This guide will help you set up Keycloak, configure a realm, and secure your application using Keycloak's authentication and authorization services. This guide is tested with Keycloak version 23
- Prerequisites
- Step 1: Install Keycloak
- Step 2: Start Keycloak
- Step 3: Access Keycloak Admin Console
- Step 4: Create a Realm
- Step 5: Create a Client
- Step 6: Configure Roles and Users
- Step 7: Configure Tiamat
- Step 8: Testing the Setup
- Step 9: Useful Links
- Java 11 or higher
- Keycloak download package or Docker (for containerized setup)
- Basic understanding of OIDC (OpenID Connect) and Keycloak concepts like Realms, Clients, Users, and Roles.
There are two ways to install Keycloak: using Docker or downloading and running it manually.
To run Keycloak with Docker, run the following command:
docker run -d --name keycloak -p 8082:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak- Download Keycloak from the official website: https://www.keycloak.org/downloads
- Extract the downloaded archive.
- Navigate to the Keycloak folder in your terminal and run the following command to start Keycloak:
./bin/standalone.sh
After installation, Keycloak should be running on http://localhost:8082.
You can start and stop Keycloak using these commands:
- Start:
./bin/standalone.sh
- Stop:
./bin/jboss-cli.sh --connect command=:shutdown
- Open your browser and go to:
http://localhost:8082 - Click on the Administration Console link.
- Log in with the default admin credentials you set during the installation:
- Username:
admin - Password:
admin
- Username:
A realm in Keycloak is the equivalent of a tenant or domain in which you manage users, credentials, roles, and groups.
- Once logged in, click on the Master dropdown (top-left corner) and select Add Realm.
- Give your realm a name (e.g.,
entur), then click Create.
A client in Keycloak represents an application that users will authenticate with.
- Go to the Clients section (in the left menu).
- Click Create.
- In General setting, set the Client type set to openid-connect.
- In the Client ID field, give your client a name (e.g.,
abzu). - Click Next
- In Capability Config, leave the default settings and click Next.
- In Login Settings, set Valid Redirect URIs to
*and web origins to*. and click Save.
- Go to Roles tab and create roles
viewStopsdeleteStopsandeditStops. - Save the changes.
- Go to the Users section.
- Click Add User and provide details like username and email.
- Once the user is created, go to the Credentials tab and set a password for the user (uncheck the Temporary option to make the password permanent).
- In the Role Mappings tab, assign roles to the user by selecting roles from the Available Roles list and clicking Add Selected. i.e.
viewStopsdeleteStopsandeditStops. - In the Attributes tab, add a follwoing attributes to the user.
role_assignmentswith value{"r":"deleteStops","o":"RB"}role_assignmentswith value{"r":"editStops","o":"RB","e":{"EntityType":["*"]}}
- Go to the Clients section and select the client you created (e.g.,
abzu). - Click on the Client Scopes tab.
- Click on the abzu-dedicated client-scope, click on the Add Mapper and select By Configuration.
- Select User Attribute and set the following values:
- Name:
role_assignments - User Attribute:
role_assignments - Token Claim Name:
role_assignments - Claim JSON Type:
String - Add to ID token:
ON - Add to access token:
ON - Add to userinfo:
ON - Add to token introspection:
ON - Multivalued:
ON - Aggregate attribute valuese:
OFF
- Name:
- Click Save.
- To test click on Client Details and select the Client Scopes tab. Click on the Evaluate button and select/write username in Usesr and click on and click on Generate Access Token. You should see the roles in the token.
... ... ... "resource_access": { "abzu": { "roles": [ "viewStops", "editStops", "deleteStops" ] }, "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "scope": "openid email profile kcAudience", "sid": "xxxxxxxxxxxx", "role_assignments": [ "{\"r\":\"deleteStops\",\"o\":\"RB\"}", "{\"r\":\"editStops\",\"o\":\"RB\",\"e\":{\"EntityType\":[\"*\"]}}" ], ... ... ...
## Step 7: Configure Tiamat and Abzu
### Tiamat Application Properties
You need to configure your application to use Keycloak for authentication.
```properties
authorization.enabled = true
# Keycloak Configuration
tiamat.oauth2.resourceserver.auth0.ror.jwt.issuer-uri=http://localhost:8082/realms/entur
tiamat.oauth2.resourceserver.auth0.ror.jwt.audience=abzu
tiamat.oauth2.resourceserver.auth0.ror.claim.namespace=role_assignments
Abzu is client application that uses Keycloak for authentication. You need to configure Abzu to use Keycloak. https://github.com/entur/abzu Update dev.json file with the following configuration.
{
"tiamatBaseUrl": "http://localhost:1888/services/stop_places/graphql",
"OTPUrl": "https://api.dev.entur.io/journey-planner/v2/graphql",
"baatTokenProxyEndpoint": "https://api.dev.entur.io/baat-token-proxy/v1/token",
"tiamatEnv": "development",
"netexPrefix": "NSR",
"hostname": "stoppested.dev.entur.org",
"googleApiKey": "AIzaSyB_8bdt2skRkdsyQO19m_gqTzr0_2gqo8U",
"claimsNamespace": "role_assignments",
"preferredNameNamespace": "name",
"oidcConfig": {
"authority": "http://localhost:8082/realms/entur",
"client_id": "abzu",
"extraQueryParams": {
"audience": "abzu"
}
}
}- Run your abzu and tiamat applications.
- Click on Login button from abzu; this will redirect you to Keycloak for login.
- After successful authentication, you should be redirected back to your application with the proper security context.
- Search for a stop e.g. Oslo, and you should see the edit button.
- Edit the stop e.g. add/change description and save the changes.
Note: This guide assumes you have a basic understanding of Keycloak and OIDC concepts. For more detailed information, refer to the official Keycloak documentation.