Getting started to secure a simple Java Microservice with Keycloak, MicroProfile and OpenLiberty

The claims in the JWT map to attributes of the mpJwt element in the OpenLiberty server.xml:

JWT claim             OpenLiberty server.xml attribute
iss                   issuer
aud                   audiences
preferred_username    userNameAttribute

For the token in this example the relevant claims are:

 "iss": "http://localhost:8282/auth/realms/cloudnativestarter", (issuer)
 "aud": "account", (audiences)
 "preferred_username": "author-cloud-native-starter" (userNameAttribute)

The corresponding mpJwt element in server.xml:

 <mpJwt
   id="myMpJwt"
   jwksUri="http://localhost:8282/auth/cloudnativestarter/public/protocol/openid-connect/certs"
   issuer="http://localhost:8282/cloudnativestarter/realms/public"
   userNameAttribute="preferred_username"
   audiences="account">
 </mpJwt>

OpenLiberty compares the iss claim with the issuer attribute as an exact string and rejects the token when they differ, so check that the issuer attribute matches the iss claim of the tokens Keycloak actually issues. With jwksUri OpenLiberty fetches the signing keys from Keycloak's certs endpoint; the next section shows the alternative of a local PEM file configured through MicroProfile Config.
The microprofile-config.properties

The JWT is signed, and the key used to verify that signature is provided by Keycloak. In our case we use MicroProfile JWT to implement access control with the JWT.

MicroProfile uses MicroProfile Config to manage different configurations for different environments. The information needed to verify a JWT from Keycloak is kept in the microprofile-config.properties file, located at src/main/webapp/META-INF/microprofile-config.properties.

Here is an extract of that file:
mp.jwt.verify.publickey.location=/META-INF/keycloak-cloudnativestarter-key.pem
mp.jwt.verify.issuer=http://localhost:8282/auth/realms/cloudnativestarter

In our case, we need to insert the public key of the RS256 signing key pair from Keycloak (PEM-encoded) into the file src/main/webapp/META-INF/keycloak-public-key.pem. MicroProfile reads mp.jwt.verify.publickey.location from microprofile-config.properties to find the key, so the file name in that property must be the file you create, and mp.jwt.verify.issuer must equal the iss claim of the tokens Keycloak issues.
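As an added example (not code from the post or from the cloud-native-starter project), the following Python script checks that a token's claims line up with the mpJwt attributes from the server.xml section above and with the issuer from microprofile-config.properties: iss against issuer, aud against audiences, and the presence of the userNameAttribute claim. It does not verify the RS256 signature; that remains the job of OpenLiberty using jwksUri or mp.jwt.verify.publickey.location. The server.xml fragment and the test tokens are constructed; the unsigned test token (alg none) exists only for offline testing and would be rejected by the server.

```python
"""Check a Keycloak JWT's claims against an OpenLiberty <mpJwt> configuration.

Added example, not part of the original post. Signature verification is
deliberately out of scope: OpenLiberty does that with jwksUri or
mp.jwt.verify.publickey.location. This script only checks the claim-to-attribute
mapping: iss -> issuer, aud -> audiences, preferred_username -> userNameAttribute.
"""
import base64
import json
import time
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed server.xml fragment (assumption: one <mpJwt> element; attribute
# names as used in the post, issuer as written into the example token).
SERVER_XML = """<server>
  <mpJwt id="myMpJwt"
         issuer="http://localhost:8282/auth/realms/cloudnativestarter"
         userNameAttribute="preferred_username"
         audiences="account"/>
</server>"""

# Constructed claims mirroring the post's example token; exp is far in the future.
PAGE_CLAIMS = {
    "iss": "http://localhost:8282/auth/realms/cloudnativestarter",
    "aud": "account",
    "preferred_username": "author-cloud-native-starter",
    "exp": 2_000_000_000,
}


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT (alg 'none') for offline tests.
    OpenLiberty would reject it: the mpJwt feature requires a signed RS256 token."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def load_mpjwt_config(xml_text: str) -> dict:
    """Read the <mpJwt> attributes that are compared against token claims."""
    root = ET.fromstring(xml_text)
    el = root.find("mpJwt")
    if el is None:
        raise ValueError("no <mpJwt> element in server.xml")
    return {
        "issuer": el.get("issuer"),
        # OpenLiberty accepts a comma-separated list of trusted audiences.
        "audiences": [a.strip() for a in el.get("audiences", "").split(",") if a.strip()],
        # MP-JWT falls back to the "upn" claim when no attribute is configured.
        "userNameAttribute": el.get("userNameAttribute", "upn"),
    }


def check_claims(claims: dict, cfg: dict, now: Optional[float] = None) -> List[str]:
    """Return the mismatches between the token's claims and the mpJwt config.
    An empty list means the claim/attribute mapping is consistent."""
    problems: List[str] = []
    now = time.time() if now is None else now

    # iss must equal issuer exactly; a different realm URL is a rejection.
    if claims.get("iss") != cfg["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != issuer {cfg['issuer']!r}")

    # aud may be a string or a list; at least one value must be trusted.
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    if cfg["audiences"] and not set(aud_list) & set(cfg["audiences"]):
        problems.append(f"aud {aud_list!r} has no value in audiences {cfg['audiences']!r}")

    # The claim named by userNameAttribute becomes the principal name.
    name_claim = cfg["userNameAttribute"]
    if not claims.get(name_claim):
        problems.append(f"userNameAttribute {name_claim!r} missing or empty in token")

    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append(f"token expired at exp={exp}")
    return problems


if __name__ == "__main__":
    cfg = load_mpjwt_config(SERVER_XML)
    print("example token:", check_claims(decode_claims(make_test_token(PAGE_CLAIMS)), cfg))
    other_realm = dict(PAGE_CLAIMS, iss="http://localhost:8282/auth/realms/other")
    print("other realm  :", check_claims(decode_claims(make_test_token(other_realm)), cfg))
```

Run it against the real token by pasting the access token from Keycloak into decode_claims; an empty list from check_claims means server.xml and the token agree on issuer, audience and user name, and any remaining 401 is then a signature or key-location problem rather than a claim mismatch.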

Classes for the Authors Microservice

The JAX-RS Application subclass declares that callers authenticate with a MicroProfile JWT and lists the roles the service uses. The post shows only the annotations; the class name and path below are assumptions:

import org.eclipse.microprofile.auth.LoginConfig;
import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;

@LoginConfig(authMethod = "MP-JWT")                   // authenticate callers with a MicroProfile JWT
@DeclareRoles({"authors-role-cloud-native-starter"})  // roles referenced by @RolesAllowed
@ApplicationPath("/api")                              // class name and path are assumptions
public class AuthorsApplication extends Application {}

The resource class injects the validated token and restricts the endpoint to one role. Again only the annotated lines and the log statements are from the post; the resource class, path and method around them are assumptions:

import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/authors")                                    // assumed resource path
public class AuthorsResource {
    @Inject private JsonWebToken tokenInformation;   // the caller's validated JWT, injected by MP-JWT

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"authors-role-cloud-native-starter"})   // only callers holding this role
    public String getAuthor() {
        String message = "authorized";               // assumed; the post's snippet does not define it
        if (tokenInformation != null) {
            System.out.println("... [Author] MP JWT config message: " + message);
            System.out.println("... [Author] MP JWT getIssuedAtTime " + tokenInformation.getIssuedAtTime());
        }
        return message;
    }
}