OIDC Authentication with Keycloak

Author: SIMULATAN

application.yml

@@ -1 +1,3 @@
 environment: DEVELOPMENT
+port: 8080
+publicHost: http://localhost:{{port}}

build.gradle.kts

@@ -86,6 +86,9 @@ dependencies {
     testImplementation(tests.mockk)
     testImplementation(tests.assertj.core)
     testImplementation(tests.json)
+
+    // dev
+    devImplementation(dev.keycloak.adminClient)
 }
 
 application {

infra/keycloak/.env.default

@@ -0,0 +1,3 @@
+# KEYCLOAK_PORT=8081
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=myadminpassword

infra/keycloak/.gitignore

@@ -0,0 +1 @@
+.env

infra/keycloak/docker-compose.yml

@@ -0,0 +1,14 @@
+services:
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0
+    user: ${UID:-1000}:${GID:-1000}
+    env_file:
+      - path: .env.default
+        required: true
+      # overrides the .env file
+      - path: .env
+        required: false
+    ports:
+      - ${KEYCLOAK_PORT:-8081}:8080
+    command:
+      - start-dev

settings.gradle.kts

@@ -141,5 +141,10 @@ dependencyResolutionManagement {
 			library("json", "org.json", "json")
 				.version("20240303")
 		}
+
+		create("dev") {
+			library("keycloak-adminClient", "org.keycloak", "keycloak-admin-client")
+				.version("24.0.2")
+		}
 	}
 }

src/dev/kotlin/me/snoty/backend/dev/DevUtils.kt

@@ -0,0 +1,9 @@
+package me.snoty.backend.dev
+
+import kotlin.random.Random
+
+private val charPool : List<Char> = ('a'..'z') + ('A'..'Z') + ('0'..'9')
+fun randomString(stringLength: Int = 32) =
+	(1..stringLength)
+	.map { Random.nextInt(0, charPool.size).let { charPool[it] } }
+	.joinToString("")

src/dev/kotlin/me/snoty/backend/dev/auth/KeycloakConfigurationResult.kt

@@ -0,0 +1,6 @@
+package me.snoty.backend.dev.auth
+
+data class KeycloakConfigurationResult(
+	val clientId: String,
+	val clientSecret: String
+)

src/dev/kotlin/me/snoty/backend/dev/auth/KeycloakConfigurer.kt

@@ -0,0 +1,69 @@
+package me.snoty.backend.dev.auth
+
+import me.snoty.backend.dev.randomString
+import org.keycloak.admin.client.resource.RealmsResource
+import org.keycloak.representations.idm.ClientRepresentation
+import org.keycloak.representations.idm.RealmRepresentation
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import kotlin.time.Duration.Companion.days
+
+class KeycloakConfigurer(private var realmsResource: RealmsResource, private var realmName: String) {
+	private val logger: Logger = LoggerFactory.getLogger(javaClass)
+
+	/**
+	 * Configures the realm, first validates if the realm exists and if none exists, creates the realm.
+	 */
+	fun configure(): KeycloakConfigurationResult {
+		val realms = realmsResource.findAll()
+		if (realms.stream().noneMatch { realm: RealmRepresentation -> realm.id == realmName }) {
+			logger.info("Realm {} does not exist yet, creating...", realmName)
+			createRealm(realmName, realmsResource)
+		}
+		return updateRealm()
+	}
+
+	private fun createRealm(realmName: String?, realmsResource: RealmsResource?) {
+		val realmRepresentation = RealmRepresentation()
+		realmRepresentation.displayName = realmName
+		realmRepresentation.id = realmName
+		realmRepresentation.realm = realmName
+		realmRepresentation.isEnabled = false
+
+		realmsResource!!.create(realmRepresentation)
+		logger.info("Created realm '{}'", realmName)
+	}
+
+	private fun updateRealm(): KeycloakConfigurationResult {
+		val realmRepresentation = RealmRepresentation().apply {
+			isBruteForceProtected = true
+			isEnabled = true
+			isRegistrationAllowed = true
+			isEditUsernameAllowed = true
+			// avoids browser-side https enforcement
+			browserSecurityHeaders = mapOf("strictTransportSecurity" to "")
+			ssoSessionIdleTimeout = 7.days.inWholeSeconds.toInt()
+			ssoSessionMaxLifespan = 30.days.inWholeSeconds.toInt()
+			accessTokenLifespan = 1.days.inWholeSeconds.toInt()
+		}
+		val realmResource = realmsResource.realm(realmName)
+		realmResource.update(realmRepresentation)
+
+		val clientsResource = realmResource.clients()
+		return (clientsResource.findByClientId("snoty").firstOrNull() ?: let {
+			logger.info("Client 'snoty' does not exist yet, creating...")
+				ClientRepresentation().apply {
+					clientId = "snoty"
+					secret = randomString(64)
+					isDirectAccessGrantsEnabled = true
+					isServiceAccountsEnabled = true
+					redirectUris = listOf("http://localhost:8080/*")
+					clientsResource.create(this)
+					logger.info("Created client 'snoty'")
+				}
+			})
+		.let {
+			return@let KeycloakConfigurationResult(it.clientId, it.secret)
+		}
+	}
+}

src/dev/kotlin/me/snoty/backend/dev/auth/KeycloakContainerConfig.kt

@@ -0,0 +1,18 @@
+package me.snoty.backend.dev.auth
+
+import com.sksamuel.hoplite.ConfigAlias
+import com.sksamuel.hoplite.Masked
+
+/**
+ * Configuration that resembles the environment variables for the Keycloak container.
+ * The same .env file can be used for the keycloak container and the application.
+ * This reduces the risk of configuration drift between the two.
+ */
+data class KeycloakContainerConfig(
+	@ConfigAlias("KEYCLOAK_ADMIN")
+	val adminUser: String,
+	@ConfigAlias("KEYCLOAK_ADMIN_PASSWORD")
+	val adminPassword: Masked,
+	@ConfigAlias("KEYCLOAK_PORT")
+	val port: Int = 8081
+)

src/dev/kotlin/me/snoty/backend/dev/auth/KeycloakSetup.kt

@@ -0,0 +1,46 @@
+package me.snoty.backend.dev.auth
+
+import com.sksamuel.hoplite.ConfigLoaderBuilder
+import com.sksamuel.hoplite.addFileSource
+import com.sksamuel.hoplite.parsers.PropsParser
+import me.snoty.backend.spi.DevRunnable
+import org.keycloak.admin.client.KeycloakBuilder
+import org.slf4j.LoggerFactory
+
+const val REALM_NAME = "snoty"
+const val ADMIN_CLI = "admin-cli"
+
+class KeycloakSetup : DevRunnable {
+	override fun run() {
+		val containerConfig = ConfigLoaderBuilder.default()
+			.addParser("env", PropsParser())
+			// `.env.default` file - WARNING: this assumes all *.default files are .env files
+			.addParser("default", PropsParser())
+			// local configuration takes precedence
+			.addFileSource("infra/keycloak/.env", optional = true, allowEmpty = false)
+			.addFileSource("infra/keycloak/.env.default", optional = true, allowEmpty = false)
+			.build()
+			.loadConfig<KeycloakContainerConfig>()
+			.onFailure { LoggerFactory.getLogger(javaClass).warn("Failed to load KeycloakContainerConfig: ${it.description()}") }
+			.also {
+				LoggerFactory.getLogger(javaClass).info("Loaded KeycloakContainerConfig: $it")
+			}.getUnsafe()
+		val serverUrl = "http://localhost:${containerConfig.port}"
+
+		val keycloak = KeycloakBuilder.builder()
+			.serverUrl(serverUrl)
+			// the realm of the user we're authenticating with
+			.realm("master")
+			.username(containerConfig.adminUser)
+			.password(containerConfig.adminPassword.value)
+			.clientId(ADMIN_CLI)
+			.build()
+
+		val result = KeycloakConfigurer(keycloak.realms(), REALM_NAME)
+			.configure()
+
+		System.setProperty("config.override.authentication.serverUrl", "$serverUrl/realms/$REALM_NAME")
+		System.setProperty("config.override.authentication.clientId", result.clientId)
+		System.setProperty("config.override.authentication.clientSecret", result.clientSecret)
+	}
+}

src/dev/resources/META-INF/services/me.snoty.backend.spi.DevRunnable

@@ -1 +1,2 @@
 me.snoty.backend.dev.DevNotifier
+me.snoty.backend.dev.auth.KeycloakSetup

src/main/kotlin/me/snoty/backend/Application.kt

@@ -6,6 +6,9 @@ import me.snoty.backend.server.KtorServer
 import me.snoty.backend.spi.DevManager
 
 fun main() {
+	// ran pre-config load to allow dev functions to configure the environment
+	DevManager.runDevFunctions()
+
 	val configLoader = ConfigLoaderImpl()
 	val config = configLoader.loadConfig()
 
@@ -22,8 +25,6 @@ fun main() {
 		}
 	}
 
-	DevManager.runDevFunctions()
-
 	KtorServer(config, buildInfo)
 		.start(wait = true)
 }

src/main/kotlin/me/snoty/backend/config/Config.kt

@@ -3,5 +3,7 @@ package me.snoty.backend.config
 data class Config(
 	val database: DatabaseConfig,
 	val port: Short = 8080,
-	val environment: Environment
+	val publicHost: String,
+	val environment: Environment,
+	val authentication: OidcConfig
 )

src/main/kotlin/me/snoty/backend/config/ConfigLoaderImpl.kt

@@ -16,6 +16,7 @@ class ConfigLoaderImpl : ConfigLoader {
 
 		return ConfigLoaderBuilder.default()
 			.withResolveTypesCaseInsensitive()
+			.addDefaultPreprocessors()
 			.addSource(PropsPropertySource(pgContainerConfig.getOrElse { Properties() }))
 			.addFileSource("application.local.yml", optional = true)
 			.addFileSource("application.yml", optional = true)

src/main/kotlin/me/snoty/backend/config/OidcConfig.kt

@@ -0,0 +1,9 @@
+package me.snoty.backend.config
+
+data class OidcConfig(
+	val serverUrl: String,
+	val issuerUrl: String = serverUrl,
+	val oidcUrl: String = "$serverUrl/protocol/openid-connect",
+	val clientId: String,
+	val clientSecret: String
+)

src/main/kotlin/me/snoty/backend/server/KtorServer.kt

@@ -31,7 +31,7 @@ class KtorServer(val config: Config, val buildInfo: BuildInfo) {
 	private fun Application.module() {
 		configureMonitoring()
 		configureHTTP()
-		configureSecurity()
+		configureSecurity(config)
 		configureSerialization()
 		configureDatabases(config.database.value)
 		configureRouting(config)

src/main/kotlin/me/snoty/backend/server/plugins/Monitoring.kt

@@ -27,6 +27,8 @@ fun Application.configureMonitoring() {
 		verify { callId: String ->
 			callId.isNotEmpty()
 		}
+		// generate if not set already
+		generate(10)
 	}
 	routing {
 		get("/metrics") {

src/main/kotlin/me/snoty/backend/server/plugins/Security.kt

@@ -1,68 +1,95 @@
 package me.snoty.backend.server.plugins
 
-import com.auth0.jwt.JWT
-import com.auth0.jwt.algorithms.Algorithm
+import com.auth0.jwk.UrlJwkProvider
 import io.ktor.client.*
 import io.ktor.client.engine.apache.*
 import io.ktor.http.*
+import io.ktor.http.auth.*
 import io.ktor.server.application.*
 import io.ktor.server.auth.*
 import io.ktor.server.auth.jwt.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
-import io.ktor.server.sessions.*
+import kotlinx.serialization.Serializable
+import me.snoty.backend.config.Config
+import me.snoty.backend.server.handler.UnauthorizedException
+import me.snoty.backend.utils.respondStatus
+import java.net.URI
 
-fun Application.configureSecurity() {
-	authentication {
-		oauth("auth-oauth-google") {
-			urlProvider = { "http://localhost:8080/callback" }
+fun Application.configureSecurity(config: Config) {
+	val authConfig = config.authentication
+	install(Authentication) {
+		oauth("keycloak") {
+			client = HttpClient(Apache)
 			providerLookup = {
 				OAuthServerSettings.OAuth2ServerSettings(
-					name = "google",
-					authorizeUrl = "https://accounts.google.com/o/oauth2/auth",
-					accessTokenUrl = "https://accounts.google.com/o/oauth2/token",
+					name = "keycloak",
+					authorizeUrl = "${authConfig.oidcUrl}/auth",
+					accessTokenUrl = "${authConfig.oidcUrl}/token",
+					clientId = authConfig.clientId,
+					clientSecret = authConfig.clientSecret,
+					accessTokenRequiresBasicAuth = false,
 					requestMethod = HttpMethod.Post,
-					clientId = System.getenv("GOOGLE_CLIENT_ID"),
-					clientSecret = System.getenv("GOOGLE_CLIENT_SECRET"),
-					defaultScopes = listOf("https://www.googleapis.com/auth/userinfo.profile")
+					defaultScopes = listOf("openid")
 				)
 			}
-			client = HttpClient(Apache)
+			urlProvider = {
+				"${config.publicHost}/callback"
+			}
 		}
-	}
-	// Please read the jwt property from the config file if you are using EngineMain
-	val jwtAudience = "jwt-audience"
-	val jwtDomain = "https://jwt-provider-domain/"
-	val jwtRealm = "ktor sample app"
-	val jwtSecret = "secret"
-	authentication {
-		jwt {
-			realm = jwtRealm
+		jwt("jwt-auth") {
+			authHeader { call ->
+				call.request.parseAuthorizationHeader()
+					// optionally load from cookies
+					?: parseAuthorizationHeader("Bearer ${call.request.cookies["access_token"]}")
+			}
 			verifier(
-				JWT
-					.require(Algorithm.HMAC256(jwtSecret))
-					.withAudience(jwtAudience)
-					.withIssuer(jwtDomain)
-					.build()
+				UrlJwkProvider(URI("${authConfig.oidcUrl}/certs").toURL()),
+				authConfig.issuerUrl
 			)
+			challenge { _, _ ->
+				call.respondStatus(UnauthorizedException("JWT is invalid"))
+			}
 			validate { credential ->
-				if (credential.payload.audience.contains(jwtAudience)) JWTPrincipal(credential.payload) else null
+				JWTPrincipal(credential.payload)
 			}
 		}
 	}
 	routing {
-		authenticate("auth-oauth-google") {
-			get("login") {
-				call.respondRedirect("/callback")
-			}
-
+		authenticate("keycloak") {
+			get("/login") {}
 			get("/callback") {
-				val principal: OAuthAccessTokenResponse.OAuth2? = call.authentication.principal()
-				call.sessions.set(UserSession(principal?.accessToken.toString()))
-				call.respondRedirect("/hello")
+				val principal = call.authentication.principal<OAuthAccessTokenResponse.OAuth2>()
+					?: return@get call.respondRedirect("/login")
+
+				call.response.cookies.append("access_token", principal.accessToken)
+				call.respondText(principal.accessToken)
+			}
+		}
+		authenticate("jwt-auth") {
+			get("/userInfo") {
+				call.respond(call.getUser())
 			}
 		}
 	}
 }
 
-class UserSession(accessToken: String)
+fun ApplicationCall.getUser(): User =
+	getUserOrNull() ?: throw UnauthorizedException("User not authenticated")
+
+fun ApplicationCall.getUserOrNull(): User? {
+	val principal = authentication.principal<JWTPrincipal>() ?: return null
+	val claims = principal.payload.claims
+	return User(
+		id = claims["sub"]?.asString() ?: "unknown",
+		name = claims["name"]?.asString() ?: "unknown",
+		email = claims["email"]?.asString() ?: "unknown"
+	)
+}
+
+@Serializable
+data class User(
+	val id: String,
+	val name: String,
+	val email: String,
+)