--Start Keycloak from Docker
--How to change the port
--Keycloak client app and user account registration
--Creating a REST API for Spring Boot
--Resource server settings: Authorization server settings
--Authentication access settings
--API execution by specifying access token
--About control by scope
-OpenID Connect with Keycloak and Spring Boot/Security (Resource Server)
Running Keycloak in Docker is the fastest way to get an OpenID Connect provider up, so we start Keycloak from Docker. Reference site: https://www.keycloak.org/getting-started/getting-started-docker
docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:12.0.1
--If only the published port is changed, the command looks as follows.
docker run -p 8088:8088 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:12.0.1
The port is changed to 8088 so that Keycloak does not conflict with other applications that already use port 8080. Because the image still listens on 8080 by default, Keycloak itself must also be told to listen on 8088 with -Djboss.http.port=8088; otherwise the port mapping points at a port nothing is listening on.
docker run -p 8088:8088 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:12.0.1 -Djboss.http.port=8088
--Check that Keycloak is running by following this Link, then register the client application and the user account.
Create a REST API according to this Link.
Up to this point, executing the API requires a browser login. The following steps enable API execution with an access token instead, without an interactive login.
--Set the authorization server information in application.properties of the project created above.
application.properties
#Authorization server Issuer Identifier
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8088/auth/realms/realm1
--When you execute the API now, the response is 401 Unauthorized. This is the expected behavior: the resource server rejects requests that do not carry a valid access token.
Register the app in Keycloak, get an access token, and use it to try authenticated access.
--Set the following and save.
Access Type=Confidential
Authorization Enabled=ON
② -1) Obtaining the client secret: copy the [Secret] value from the [Credentials] tab of the client application in Keycloak.
② -2) [When executing with Postman] API execution by specifying the access token
② -2) i) Acquisition of access token: send a POST request to "http://localhost:8088/auth/realms/realm1/protocol/openid-connect/token" (with the same parameters as the curl command in ② -3) below) and the response contains the access token.
Response:
{
"access_token": "xxxxxxxxxxxxx",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "profile email"
}
② -2) ii) Execute the API with the access token specified (sent as a Bearer token in the Authorization header); the request now succeeds and you can confirm that the implementation works.
Or
② -3) [When executing on the endpoint] API execution by specifying the access token
② -3) i) Acquisition of access token
curl -X POST "http://localhost:8088/auth/realms/[Created realm name]/protocol/openid-connect/token" --data "grant_type=client_credentials&client_secret={Copied Client Secret}&client_id=[Created client name]"
② -3) ii) Execute the API with the access token specified (sent as a Bearer token in the Authorization header); the request now succeeds and you can confirm that the implementation works.
Here the access token is issued with the scopes granted to the client, and the API is executed accordingly. For restricting API execution by scope, see API Execution by Scope (https://qiita.com/nayylin/items/3be85a6b7daf8a577f55).
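As an added example (not code from the original post, nor from the Keycloak or Spring projects), this is the Spring Security configuration that turns the issuer-uri setting above into enforced rules, targeting Spring Boot 2.x / Spring Security 5.4. The /api/** path and the required SCOPE_profile authority are assumptions chosen to match the "scope": "profile email" token response shown above.

```java
package com.example.resourceserver; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // A token-only API: no HTTP session and no CSRF token, because Bearer
            // tokens are sent explicitly per request, not attached by the browser.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeRequests(auth -> auth
                // Spring maps the JWT "scope" claim ("profile email" above) to the
                // authorities SCOPE_profile and SCOPE_email; /api/** (assumed path)
                // requires the profile scope.
                .antMatchers("/api/**").hasAuthority("SCOPE_profile")
                // Everything else still needs a valid token, but no particular scope.
                .anyRequest().authenticated())
            // JWT validation uses the issuer-uri from application.properties: the
            // signing keys are fetched from Keycloak's discovery document, and the
            // signature, expiry ("exp") and issuer ("iss") claims are checked.
            // A missing or invalid token yields 401; a valid token without the
            // required scope yields 403.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

With this in place, the 401 seen in the "Authentication access settings" step and the successful call in ② -2) / ② -3) both come from the same filter chain; only the presence and content of the Bearer token differ.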