Use the Quarkus OpenID Connect (OIDC) extension to secure a Jakarta REST application with Bearer token authentication. The bearer tokens are issued by OIDC and OAuth 2.0 compliant authorization servers, such as Keycloak.
For more information about OIDC Bearer token authentication, see the Quarkus OpenID Connect (OIDC) Bearer token authentication guide.
If you want to protect web applications by using OIDC Authorization Code Flow authentication, see the OpenID Connect authorization code flow mechanism for protecting web applications guide.
This example shows how you can build a simple microservice that offers two endpoints:
-
/api/users/me -
/api/admin
These endpoints are protected and can only be accessed if a client sends a bearer token along with the request, which must be valid (for example, signature, expiration, and audience) and trusted by the microservice.
A Keycloak server issues the bearer token and represents the subject for which the token was issued. Because it is an OAuth 2.0 authorization server, the token also references the client acting on the user’s behalf.
Any user with a valid token can access the /api/users/me endpoint.
As a response, it returns a JSON document with user details obtained from the information in the token.
The /api/admin endpoint is protected with RBAC (Role-Based Access Control), which only users with the admin role can access.
At this endpoint, the @RolesAllowed annotation is used to enforce the access constraint declaratively.
Follow the instructions in the next sections and create the application step by step. You can also go straight to the completed example.
You can clone the Git repository by running the command git clone {quickstarts-clone-url}, or you can download an {quickstarts-archive-url}[archive].
The solution is located in the security-openid-connect-quickstart directory.
You can either create a new Maven project with the oidc extension or you can add the extension to an existing Maven project.
Complete one of the following commands:
To create a new Maven project, use the following command:
If you already have your Quarkus project configured, you can add the oidc extension to your project by running the following command in your project base directory:
This will add the following to your build file:
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-oidc</artifactId>
</dependency>implementation("io.quarkus:quarkus-oidc")-
Implement the
/api/users/meendpoint as shown in the following example, which is a regular Jakarta REST resource:package org.acme.security.openid.connect; import jakarta.annotation.security.RolesAllowed; import jakarta.inject.Inject; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; import org.jboss.resteasy.reactive.NoCache; import io.quarkus.security.identity.SecurityIdentity; @Path("/api/users") public class UsersResource { @Inject SecurityIdentity securityIdentity; @GET @Path("/me") @RolesAllowed("user") @NoCache public User me() { return new User(securityIdentity); } public static class User { private final String userName; User(SecurityIdentity securityIdentity) { this.userName = securityIdentity.getPrincipal().getName(); } public String getUserName() { return userName; } } }
-
Implement the
/api/adminendpoint as shown in the following example:package org.acme.security.openid.connect; import jakarta.annotation.security.RolesAllowed; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; import jakarta.ws.rs.Produces; import jakarta.ws.rs.core.MediaType; @Path("/api/admin") public class AdminResource { @GET @RolesAllowed("admin") @Produces(MediaType.TEXT_PLAIN) public String admin() { return "granted"; } }
NoteThe main difference in this example is that the
@RolesAllowedannotation is used to verify that only users granted theadminrole can access the endpoint.
Injection of the SecurityIdentity is supported in both @RequestScoped and @ApplicationScoped contexts.
-
Configure the Quarkus OpenID Connect (OIDC) extension by setting the following configuration properties in the
src/main/resources/application.propertiesfile.%prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus quarkus.oidc.client-id=backend-service quarkus.oidc.credentials.secret=secret # Tell Dev Services for Keycloak to import the realm file # This property is not effective when running the application in JVM or native modes quarkus.keycloak.devservices.realm-path=quarkus-realm.json
Where:
-
%prod.quarkus.oidc.auth-server-urlsets the base URL of the OpenID Connect (OIDC) server. The%prod.profile prefix ensures thatDev Services for Keycloaklaunches a container when you run the application in development (dev) mode. For more information, see the Run the application in dev mode section. -
quarkus.oidc.client-idsets a client id that identifies the application. -
quarkus.oidc.credentials.secretsets the client secret, which is used by theclient_secret_basicauthentication method.
For more information, see the Quarkus OpenID Connect (OIDC) configuration properties guide.
Put the realm configuration file in the src/main/resources application folder so that it gets copied to the classpath and imported automatically to Keycloak. You do not need to do this if you have already built a complete solution, in which case, this realm file is added to the classpath during the build.
-
To run the application in dev mode, run the following commands:
-
Dev Services for Keycloak will start a Keycloak container and import a
quarkus-realm.json.
-
-
Open a Dev UI, which you can find at /q/dev-ui. Then, in an
OpenID Connectcard, click theKeycloak providerlink . -
When prompted to log in to a
Single Page Applicationprovided byOpenID Connect Dev UI, do the following steps:-
Log in as
alice(password:alice), who has auserrole.-
Accessing
/api/adminreturns a403status code. -
Accessing
/api/users/mereturns a200status code.
-
-
Log out and log in again as
admin(password:admin), who has bothadminanduserroles.-
Accessing
/api/adminreturns a200status code. -
Accessing
/api/users/mereturns a200status code.
-
-
|
Note
|
Do not start the Keycloak server when you run the application in dev mode; |
+ . To start a Keycloak server, you can use Docker to run the following command:
+
docker run --name keycloak -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin -p 8180:8080 {keycloak-image} start-dev-
You can access your Keycloak server at localhost:8180.
-
To access the Keycloak Administration console, log in as the
adminuser by using the following login credentials:-
Username:
admin -
Password:
admin
-
-
Import the realm configuration file from the upstream community repository to create a new realm.
For more information, see the Keycloak documentation about creating and configuring a new realm.
|
Note
|
To configure the Keycloak server from your application by using the Keycloak Admin Client, include one of the following extensions based on your setup:
These guidelines ensure seamless integration of the Keycloak Admin Client with your REST framework, whether you are working with a REST server, a REST client, or both. For more information, see the Quarkus Keycloak Admin Client guide. |
-
Compile the application:
-
Run the application:
java -jar target/quarkus-app/quarkus-run.jar
You can compile this same demo as-is into native mode without any modifications. This implies that you no longer need to install a JVM on your production environment. The runtime technology is included in the produced binary and optimized to run with minimal resources required.
Compilation takes a bit longer, so this step is disabled by default.
-
Build your application again by enabling the
nativeprofile: -
After waiting a little while, you run the following binary directly:
./target/security-openid-connect-quickstart-1.0.0-SNAPSHOT-runner
For information about testing your application in dev mode, see the preceding Run the application in dev mode section.
You can test the application launched in JVM or native modes with curl.
-
Because the application uses Bearer token authentication, you must first obtain an access token from the Keycloak server to access the application resources:
export access_token=$(\
curl --insecure -X POST http://localhost:8180/realms/quarkus/protocol/openid-connect/token \
--user backend-service:secret \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'username=alice&password=alice&grant_type=password' | jq --raw-output '.access_token' \
)|
Note
|
When the export access_token=$(\
curl --insecure -X POST http://localhost:8180/realms/quarkus/protocol/openid-connect/token \
--user backend-service:secret \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'username=alice&password=alice&grant_type=password&scope=openid' | jq --raw-output '.access_token' \
) |
The preceding example obtains an access token for the user alice.
-
Any user can access the
http://localhost:8080/api/users/meendpoint, which returns a JSON payload with details about the user.
curl -v -X GET \
http://localhost:8080/api/users/me \
-H "Authorization: Bearer "$access_token-
Only users with the
adminrole can access thehttp://localhost:8080/api/adminendpoint. If you try to access this endpoint with the previously-issued access token, you get a403response from the server.
curl -v -X GET \
http://localhost:8080/api/admin \
-H "Authorization: Bearer "$access_token-
To access the admin endpoint, obtain a token for the
adminuser:
export access_token=$(\
curl --insecure -X POST http://localhost:8180/realms/quarkus/protocol/openid-connect/token \
--user backend-service:secret \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'username=admin&password=admin&grant_type=password' | jq --raw-output '.access_token' \
)For information about writing integration tests that depend on Dev Services for Keycloak, see the Dev Services for Keycloak section of the "OpenID Connect (OIDC) Bearer token authentication" guide.