Thank you for those kind words. I hope this will be true soon 😅

Thank you. I hope this will be true soon 😅

😂 Yes, many people told me the same. I try to correct my look in my new videos 😅

Glad to hear that

Glad I helped you! I was thinking about making some videos about deploying on the different main platforms (AWS and GCP) with different approaches (VM, Docker, Kubernetes, Lambda, static...). What do you think?

@@TheDevWorldbySergioLema It would be extremely fascinating. Give it a little bit of seasoning of automation processes or practicle advice. You could make another tutorial series like the others. Tbh, it really excites me when thinking about it

Ok, I will try to do my best. Don't hesitate to share my channel or my playlist in your network, I'm sure you know a lot of people who will be interested too.

I try to be consistent with the content I upload. the messages of the community are the motivation to continue

In fact, you should protect everything but the login and create account endpoints.

@@TheDevWorldbySergioLema but there are some endpoints that is should be public, for example in e-commerce site, we don't oblige users to be authenticated to see the products, to add products to the cart...

Ok, I see your point. In this case you have to create multiple routes in the gateway configuration, and add the TokenFilter only on the protected endpoints: github.com/serlesen/authorization-server/blob/main/backend-gateway-client/src/main/resources/application.yml

thanks. In this case, you just call the login endpoint of your API Gateway, the redirection received will be the one of the login form of Keycloak. The rest will be handled by Keycloak until the callback you've configured

Thanks for your interest! You can import your existing users to Keycloak with the Import feature (www.keycloak.org/server/importExport). I've never did it, I don't know how it works.

First of all, thank you. Which part are you trying to test/mock? The resource server or the client server? I think that just overriding the Security Filters in the test suite, you should be able to mock the Keycloak part.

@@TheDevWorldbySergioLema I have API Gateway as a resource server and functional microservices (name it InvoiceMicro) also as a resource server's. In my case i am trying to mock authenticated request, right now it looks like beforeAll my InvoiceMicro make a call for keycloak for token, save the response as a string and add them to every test with WebClient. I am not sure if it's understandable :D

The resource server uses the OAuth2 protocol to authenticate the requests. Take a look at the testing with the OAuth2 as done in the following link, stackoverflow.com/questions/29510759/how-to-test-spring-security-oauth2-resource-server-security

Hi. Thanks for following me. I've never done it for a mobile app. Did you check this guide, developers.google.com/identity/protocols/oauth2/native-app?hl=en? Your mobile app should request the api gateway. Then the api gateway will redirect the user to the keycloak server. The endpoints to use are the same as done in a frontend application. About not using the browser for the login form, I'm not sure how to do it, as the keycloak server is the one which handles the authentication, and it's the one which informs the user about the scopes. Overriding all of this is like a Man-In-The-Middle attack. If you find something more, i would be interested in your results.

@@TheDevWorldbySergioLema Ok i have learnt that i should use "Trusted Web Activity" in android and that its a security risk to run authentication on the app native screen so i am doing that sadly with that approach i wont be able to utilize on many android features for example on the dynamic wallpaper colors but i will have to live with it.

Ok, I see. What you can simply do in your API Gateway, is redirect all the oauth2 requests to an internal microservice (as the Authorization Server) which will be responsible for the authentication. Don't know if this can help you.

@@TheDevWorldbySergioLema Thanks for the advice i have actually considered this but decided that going with the standard secure way (using keycloak) will be optimal as i have no real experience in DevSecOps. And thanks again for this video i have seen it countless times trying to understand oauth with keycloak and spring cloud gateway and it helped me a lot

Yes, using the standard way is the best choice. And thanks again for following me (don't hesitate to share my channel in your network, maybe some more can be interested in my content).

That's a good point. I've never use the Authorization in a Resource Server. I'll take a look at the documentation

From what I've read quickly: * You need to add the roles to the users in Keycloak * In the resources server, you add the annotation EnableGlobalMethodSecurity * in the endpoints, you add the PreAuthorize annotation About the 2 last points, you can check this video for more details: kzfaq.info/get/bejne/kKiVrNxltpnSeas.html

@@TheDevWorldbySergioLema client roles or realm roles? I need also a JWT converter? I tried with method annotation without success...

User's roles. And you don't need a JWT converter, as the roles come in the JWT and are translated to the Authorization bean (which is used in the PreAuthorize annotation). That's the theory, I didn't test it.

@@TheDevWorldbySergioLema It works!

First, thank you for following me. As indicated in the first video of this playlist, you can have just 3 Spring Boot application to handle this authentication pattern. If you want to introduce a Spring Cloud Gateway application, you can do it as the client server (as done in my second video of this playlist) or as the resource server. Using a Spring Cloud Gateway in any of those cases won't change the way the pattern is implemented. It will depend on how your architecture is implemented: if you have a lot of resources microservices to dispatch the information, I would put the Gateway as the resource server; if you have a complete microservice architecture which reads a single resource server, I would put the Gateway as the client server; or you can even combine both and have a Gateway in both places. The usage of the Gateway will depend on what's behind: a single service or multiples. I hope my answer helped you.

@@TheDevWorldbySergioLema Oh thank you for that detailed answer, i though the same too. Once again your w are really Amazing. Thanks for taking your time to share things with us.

Glad it helped you. Don't hesitate to share my channel, maybe someone in your network will also be interested by my content 😉

The best scenario to use KeyCloak is when you want to have a single authentication system for multiple applications. Let's say you're working on a company which have a backoffice to manage the products, some APIs built by other clients but consumed by the company, a mail server... All those applications are used by the same people. Instead of creating an account on each system, you can have KeyCloak as a SSO (Single Sign-On).

@@TheDevWorldbySergioLema thank you for reply! May be you can create some video with real case example, but any way thank you for your work

A problem I saw was that the browser stored the authentication cookie for localhost (which is the address of all the services) and is unable to distinguish the services. That's why I used alias for each service. This way, even having different port numbers, there is a different name for each service. Did you try adding the alias?

@@TheDevWorldbySergioLema yes I did try adding alias in the etc/ route with the three different names for keycloak, gateway, and resources. The resources and keycloak login work on its own but not through the gateway. I tried commenting out keycloak and oauth from my code, and test the gateway + resources alone, but still 404 error when I call through the gateway.

Try adding more verbose logs on the Gateway. Sometimes the 404 hides another error. Create a simple unprotected redirection from the gateway to the resources, it must work. Then add gradually, the headers redirection and the authentication to see which one is causing the problem.

Thanks. I'm sorry, but the project only works with PostgreSQL. Still it should't be hard to adapt it to MySQL. Check this docker compose file offered by Keycloak, github.com/keycloak/keycloak-containers/blob/main/docker-compose-examples/keycloak-mysql.yml

@@TheDevWorldbySergioLema Thanks for the quick reply. Would the Postgres db used in this project, also used be used for other micro services in a wider project, or is this db only for the keycloak instance?

For security concernes, I recommend you to leave this database isolate to other systems. As you already isolate the logic (having Keycloak as a separate authentication service), isolate the data too.

@@TheDevWorldbySergioLema Great thanks again for the quick reply!

It's a file in the Linux-based OS where you can create aliases for localhost. It's at "/etc/hosts". You need to add the lines I've shown in the video to add another alias for localhost. The aliases are needed, otherwise, Keycloack won't be able to distinguish the authentication server from the resources server from the client server (as all are localhost).

@@TheDevWorldbySergioLema Thanks for explanation! :)

I've done the integration with React, kzfaq.info/get/bejne/nsyVgtSnrd6sf2w.html (not yet with Angular 😉) About the role-based, you must define the user's roles in Keycloak, then add the annotation EnableGlobalMethodSecurity and use the annotations PreAuthorize on the controllers to control the access per roles.

@@TheDevWorldbySergioLema Thanks for the reply. I meant the angular side actually? The backend side is OK. Let me have a look at your React version.

@@TheDevWorldbySergioLema Hi, I have just had a look at your react-cloudgateway-resourceserver-keycloak combination. I deduce the following fom the code. Please correct me if I am wrong, or you might need to add something more to my deductions. 1)Cloudgateway server has no spring security code other than the cors setting and relaying the request from the front-end to the required end-points in the resource server. 2) Front-end has an "auth_helper.js " file which creates a UserManager object by way of oidc-client.js file using the keycloak-settings parameters related to the client. So the Keycloak only knows the front-end. 3) When sending a request from the front-end to the gateway server(and then to the resource server), the front-end gets the access-token from the keycloak server (front-end does not store access-token in local storage) by way of UserManager object and does its request adding the token to the request header(Here you use axios to send the request). One question here: Probably we need to get from the token the role of the user so that we can carry out a role-based preliminary request-filtering at the front-end side. 4) Resource server has all the code and settings to accept the keycloak server as the token provider plus the role based authorization of its end-points. Thanks.

I think this is about the video of the React integration with Keycloak. 1) Yes, the Gateway has no security logic; 2) All the authentication is handled by the frontend, that's why we need to configured the Keycloak client differently, without client-id, client-secret; 3) Yes, the frontend use the token from Keycloak to request the API gateway and the resources server. If you add the roles to the user, the JWT will have them, then it's the job of the resources server to check the roles of the JWT with the annotations PreAuthorized 4)That's right, the resources server will consume the JWT and accept of deny access if you configure a role based authorization

Thank you John

In this case, letting the Gateway being the resources server will be the best option. This way, you only have one microservice (the API Gateway) which has all the configuration about the OAuth2 flow, then, the inner microservice use the JWT and always trust the incoming requests from the API Gateway (I'm preparing a video with this configuration, hope it will be ready soon).

Using a JWT, you need to store username credentials into your application. This way you can generate a JWT once validated manually the credentials. Using Keycloak, you don't need to store the credentials into your application. All is managed by Keycloak. And Keycloak may be managed by another team or company.

Yes. You must adapt your gateway each time a new resource server is added: the redirection route must be specified, the authentication protocol, the scopes...

Thank you. Maybe I didn't understand the question, but I think that was what I explained in the video. You have the backend-resources behind an API Gateway. Aside, you have the Keycloak which handles the authorizations. Check the Github project, github.com/serlesen/authorization-server/tree/chapter_3

You're right, I should have used a fixed version (don't remember the one available when making the video).

The users must be created in Keycloak. But you can have your own login page, you only have to say to Keycloak if you want to use the default Keycloak login page, or your login page.

@@TheDevWorldbySergioLema thanks for answer, can you create tutorial how we can do it ?.

I'll put it on my todo list 😉

I'm not sure about what is the "legacy" mode of Keycloak.

I know about session management in sprin security not sure how it fits in this oauth 2 flow with spring Authorization server kindly provide your views on this

You can do it from keycloak: stackoverflow.com/questions/43347758/disable-multiple-login-at-keycloak

@@TheDevWorldbySergioLema yeah we are aware of this feature at keycloak but trying to achieve with spring Authorization server

I've never used this approach on the authorization server. Maybe you can try something like what I did in this video (serializing the session in Redis): kzfaq.info/get/bejne/j72GndF72LC2d2Q.html

I've done it with React. You must just read the HTTP code, check if it's a redirection, and call the Location header if needed. If you delegate the request to the browser, the redirection is done automatically.

@@TheDevWorldbySergioLema is your project open source? Would be great :)

Yes, you have it in the description of the video. Here is the link, github.com/serlesen/authorization-server/tree/chapter_3

@@TheDevWorldbySergioLema i mean the react part :)

Oh sorry, I've just made a quick test and deleted the code. Sorry

Woauh! That's very specific.

@@TheDevWorldbySergioLema Do you mean to say that such a bundle is almost not used? As far as I understand, Spring has released a new version of OAUTH 2.1. It is completely redesigned and very different from the old one. Perhaps this is a very good solution. You will be the first to provide material on this topic.

I will take a look

Та что то материалов нормальных нет... Тоже туго так, жесть

😅

@@TheDevWorldbySergioLema really nice tutorial tho, thank you!

Thanks for watching Muhamad!