Day 3 of the Keycloak Advent Calendar describes how to **delegate authentication for a Spring Boot web application to Keycloak**. Keycloak ships an adapter for Spring Boot that makes securing such applications straightforward, and the result is a Spring Boot application protected by **OpenID Connect** (OIDC), the widely adopted authentication protocol built on top of OAuth 2.0. (Keycloak has since deprecated its own adapters in favour of the OAuth 2.0/OIDC client support built into Spring Security; the steps here reflect the adapter as it existed when this article was written.)
Once integrated, the user is the OIDC "End-User", the Spring Boot application is the OIDC "Relying Party", and Keycloak is the OIDC "OpenID Provider".
Before starting this tutorial, complete the Keycloak setup and create an admin user as described in Keycloak Advent Calendar Day 2. You will also need either Gradle or Maven to build and run the web application, so install one of them.
In this tutorial, both Keycloak and the Spring Boot web application run on localhost.
The integration procedure is as follows. Once it is complete, we verify that login through Keycloak works.
Before creating a realm, a brief word on what it is. **A "realm" in Keycloak is a boundary that groups users, roles, and connected data stores (LDAP and so on).** Users are created inside a realm, and settings such as the authentication method are defined per realm. A single realm named "Master" exists by default, and every realm you add later is managed from it: "Master" is the top of the realm hierarchy and is administered by the super administrator (the admin account created during initial setup).
You could manage users directly in the "Master" realm, but the recommended practice is to create a dedicated realm for your applications, so we create one first. The "Master" realm itself can also be deleted.
Open [http://localhost:8080/auth/admin/](http://localhost:8080/auth/admin/) and log in to the Keycloak admin console with the administrator account.
Open the drop-down menu labeled "Master" in the upper-left corner and click "Add realm".
The "Add realm" page opens. Enter "demo" as the realm name and click the "Create" button.
Once the realm is created you are taken to its main page in the admin console; the current realm shown should be "demo".
You can switch between the "Master" realm and the realm you just created using the drop-down menu in the upper-left corner.
Next, create a client (*). Here the client is what OIDC calls the "Relying Party" (OAuth 2.0, on which OIDC 1.0 is built, simply calls this role the "client"): in our case, the Spring Boot application.
(*) Strictly speaking, what you create here is the client's registration in Keycloak. The client application itself is generated later with "Spring Initializr".
Click "Clients" in the left menu. The client list is displayed; click the "Create" button.
Enter "sample-app" as the Client ID and click the "Save" button.
1.3. Creating a role
Next, create a role to assign to users. Later we will configure the application so that only users who hold this role can access the Spring Boot application.
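Everything this section does by clicking through the admin console (creating the "demo" realm, the "sample-app" client, and the role) can also be scripted with kcadm.sh, the admin CLI shipped in Keycloak's bin/ directory, which is how you would make the setup reproducible across environments. The script below is an added example and is not part of the original article or of the Keycloak project. The role name `user`, the application URL `http://localhost:8081`, and the public client type are assumptions not stated on the page; adjust them to the role you create here and the port your Spring Boot application will listen on.

```shell
#!/bin/sh
# Added example (not from the original article): script the realm / client / role
# setup from this section with kcadm.sh instead of the admin console.
# Assumptions not stated on the page: kcadm.sh is on PATH (or pointed to by
# $KCADM), the application role is named "user", and the Spring Boot app will
# run on http://localhost:8081.
set -eu

KCADM="${KCADM:-kcadm.sh}"                                # path to keycloak/bin/kcadm.sh
KC_URL="${KC_URL:-http://localhost:8080/auth}"            # Keycloak base URL used on this page
KC_ADMIN="${KC_ADMIN:-admin}"                             # admin user created on Day 2
REALM="demo"                                              # realm name from this section
CLIENT_ID="sample-app"                                    # client ID from this section
APP_ROLE="${APP_ROLE:-user}"                              # assumed role name
APP_REDIRECT="${APP_REDIRECT:-http://localhost:8081/*}"   # assumed application URL

# Thin wrapper so every call goes through the configured CLI binary.
kc() { "$KCADM" "$@"; }

# Authenticate against the master realm. kcadm prompts for the password
# interactively (add --password only in throwaway environments).
kc_login() { kc config credentials --server "$KC_URL" --realm master --user "$KC_ADMIN"; }

# Step 1: create a new, enabled realm (console: Add realm -> "demo" -> Create).
create_realm() { kc create realms -s realm="$1" -s enabled=true; }

# Step 2: register the OIDC client, i.e. the Relying Party (console: Clients -> Create).
# publicClient=true matches the console's default access type for a browser app.
# redirectUris is a JSON array; Keycloak refuses any redirect_uri that does not
# match it, so keep the pattern as narrow as your application allows.
create_client() {
  kc create clients -r "$1" -s clientId="$2" -s enabled=true -s publicClient=true \
     -s "redirectUris=[\"$3\"]"
}

# Step 3: create the realm role the application will require from its users.
create_role() { kc create roles -r "$1" -s name="$2"; }

main() {
  kc_login
  create_realm "$REALM"
  create_client "$REALM" "$CLIENT_ID" "$APP_REDIRECT"
  create_role "$REALM" "$APP_ROLE"
  # Show what was created so the result can be compared with the console screens.
  kc get clients -r "$REALM" --fields clientId,publicClient,redirectUris
  kc get roles -r "$REALM" --fields name
}

if command -v "$KCADM" >/dev/null 2>&1; then
  main
else
  echo "kcadm.sh not found; set KCADM=/path/to/keycloak/bin/kcadm.sh" >&2
fi
```

Run it once against a fresh Keycloak; the `create` commands fail with a conflict error if the realm, client or role already exists, which is the behaviour you want from a provisioning script rather than silently overwriting settings.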