
Keycloak plus Clojure

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code. This library wraps the Keycloak Java Adapter and provides some utilities that facilitate the integration.

This repo was first an explanation of integrating Keycloak with Clojure; I have now transformed it into a library named keycloak-clojure that wraps the Keycloak Java Adapter and provides some utilities facilitating the integration. The initial explanation is now in the README of the sample directory.

Before going further, be sure to read the sample's README to understand the concepts Keycloak offers and the integration points needed to integrate it with your application backend and frontend. Of course, the way Keycloak integrates with your application depends on the stack it uses.

Keycloak

Concepts

Realm is the core concept in Keycloak. A realm secures and manages security metadata for a set of users, applications and registered OAuth clients.

A client is a service that is secured by a realm. Once your realm is created, you can create a client, i.e. a runtime component talking to Keycloak: web frontend code in a browser, mobile frontend code in a React Native app, an API server, etc. You will often create one client for every application secured by Keycloak.

When a user browses an application's web site, the application can redirect the user agent to the Keycloak server and request a login. Once a user is logged in, they can visit any other client (application) managed by the realm without having to re-enter credentials. This also holds true for logging out.

Roles can also be defined at the client level and assigned to specific users. Depending on the client type, you may also be able to view and manage user sessions from the administration console.

Adapters are Keycloak libraries in different technologies used by clients to communicate with the Keycloak server. Luckily, since Clojure and ClojureScript run on hosted platforms, respectively the JVM and the JS engine, we can use the Keycloak Java Adapter and the Keycloak JavaScript Adapter.

Keycloak implements the OpenID Connect terminology.

Installation

You can use the JBoss Keycloak Docker image:

docker pull jboss/keycloak:4.8.3.Final

You'll need an SQL database for the storage; I chose PostgreSQL. There is a lot of documentation out there on configuring Keycloak with PostgreSQL, just google it. I put them behind a dockerized nginx proxy that quite easily manages certificate renewal and the proxying of Docker containers (TLS is mandatory for Keycloak outside of a localhost deployment). I use nginx-proxy with the Letsencrypt nginx-proxy companion for the SSL support (SSL access is for me quite mandatory for Keycloak...). It's quite easy to set up (just add some env variables to the Docker container and that's it) and it works very well.

I put a script in bin/start-keycloak-docker.sh that assumes a PostgreSQL running on localhost on the default port (better performance on my Mac than starting a dockerized Postgres) to automate that.

Install PostgreSQL

brew install postgresql

Make sure PostgreSQL starts when the machine boots:

pg_ctl -D /usr/local/var/postgres start && brew services start postgresql

Create the default database user for Keycloak:

createuser keycloak --createdb --pwprompt

When asked for a password, type password.

Create the default database for Keycloak:

createdb keycloak -U keycloak

Start Keycloak in a Docker container:

cd docker
./start-keycloak-docker.sh

Now you can log in to Keycloak with "admin"/"password" on the "master" realm (the default realm that Keycloak uses for the "admin" user).

Create Application Realm

Now, depending on how your application uses the realm concept:

  • Multiple realms: one realm per tenant if you develop a SaaS application
  • Single Realm: just one realm if your application is an internal enterprise application

Manual Realm Creation

You can create the realm manually. In the Keycloak administration console, create:

The client screen has an "Installation" tab that lets you grab the credential secret for this client, which will be part of the needed configuration.

Automatic Realm Creation

Add the keycloak-clojure dependency to your Clojure project: [keycloak-clojure "0.1.5"] (Leiningen) or keycloak-clojure {:mvn/version "0.1.5"} (deps.edn). Fire up a REPL, then:

(ns keycloak.admin-test
  (:require [keycloak.admin :refer [create-realm!]]
            [keycloak.deployment :refer [keycloak-client client-conf]]))

;; create the admin Keycloak client: it talks to the "master" realm through the built-in "admin-cli" client
(def admin-client (keycloak-client (client-conf "master" "admin-cli" "http://localhost:8080/auth") "admin" "password"))

;; create our own application realm
(create-realm! admin-client "myrealm")
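An added example, not part of the library or of this README, that goes one step beyond create-realm!: it builds the realm together with the two kinds of client described in the Concepts section (a public client for the browser frontend and a bearer-only client for the API backend) plus one realm role, talking through interop to the Keycloak Java Admin Client that keycloak-clojure wraps. The client ids, redirect URI and role name are assumed values, and the admin password is read from an assumed KEYCLOAK_ADMIN_PASSWORD environment variable instead of being written in the file.

```clojure
(ns example.realm-setup
  (:import [org.keycloak.admin.client Keycloak]
           [org.keycloak.representations.idm RealmRepresentation
            ClientRepresentation RoleRepresentation]))

;; Admin connection through the "admin-cli" client of the "master" realm.
;; The password comes from the environment (assumed variable name), so it
;; is never committed with the code.
(defn admin-client [auth-server-url]
  (Keycloak/getInstance auth-server-url "master" "admin"
                        (System/getenv "KEYCLOAK_ADMIN_PASSWORD")
                        "admin-cli"))

(defn realm-rep [realm-name]
  (doto (RealmRepresentation.)
    (.setRealm realm-name)
    (.setEnabled true)))

;; Public client for browser code: it cannot keep a secret, so the list of
;; redirect URIs Keycloak may send tokens to is its main protection. Keep it
;; tight: a bare "*" would let tokens be delivered to any origin.
(defn frontend-client-rep [client-id redirect-uris]
  (doto (ClientRepresentation.)
    (.setClientId client-id)
    (.setPublicClient true)
    (.setRedirectUris (java.util.ArrayList. redirect-uris))
    (.setEnabled true)))

;; Bearer-only client for the API server: it only validates the bearer
;; tokens obtained by the frontend and never starts a login itself.
(defn backend-client-rep [client-id]
  (doto (ClientRepresentation.)
    (.setClientId client-id)
    (.setBearerOnly true)
    (.setEnabled true)))

;; Creates the realm, both clients and one realm role. Returns the HTTP
;; status of each client creation (201 when created, 409 if it already existed).
(defn create-realm-with-clients! [^Keycloak kc realm-name]
  (.create (.realms kc) (realm-rep realm-name))
  (let [realm    (.realm kc realm-name)
        clients  (.clients realm)
        statuses (mapv #(.getStatus (.create clients %))
                       [(frontend-client-rep "myapp-frontend"
                                             ["https://myapp.example.com/*"])
                        (backend-client-rep "myapp-api")])]
    (.create (.roles realm) (doto (RoleRepresentation.) (.setName "user")))
    statuses))

(comment
  (create-realm-with-clients! (admin-client "http://localhost:8080/auth") "myrealm"))
```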

Keycloak interaction with a web frontend and an API backend

The following schema describes the steps and the interactions between the browser, the Keycloak server and the API server:

Backend

Installation

Keycloak configuration

Client

Authentication and authorization usage

Admin Usage (create Realm, Client, Role, User, etc.)

Sample integration with Yada

Frontend

Installation

Usage

Sample integration with Re-frame


