3

How can I integrate Keycloak with Payara Micro?

I want to create a stateless REST JAX-RS application that uses Keycloak as the authentication and authorization server, but I don't know how to do it.

The Eclipse MicroProfile JWT Authentication API defines the @LoginConfig annotation:

@LoginConfig(authMethod = "MP-JWT", realmName = "admin-realm")
@ApplicationPath("/")
public class MyApplication extends Application {...}

And Java EE defines the @RolesAllowed annotation:

@Path("/api/v1/books")
public class BooksController {

    @GET
    @RolesAllowed("read-books")
    public Books findAll() {...}

}

How do I integrate these two things?

3 Answers

3

The Keycloak project doesn't provide a native adapter for Payara Server or Payara Micro, and the Payara project doesn't provide one either.

But Keycloak also provides a generic servlet filter adapter, which should also be usable with Payara Micro: https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter

Just add the keycloak-servlet-filter-adapter dependency into your web application and configure the adapter in the web.xml according to the documentation. I haven't tested it though, so I don't know if it really works.

OndroMih
  • I had already seen this option, but I want to configure it using the Eclipse MicroProfile specification. This option uses web.xml for configuration, and I want to use an external configuration via the mp-config specification. – Thomás Sousa Silva May 17 '18 at 00:45
  • It's possible to use references to system properties and environment variables in web.xml: https://docs.payara.fish/documentation/payara-server/server-configuration/var-substitution/usage-of-variables.html However, this doesn't provide the same flexibility as using MicroProfile Config and Pablo's Soteria addon looks very nice! – OndroMih May 18 '18 at 09:58
  • @ThomásSousaSilva did you find a way to achieve the config with mp-jwt and Payara? – André Aug 22 '18 at 04:56
3

I faced the same challenge in a personal project and, as mentioned, the Keycloak project does not provide a native adapter for Payara. At that point I wrote a library to secure my app with Keycloak. If you like, you can take a look at it and let me know if it's OK or how we can improve it.

https://github.com/pablobastidasv/kc_security

Pablo Bastidas
  • Thanks a lot! Could you now update the README file with the Keycloak config, how to get a token, how to log out, and how to use an external configuration (without microprofile-config.properties) using mp-config? – Thomás Sousa Silva May 17 '18 at 00:38
  • You could send the configuration through environment variables or Java properties; the config file can be used as the default. Regarding the token, at this point the app library has been tested to work with services; in this case the token should be obtained by the FE. Do you also need to secure web pages? – Pablo Bastidas May 17 '18 at 05:14
  • Yes, I want to build a backend server with JAX-RS and MicroProfile and a frontend server with Node.js and Angular, both using Keycloak. – Thomás Sousa Silva May 19 '18 at 03:45
  • In this case the library I wrote will work (I am working on some improvements). Regarding the Angular app, you can use https://blog.keycloak.org/2018/02/keycloak-and-angular-cli.html to build the FE part. – Pablo Bastidas May 19 '18 at 18:12
  • New version released, now you can use keycloak.json file to define your configuration. – Pablo Bastidas May 19 '18 at 20:56
  • OK, I will try it, but can you explain why it is not possible to define only a public key and an auth URL, as shown on this page https://docs.payara.fish/documentation/microprofile/jwt.html? – Thomás Sousa Silva May 20 '18 at 15:59
  • I have no clue why it does not work with that mechanism, sorry... I tried, and in the end I used the Keycloak adapter to achieve my goal. – Pablo Bastidas May 20 '18 at 16:54
  • I created an application with your adapter, but the application does not recognize the user roles using @RolesAllowed – Thomás Sousa Silva May 20 '18 at 22:33
  • I fixed this problem by adding the @DeclareRoles annotation with the roles used. – Thomás Sousa Silva May 21 '18 at 02:45
1

You can find a solution in The Payara Monthly Roundup for April 2019

MicroProfile JWT with Keycloak - In this step by step blog, Hayri Cicek demonstrates how to secure your services using MicroProfile JWT and Keycloak.

Init LoginConfig and map your roles using DeclareRoles

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;
import javax.annotation.security.DeclareRoles;

@LoginConfig(authMethod = "MP-JWT")
@ApplicationPath("/")
@DeclareRoles({ "mysimplerole", "USER" })
public class ApplicationConfig extends Application {

}

Add params to microprofile-config.properties

mp.jwt.verify.publickey.location=http://localhost:8084/auth/realms/public/protocol/openid-connect/certs
mp.jwt.verify.issuer=http://localhost:8084/auth/realms/public

And you can use your roles in RolesAllowed

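import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.ApplicationScoped;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;

@ApplicationScoped
@Path("/hello")
public class HelloWorldEndpoint {

    // Only callers whose verified token carries the role "mysimplerole" get through
    @GET
    @Produces("text/plain")
    @RolesAllowed("mysimplerole")
    public Response doGet() {
        return Response.ok("Hello from MicroProfile!").build();
    }
}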
lunicon
  • The link for MicroProfile JWT with Keycloak doesn't seem to work anymore – zlinks Feb 03 '23 at 12:05
  • See "secure your app" in the Keycloak docs https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter – lunicon Feb 06 '23 at 14:32
  • 1
    Found in the web archive https://web.archive.org/web/20220704065824/https://kodnito.com/posts/microprofile-jwt-with-keycloak/ – lunicon Feb 06 '23 at 14:35
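
A diagnostic for the MP-JWT configuration in the last answer, added here as an example (it is not code from the answer, the linked blog or Payara): MicroProfile JWT takes the caller's roles from the token's `groups` claim, while a Keycloak access token by default carries realm roles under `realm_access.roles`, so `@RolesAllowed` denies access until a Keycloak mapper emits `groups`. The class and method names and the sample tokens are constructed for illustration, and the code assumes a JSON-P (`javax.json`) implementation on the classpath.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.json.*;

// Diagnostic only: decodes the payload WITHOUT verifying the signature.
// Hypothetical helper, not part of MicroProfile JWT or Keycloak.
public class MpJwtClaimCheck {

    static JsonObject payload(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return Json.createReader(new StringReader(new String(json, StandardCharsets.UTF_8))).readObject();
    }

    // Reasons the token would be rejected or the role denied; an empty list means OK.
    static List<String> problems(JsonObject c, String issuer, String role, long nowEpochSec) {
        List<String> out = new ArrayList<>();
        if (!issuer.equals(c.getString("iss", null)))
            out.add("iss does not equal mp.jwt.verify.issuer");
        if (!c.containsKey("exp") || c.getJsonNumber("exp").longValue() <= nowEpochSec)
            out.add("exp missing or in the past");
        if (!c.containsKey("groups"))
            out.add("no groups claim (Keycloak default keeps roles in realm_access.roles)");
        else if (c.getJsonArray("groups").getValuesAs(JsonString.class).stream()
                .noneMatch(g -> g.getString().equals(role)))
            out.add("groups does not contain role " + role);
        return out;
    }

    // Wraps a payload in an unsigned, constructed sample token.
    static String sample(String payloadJson) {
        Base64.Encoder e = Base64.getUrlEncoder().withoutPadding();
        return e.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8)) + "."
             + e.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8)) + ".sig";
    }

    public static void main(String[] args) {
        String iss = "http://localhost:8084/auth/realms/public"; // issuer from the answer
        long now = 1_700_000_000L;                               // fixed clock for the demo
        String base = "{\"iss\":\"" + iss + "\",\"exp\":1700000300,";
        String keycloakDefault = sample(base + "\"realm_access\":{\"roles\":[\"mysimplerole\"]}}");
        String withMapper = sample(base + "\"groups\":[\"mysimplerole\",\"USER\"]}");
        System.out.println(problems(payload(keycloakDefault), iss, "mysimplerole", now));
        System.out.println(problems(payload(withMapper), iss, "mysimplerole", now));
    }
}
```

Run it against a token copied from a failing request to see which claim is off; the container still has to verify the signature against the keys at `mp.jwt.verify.publickey.location`.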