The objective of this project is to provide a "simple" example to access a Java Microservice using the Open Source Identity and Access Management Keycloak and JavaWebToken (JWT).
We want to ...
... secure the Microservice with Authentication
... secure a specific REST Endpoint invocation of the Microservice with Authorization
... test the access to the Microservice with a JUnit test.
The Microservice runs on OpenLiberty and uses MicroProfile. The example Microservice is called
Authors and is from the open sourced Cloud Native Starter project.The example doesn't use a frontend UI for the Authentication. The JUnit test will authenticate with the Keycloak REST API.
Here is a 7 minutes YouTube video about the setup of the example.
Authors Microservice application supports a protected login with JWT and the specific REST call
getAuthors is protected by a specific user role. The image below contains a simplified architecture overview of the example which runs on the local machine, here you see:
JUnit test and Authors Microservice are running on a
Authors Microservice is build with MicroProfile
JWT Key is saved on the OpenLiberty server in the
Authors Microservice using MicroProfile configuration
JUnit test requests a
bearer token to access the
The major configuration information inside
Note: In this example Keycloak server is available on localhost:8282 and Authors Microservice on OpenLiberty runs on localhost:3000.
A very simplified overview of the test execution to access
Authors Microservice using
JWT , is shown in the sequence diagram below.
JUnit test called
Test_GetAuthors. The test invokes the private operation
Request a bearer token from
Keycloak using a REST Endpoint (http://localhost:8282/auth/realms/protocol/openid-connect/token). The request contains the needed Keycloak data for the authorization as parameters to get the
formData.param("username", user).param("password", password).param("realm", realm).param("grant_type", grant_type).param("client_id", client_id);
bearer token does contain the
Java Web Token, which is protected with the
RS256 (RSA Signature with SHA-256).
RS256 is a JWT signing algorithm.
Proceeding with the test by invoking the private operation
Verifying the JWT by the
Authors Microservice application, that will be done automatically,, by using the given
RS256 signed Key for the JWT in our Microservice application on the
OpenLiberty server. When the provided Key is validated, the JWT can be used to access the REST Endpoint of the Authors Microservice.
Now the Endpoint validates, does the
JavaWebToken contain the right role to access the information?
Then the response data data will be compared with the expected value.
For the setup of Keycloak we need ...
... run a local Keycloak Docker image
... add a realm
... import an existing realm configuration with:
Role and Group definition
Groups role mapping
... create a user and add him to the existing group with the role to add the Microservice
For the setup of the Java Microservice with OpenLiberty and MicroProfile with the JUnit test, it's useful to understand the steps from the blog post "Write and execute a JUnit test for a Java Microservice based on MicroProfile and run both in the OpenLiberty development mode".
We need to ...
... configure the
server.xml of OpenLiberty
... add login and security functionality to the
... secure the REST Endpoint in the
We need to ...
... use the two-factor authentication to access the
... use a REST a client to send the requests to the
Authors Microservice and Keycloak
Authors Microservice response in the JUnit test
This project has been created by using following technical environment:
OpenLiberty: version 18.104.22.168
Keycloak: version 9.0.2
MicroProfile: version 3.2
Glassfish: version 1.1
yasson: version 1.0
JUnit: version 5.6.0
OpenLiberty Maven Plugin: version 3.1
Apache Maven Compiler Plugin: version 3.1
Maven Surefire Plugin: version 2.22.2
Apache CXF MicroProfile Client: version 3.3.1
Maven Java Compiler:: version 1.8