Implement Oauth2 resource server. Add Keycloak to docker compose

Author: Konstantin Pankratov

.gitignore

@@ -5,3 +5,4 @@ target/
 start_vpn.sh
 server/generated-sources/
 data/
+.env

docker-compose.yml

@@ -1,9 +1,41 @@
 services: 
-  backend:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    image: panderu/study-buddies-backend:latest 
-    container_name: backend
-    ports: 
-      - "8080:8080"
+  keycloak_web:
+    image: keycloak/keycloak:latest
+    container_name: kc-web
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://keycloakdb:5432/keycloak
+      KC_DB_USERNAME: ${KC_DB_USERNAME}
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
+
+      KEYCLOAK_ADMIN: ${KC_DB_USERNAME}
+      KEYCLOAK_ADMIN_PASSWORD: ${KC_DB_PASSWORD}
+
+
+      KC_HOSTNAME: localhost
+      KC_HOSTNAME_PORT: 8080
+      KC_HOSTNAME_STRICT: 'false'
+      KC_HOSTNAME_STRICT_HTTPS: 'false'
+      KC_LOG_LEVEL: debug
+
+      KC_METRICS_ENABLED: 'true'
+      KC_HEALTH_ENABLED: 'true'
+      KC_PROXY: edge
+      KC_PROXY_HEADERS: forwarded
+    command: start-dev
+    depends_on:
+      - keycloakdb
+    ports:
+      - '7070:8080'
+######################################################
+  keycloakdb:
+    image: postgres:15
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: ${KC_DB_USERNAME}
+      POSTGRES_PASSWORD: ${KC_DB_PASSWORD}
+######################################################
+volumes:
+  postgres_data:

server/application.properties

@@ -99,6 +99,46 @@
     	<artifactId>bcpkix-jdk18on</artifactId>
     	<version>1.78.1</version>
 		</dependency>
+
+		<dependency>
+			<groupId>org.keycloak</groupId>
+			<artifactId>keycloak-spring-boot-starter</artifactId>
+			<version>25.0.3</version>
+		</dependency>
+		<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<version>6.4.2</version>
+		</dependency>
+		<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
+		<dependency>
+				<groupId>org.springframework.security</groupId>
+				<artifactId>spring-security-web</artifactId>
+				<version>6.4.2</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
+
+		<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-config</artifactId>
+			<version>6.4.2</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-client</artifactId>
+		</dependency>
+		<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-authorization-server -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-authorization-server</artifactId>
+		</dependency>
+
 	</dependencies>
 
 	<!-- Build section: Contains build-specific information such as plugins -->

server/pom.xml

@@ -0,0 +1,41 @@
+package com.studybuddies.server.configuration;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.lang.NonNull;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
+
+public class KeycloakJwtAuthenticationConverter implements
+    Converter<Jwt, AbstractAuthenticationToken> {
+
+
+  @Override
+  public AbstractAuthenticationToken convert(@NonNull Jwt source) {
+    return new JwtAuthenticationToken(
+            source,
+            Stream.concat(
+                new JwtGrantedAuthoritiesConverter().convert(source).stream(),
+                extractResourceRoles(source).stream()
+        ).collect(Collectors.toSet())
+    );
+  }
+
+  private Collection<? extends GrantedAuthority> extractResourceRoles(Jwt jwt) {
+    var resourceAccess = new HashMap<>(jwt.getClaim("resource_access"));
+    var eternal = (Map<String, List<String>>) resourceAccess.get("account");
+    var roles = eternal.get("roles");
+    return roles.stream()
+        .map(role -> new SimpleGrantedAuthority("ROLE_" + role.replace("-", "_"))).collect(
+            Collectors.toSet());
+  }
+}

server/src/main/java/com/studybuddies/server/configuration/KeycloakJwtAuthenticationConverter.java

@@ -0,0 +1,23 @@
+package com.studybuddies.server.configuration;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+  @Bean
+  protected SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+    http
+        .csrf(AbstractHttpConfigurer::disable)  // Disable csrf because of use of JWT Tokens
+        .authorizeHttpRequests(req -> req.anyRequest().authenticated());  // Permit only authenticated requests
+    http.oauth2ResourceServer(auth -> auth.jwt(token -> token.jwtAuthenticationConverter(new KeycloakJwtAuthenticationConverter())));
+
+    return http.build();
+  }
+}

server/src/main/java/com/studybuddies/server/configuration/SecurityConfig.java

@@ -5,7 +5,7 @@ spring:
         name: server
     datasource:
         url: jdbc:h2:file:./data/demo
-        username: sa
+        username: sa #TODO: Extract this into a dev config application-dev.yml
         password: password
         driverClassName: org.h2.Driver
     jpa:
@@ -15,6 +15,10 @@ spring:
             ddl-auto: update
     h2:
         console.enabled: true
-
+    security:
+        oauth2:
+            resourceserver:
+                jwt:
+                    issuer-uri: "http://localhost:7070/realms/study-buddies"
 springdoc:
-    swagger-ui.path: /api-docs
+    swagger-ui.path: /api-docs