have a correct signature, a valid expiration date, and the appropriate audience.
- Trust: The microservice must trust the issuing Keycloak server.
The bearer tokens issued by the Keycloak server serve as:
- User identifiers: Indicating the subject (user) for whom the token was issued.
- Client references: Identifying the client application acting on behalf of the user, per OAuth 2.0 Authorization Server standards.
Endpoints and access policies
For /api/users/me:
-
Access policy: Open to users with a valid bearer token and the
userrole. Response: Returns user details as a JSON object derived from the token.
Example response
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
For /api/admin:
-
Access policy: Restricted to users with a valid bearer token and the
adminrole.
Decoupled authorization
This example highlights the use of role-based access control (RBAC) policies to protect resources. Key points include:
- Policy flexibility: Keycloak supports various policy types, such as attribute-based and custom policies, enabling fine-grained control.
- Decoupled application logic: Authorization policies are managed entirely by Keycloak, allowing your application to focus on its core functionality.
1.4. Solution
We recommend that you follow the instructions in the next sections and create the application step by step. However, you can go right to the completed example.
Clone the Git repository: git clone https://github.com/quarkusio/quarkus-quickstarts.git -b 3.27, or download an archive.
The solution is in the security-keycloak-authorization-quickstart directory.
1.5. Creating the project
To get started, create a new project by using the following command:
Using the Quarkus CLI:
quarkus create app org.acme:security-keycloak-authorization-quickstart \ --extension='oidc,keycloak-authorization,rest-jackson' \ --no-code cd security-keycloak-authorization-quickstartquarkus create app org.acme:security-keycloak-authorization-quickstart \ --extension='oidc,keycloak-authorization,rest-jackson' \ --no-code cd security-keycloak-authorization-quickstartCopy to Clipboard Copied! Toggle word wrap Toggle overflow To create a Gradle project, add the
--gradleor--gradle-kotlin-dsloption.For more information about how to install and use the Quarkus CLI, see the Quarkus CLI guide.
Using Maven:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow To create a Gradle project, add the
-DbuildTool=gradleor-DbuildTool=gradle-kotlin-dsloption.
For Windows users:
-
If using cmd, (don’t use backward slash
\and put everything on the same line) -
If using Powershell, wrap
-Dparameters in double quotes e.g."-DprojectArtifactId=security-keycloak-authorization-quickstart"
This command generates a new project with the keycloak-authorization extension. The extension integrates a Keycloak Adapter into your Quarkus application, providing the necessary capabilities to interact with a Keycloak server and perform bearer token authorization.
Adding extensions to an existing project
If you already have an existing Quarkus project, you can add the oidc and keycloak-authorization extensions by running the following command in your project’s base directory:
Using the Quarkus CLI:
quarkus extension add oidc,keycloak-authorization
quarkus extension add oidc,keycloak-authorizationCopy to Clipboard Copied! Toggle word wrap Toggle overflow Using Maven:
./mvnw quarkus:add-extension -Dextensions='oidc,keycloak-authorization'
./mvnw quarkus:add-extension -Dextensions='oidc,keycloak-authorization'Copy to Clipboard Copied! Toggle word wrap Toggle overflow Using Gradle:
./gradlew addExtension --extensions='oidc,keycloak-authorization'
./gradlew addExtension --extensions='oidc,keycloak-authorization'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
This command adds the following dependencies to your build file:
Using Maven:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Using Gradle:
implementation("io.quarkus:quarkus-oidc") implementation("io.quarkus:quarkus-keycloak-authorization")implementation("io.quarkus:quarkus-oidc") implementation("io.quarkus:quarkus-keycloak-authorization")Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Implementing the /api/users/me endpoint
Start by implementing the /api/users/me endpoint. The following code defines a Jakarta REST resource that provides user details:
Implementing the /api/admin endpoint
Next, define the /api/admin endpoint. The following code represents a simple Jakarta REST resource protected with authentication:
Role-based access control with Keycloak
Notice that explicit annotations such as @RolesAllowed are not defined to enforce access control for the resources. Instead, the keycloak-authorization extension dynamically maps the URIs of protected resources in Keycloak.
Access control is managed as follows:
- Keycloak evaluates permissions for each request based on its configured policies.
- The extension enforces these permissions, granting or denying access based on the roles or policies defined in Keycloak.
This decouples access control logic from the application code, making it easier to manage and update access policies directly in Keycloak.
1.6. Configuring the application
You can use the OpenID Connect extension to configure the adapter settings through the application.properties file, typically located in the src/main/resources directory. For example:
- 1
- Specifies the URL of the Keycloak server and the realm used for authentication.
- 2
- Identifies the client application within the Keycloak realm.
- 3
- Defines the client secret for authentication with the Keycloak server.
- 4
- Disables TLS verification for development purposes, not recommended for production.
- 5
- Enables the Keycloak policy enforcer to manage access control based on defined permissions.
- 6
- Configures Dev Services to import a specified realm file, effective only in dev mode and not in JVM or native modes.
Adding the %prod. profile prefix to quarkus.oidc.auth-server-url ensures that Dev Services for Keycloak automatically launches a container in development mode. For more details, see the Running the application in Dev mode section.
By default, applications using the quarkus-oidc extension are treated as service type applications. However, the extension also supports web-app type applications under the following conditions:
-
The access token returned during the authorization code grant flow must be the source of roles (
quarkus.oidc.roles.source=accesstoken). -
Note: For
web-apptype applications, ID token roles are checked by default.
1.7. Starting and configuring the Keycloak server
Do not start the Keycloak server when you run the application in dev mode. Dev Services for Keycloak launches a container. For more information, see the Running the application in Dev mode section.
To start a Keycloak server, use the following Docker command:
- 1
- For
keycloak.version, ensure the version is26.3.0or later. - 2
- For Keycloak keystore, use the
keycloak-keystore.jksfile located at quarkus-quickstarts/security-keycloak-authorization-quickstart/config.
Accessing the Keycloak server
- Open your browser and navigate to https://localhost:8543.
Log in to the Keycloak Administration Console by using the following credentials:
-
Username:
admin -
Password:
admin
-
Username:
Importing the realm configuration
To create a new realm, import the realm configuration file. For detailed steps on creating realms, refer to the Keycloak documentation: Create a new realm.
After importing the realm, go to Clients, choose the backend-service client, and select the Authorization and Resources tab for this client. You can now review the resource permissions:
Role of Keycloak in resource permissions
The resource access permissions are configured directly in Keycloak, which eliminates the need for @RolesAllowed annotations in your application code. This approach centralizes access control management within Keycloak, simplifying application maintenance and security updates.
1.8. Running the application in dev mode
To run the application in development mode, use the following command:
Using the Quarkus CLI:
quarkus dev
quarkus devCopy to Clipboard Copied! Toggle word wrap Toggle overflow Using Maven:
./mvnw quarkus:dev
./mvnw quarkus:devCopy to Clipboard Copied! Toggle word wrap Toggle overflow Using Gradle:
./gradlew --console=plain quarkusDev
./gradlew --console=plain quarkusDevCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Dev Services for Keycloak starts a Keycloak container and imports the quarkus-realm.json configuration file.
Open a Dev UI available at /q/dev-ui and click a Provider: Keycloak link on an OpenID Connect card in the Dev UI.
Interacting with Dev UI
Testing user permissions
When prompted to log in to a Single Page Application provided by OpenID Connect Dev UI, do the following:
Log in as
alice(password:alice), who only has aUser Permissionto access the/api/users/meresource:-
Access
/api/admin, which returns403. -
Access
/api/users/me, which returns200.
-
Access
Log out and log in as
admin(password:admin), who has bothAdmin Permissionto access the/api/adminresource andUser Permissionto access the/api/users/meresource:-
Access
/api/admin, which returns200. -
Access
/api/users/me, which returns200.
-
Access
Customizing the Keycloak realm
If you started Dev Services for Keycloak without importing a realm file such as quarkus-realm.json, create a default quarkus realm without Keycloak authorization policies:
- Select the Keycloak Admin link from the OpenID Connect card in the Dev UI.
-
Log in to the Keycloak admin console. The username and password are both
admin. -
Follow the instructions at Keycloak Authorization Services documentation to enable authorization policies in the
quarkusrealm.
The Keycloak Admin link is easy to find in Dev UI:
Adding custom JavaScript policies
If your application uses Keycloak authorization configured with JavaScript policies that are deployed in a JAR archive, Dev Services for Keycloak can transfer this archive to the Keycloak container. Use the following properties in application.properties to configure the transfer:
Alias the policies archive Map the policies archive to a specific location in the container
# Alias the policies archive
quarkus.keycloak.devservices.resource-aliases.policies=/policies.jar
# Map the policies archive to a specific location in the container
quarkus.keycloak.devservices.resource-mappings.policies=/opt/keycloak/providers/policies.jar 1.9. Running the application in JVM mode
After exploring the application in dev mode, you can run it as a standard Java application in JVM mode.
Compile the application:
Using the Quarkus CLI:
quarkus build
quarkus buildCopy to Clipboard Copied! Toggle word wrap Toggle overflow Using Maven:
./mvnw install
./mvnw installCopy to Clipboard Copied! Toggle word wrap Toggle overflow Using Gradle:
./gradlew build
./gradlew buildCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Run the application:
java -jar target/quarkus-app/quarkus-run.jar
java -jar target/quarkus-app/quarkus-run.jar1.10. Running the application in native mode
You can compile this demo into native code; no modifications are required.
Native compilation eliminates the need for a JVM in the production environment because the produced binary includes the runtime and is optimized for minimal resource usage.
Compilation takes longer and is disabled by default. To build the application, enable the native profile.
Build the native binary:
Using the Quarkus CLI:
quarkus build --native
quarkus build --nativeCopy to Clipboard Copied! Toggle word wrap Toggle overflow Using Maven:
./mvnw install -Dnative
./mvnw install -DnativeCopy to Clipboard Copied! Toggle word wrap Toggle overflow Using Gradle:
./gradlew build -Dquarkus.native.enabled=true
./gradlew build -Dquarkus.native.enabled=trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow
After a while, run the native binary:
./target/security-keycloak-authorization-quickstart-1.0.0-SNAPSHOT-runner
./target/security-keycloak-authorization-quickstart-1.0.0-SNAPSHOT-runner1.11. Testing the application
See the preceding Running the application in Dev mode section for instructions on testing your application in development mode.
You can test the application running in JVM or native modes by using curl.
Obtaining an access token
The application uses bearer token authorization. To access its resources, first obtain an access token from the Keycloak server:
If the quarkus.oidc.authentication.user-info-required property is set to true, the application requires that an access token is used to request UserInfo. In that case, you must add the scope=openid query parameter to the token grant request; for example:
The preceding example obtains an access token for the user alice.
Accessing the /api/users/me endpoint
Any user with a valid access token can access the http://localhost:8080/api/users/me endpoint, which returns a JSON payload with user details:
curl -v -X GET \ http://localhost:8080/api/users/me \ -H "Authorization: Bearer "$access_token
curl -v -X GET \
http://localhost:8080/api/users/me \
-H "Authorization: Bearer "$access_tokenAccessing the /api/admin endpoint
The http://localhost:8080/api/admin endpoint is restricted to users with the admin role. If you try to access this endpoint with the previously issued access token, the server returns a 403 Forbidden response:
curl -v -X GET \ http://localhost:8080/api/admin \ -H "Authorization: Bearer "$access_token
curl -v -X GET \
http://localhost:8080/api/admin \
-H "Authorization: Bearer "$access_tokenGetting an admin access token
To access the admin endpoint, get an access token for the admin user:
1.12. Injecting the authorization client
You can use the Keycloak Authorization Client Java API for advanced tasks, such as managing resources and getting permissions directly from Keycloak. To enable this functionality, inject an AuthzClient instance into your beans:
public class ProtectedResource {
@Inject
AuthzClient authzClient;
}
public class ProtectedResource {
@Inject
AuthzClient authzClient;
}
To use the AuthzClient directly, set quarkus.keycloak.policy-enforcer.enable=true. Otherwise, no bean is available for injection.
1.13. Mapping protected resources
By default, the extension uses lazy loading to fetch resources from Keycloak on demand. It uses the request URI to identify and map application resources that require protection.
To disable lazy loading and instead pre-load all resources at startup, configure the following property:
quarkus.keycloak.policy-enforcer.lazy-load-paths=false
quarkus.keycloak.policy-enforcer.lazy-load-paths=falseThe time required to pre-load resources from Keycloak during startup depends on the number of resources, which might impact your application’s initial load time.
1.14. More about configuring protected resources
In the default configuration, Keycloak manages the roles and decides who can access which routes.
To configure the protected routes by using the @RolesAllowed annotation or the application.properties file, check the OpenID Connect (OIDC) Bearer token authentication and Authorization of web endpoints guides. For more details, check the Quarkus Security overview.
1.15. Access to public resources
To allow access to a public resource without applying quarkus-keycloak-authorization policies, define a permit HTTP policy in the application.properties file. For more information, see the Authorization of web endpoints guide.
You do not need to disable policy checks for a Keycloak Authorization Policy when using configurations like the following:
quarkus.keycloak.policy-enforcer.paths.1.paths=/api/public quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLED
quarkus.keycloak.policy-enforcer.paths.1.paths=/api/public
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLEDTo restrict access to public resources for anonymous users, define an enforcing Keycloak Authorization Policy:
quarkus.keycloak.policy-enforcer.paths.1.paths=/api/public-enforcing quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING
quarkus.keycloak.policy-enforcer.paths.1.paths=/api/public-enforcing
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCINGOnly the default tenant configuration applies when controlling anonymous access to the public resource is required.
1.16. Checking permission scopes programmatically
In addition to resource permissions, you can define method scopes. A scope typically represents an action performed on a resource. You can create an enforcing Keycloak Authorization Policy with a method scope. For example:
- 1
- User must have resource permission
Scope Permission Resourceand scoperead
The Keycloak Policy Enforcer secures the /api/protected/standard-way request path, removing the need for annotations such as @RolesAllowed. However, in some scenarios, you may need to perform a programmatic check.
You can achieve this by injecting a SecurityIdentity instance into your beans, as shown in the following example. Or, you can get the same result by annotating the resource method with @PermissionsAllowed. The following example demonstrates three resource methods, each requiring the same read scope:
- 1
- The
/standard-waysub-path requires both the resource permission and thereadscope, based on the configuration set in theapplication.propertiesfile. - 2
- The
/programmatic-waysub-path checks only for theScope Permission Resourcepermission by default. However, you can enforce additional constraints, such as scope requirements, by usingSecurityIdentity#checkPermission. - 3
- The
@PermissionsAllowedannotation at/annotation-wayrestricts access to requests that have theScope Permission Resourcepermission along with thereadscope. For more information, see the section Authorization using annotations of the Authorization of web endpoints guide.
1.17. Multi-tenancy
You can set up policy enforcer configurations for each tenant, similar to how it is done with OpenID Connect (OIDC) multi-tenancy. For example:
1.18. Dynamic tenant configuration resolution
To create configurations for multiple tenants while avoiding excessive entries in your configuration file, you can use the io.quarkus.keycloak.pep.TenantPolicyConfigResolver interface to define them programmatically at runtime.
- 1
- Define or update the
/enhanced-configpath in the default tenant configuration. - 2
- Add the
/new-configpath to the tenant configuration, including custom claims and values that are populated programmatically. - 3
- Fallback to the default static tenant configuration resolution defined in the
application.propertiesfile or other SmallRye Config sources.
1.19. Configuration reference
This configuration adheres to the official Keycloak Policy Enforcer Configuration guidelines. For detailed insights into various configuration options, see the following documentation:
🔒 Fixed at build time: Configuration property fixed at build time - All other configuration properties are overridable at runtime
| Configuration property | Type | Default |
|
🔒 Fixed at build time Enables policy enforcement.
Environment variable: | boolean |
|
|
Adapters will make separate HTTP invocations to the Keycloak server to turn an access code into an access token. This config option defines how many connections to the Keycloak server should be pooled
Environment variable: | int |
|
|
Specifies how policies are enforced.
Environment variable: |
|
|
|
Defines the limit of entries that should be kept in the cache
Environment variable: | int |
|
|
Defines the time in milliseconds when the entry should be expired
Environment variable: | long |
|
|
Specifies how the adapter should fetch the server for resources associated with paths in your application. If true, the policy enforcer is going to fetch resources on-demand accordingly with the path being requested
Environment variable: | boolean |
|
|
Complex config.
Environment variable: | Map<String,Map<String,Map<String,String>>> | |
|
Simple config.
Environment variable: | Map<String,Map<String,String>> | |
|
Specifies how scopes should be mapped to HTTP methods. If set to true, the policy enforcer will use the HTTP method from the current request to check whether access should be granted
Environment variable: | boolean |
|
|
The name of a resource on the server that is to be associated with a given path
Environment variable: | string | |
|
HTTP request paths that should be protected by the policy enforcer
Environment variable: | list of string | |
|
The name of the HTTP method
Environment variable: | string | required ⚠️ Required |
|
An array of strings with the scopes associated with the method
Environment variable: | list of string | required ⚠️ Required |
|
A string referencing the enforcement mode for the scopes associated with a method
Environment variable: |
|
|
|
Specifies how policies are enforced
Environment variable: |
|
|
|
Complex config.
Environment variable: | Map<String,Map<String,Map<String,String>>> | |
|
Simple config.
Environment variable: | Map<String,Map<String,String>> | |
| Type | Default | |
|
Adapters will make separate HTTP invocations to the Keycloak server to turn an access code into an access token. This config option defines how many connections to the Keycloak server should be pooled
Environment variable: | int |
|
|
Specifies how policies are enforced.
Environment variable: |
|
|
|
The name of a resource on the server that is to be associated with a given path
Environment variable: | string | |
|
HTTP request paths that should be protected by the policy enforcer
Environment variable: | list of string | |
|
The name of the HTTP method
Environment variable: | string | required ⚠️ Required |
|
An array of strings with the scopes associated with the method
Environment variable: | list of string | required ⚠️ Required |
|
A string referencing the enforcement mode for the scopes associated with a method
Environment variable: |
|
|
|
Specifies how policies are enforced
Environment variable: |
|
|
|
Complex config.
Environment variable: | Map<String,Map<String,Map<String,String>>> | |
|
Simple config.
Environment variable: | Map<String,Map<String,String>> | |
|
Defines the limit of entries that should be kept in the cache
Environment variable: | int |
|
|
Defines the time in milliseconds when the entry should be expired
Environment variable: | long |
|
|
Specifies how the adapter should fetch the server for resources associated with paths in your application. If true, the policy enforcer is going to fetch resources on-demand accordingly with the path being requested
Environment variable: | boolean |
|
|
Complex config.
Environment variable: | Map<String,Map<String,Map<String,String>>> | |
|
Simple config.
Environment variable: | Map<String,Map<String,String>> | |
|
Specifies how scopes should be mapped to HTTP methods. If set to true, the policy enforcer will use the HTTP method from the current request to check whether access should be granted
Environment variable: | boolean |
|
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}