Learn to Download and Configure Keycloak Sso Server

I. Introduction

Keycloak is an open-source identity and access management system aimed at securing both frontend and backend or rest applications.

In this blog, we will learn how to download and configure a Keycloak realm that we can use to secure our application.

II. Download and Configure Keycloak

1.) Download Keycloak, by navigating to https://www.keycloak.org/downloads.html and downloading the zipped standalone server distribution.

2.) Extract in your local directory. I extracted mine in C:\Java\jboss\, so it should create a keycloak folder inside that directory: C:\Java\jboss\keycloak-9.0.0.

3.) If you are using an IDE such as Eclipse or Spring STS, you can add Keycloak in the server tab. The server view can be activated by clicking Window / Show View / Other / *filter server. Right-click on the server tab panel, select New / Server. Under JBoss Community group, there is a link that will install the Wildfly server adapter, select it, click next and finish.

4.) In case we are running another server such as Tomcat or Wildfly, it's often a good idea to change the Keycloak's port by overriding the offset value. In the server panel, we can do that by expanding the Keycloak server / Filesets / Configuration file / standalone.xml. Search for jboss.socket.binding.port-offset:0 and replace with jboss.socket.binding.port-offset:1.

5.) Run Keycloak by pressing the bug or play like icon in the Server panel. The bug means debug, which will stop on every breakpoint.

6.) Now, we can open Keycloak in the browser by navigating to http://localhost:8081/auth/. You will be asked to create an admin user.

7.) After creating an admin user navigate to localhost:8081/auth and click Administration Console. Used the newly created user.

Now we are ready to create a realm that we can use to secure our application.

III. Creating Realm and Resources

After logging in, we should arrive at the master realm detail page. In this screen, we will create the realm and resources that we will use in our application.

1.) Create a new realm by hovering on the master realm and clicking "Add realm".

2.) In the next screen, we need to enter a realm name.

3.) We will create Keycloak clients by clicking the Clients menu item in the left panel and we should arrive in the list of clients currently available for Keycloak.

4.) To create our own client, click the Create button in the top right corner. Our client-id is api-services, protocol=openid-connect.

5.) In the next screen, we are presented with the client's detail. Basically, there are basically three types of access-types: 

1. confidential - It is a server-side client. Normally, it provides a browser login form that can be customized. It requires a client-secret that is automatically generated, this secret is used to convert an access code into an access token. With this client, you need to fill in several fields.


1. Valid redirect URIs - list of URLs where your application should redirect after login or logout.
2. Web Origins - Used by CORS, this is the origin URL of the request. Normally where your frontend client is deployed. For example when you are running a react client locally: http://localhost:3000/*.
   
   
2. public - Very similar to a confidential client. But this one is for client-side applications where there is no way to keep a secret key safe. This one also provides a browser login form. For this access type, it is very important to configure the redirect URIs and Web Origins to avoid being hacked.
   
   
   
3. bearer-only - Normally used by REST services application, no login but it requires a valid access token. See the documentation in the reference section below.
   
   
   

Normally, you should create at least 2 types of client or resource for your frontend=public and backend/rest=bearer-only.

References:

• https://www.keycloak.org/docs/latest/server_admin/
• https://www.keycloak.org/docs/latest/securing_apps/