Merge pull request #46 from igorcampos-dev/feature/keycloak-OIDC

Feature/keycloak OIDC

Author: igorcampos-dev

spring-keycloak-example/Dockerfile

@@ -18,30 +18,14 @@ RUN --mount=type=bind,source=pom.xml,target=pom.xml \
     ./mvnw package -DskipTests && \
     mv target/$(./mvnw help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout).jar target/app.jar
 
-FROM package as extract
+FROM eclipse-temurin:21.0.7_6-jre-jammy AS final
 
-WORKDIR /build
+RUN apt-get update && apt-get install -y nginx supervisor && rm -rf /var/lib/apt/lists/*
+COPY docker/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY docker/nginx/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
-RUN java -Djarmode=layertools -jar target/app.jar extract --destination target/extracted
+COPY --from=package /build/target/app.jar /app/app.jar
 
-FROM eclipse-temurin:21.0.7_6-jre-jammy AS final
+EXPOSE 8083 8080
 
-ARG UID=10001
-RUN adduser \
-    --disabled-password \
-    --gecos "" \
-    --home "/nonexistent" \
-    --shell "/sbin/nologin" \
-    --no-create-home \
-    --uid "${UID}" \
-    appuser
-USER appuser
-
-COPY --from=extract build/target/extracted/dependencies/ ./
-COPY --from=extract build/target/extracted/spring-boot-loader/ ./
-COPY --from=extract build/target/extracted/snapshot-dependencies/ ./
-COPY --from=extract build/target/extracted/application/ ./
-
-EXPOSE 80
-
-ENTRYPOINT [ "java", "org.springframework.boot.loader.launch.JarLauncher" ]
+ENTRYPOINT ["supervisord", "-n"]

spring-keycloak-example/Dockerfile.keycloak

@@ -1,6 +1,7 @@
 FROM quay.io/keycloak/keycloak:26.3 AS builder
 
 WORKDIR /opt/keycloak
+
 RUN /opt/keycloak/bin/kc.sh build
 
 FROM quay.io/keycloak/keycloak:26.3

spring-keycloak-example/README.md

@@ -19,12 +19,31 @@ Includes a minimal setup for running a Spring Boot application secured by Keyclo
 
 ## Authentication Types Implemented
 
-- nothing
+### OIDC (OpenID Connect) via Keycloak
+
+- **Description:** Authentication using Keycloak as the OpenID Connect (OIDC) identity provider.
+
+- **Port:** `8083`
+
+- **Spring Profile:** `OIDC`
+
+- **Backup keycloak:** `oidc_auth_db_backup.sql`
+
+- **User Credentials:**
+    - Username: `oidc-user`
+    - Password: `oidc-password`
+
+- **Protected Route:** `/secured`
+
+- **Realm:** `redirect-login-example`
+
 
 ---
 
 ## Related Resources
 
-| Description                     | Link                                                                  |
-|---------------------------------|-----------------------------------------------------------------------|
-| Running Keycloak in a container | [keycloak.org/containers](https://www.keycloak.org/server/containers) |
+| Description                                                      | Link                                                                                                  |
+|------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|
+| Running Keycloak in a container                                  | [keycloak.org/containers](https://www.keycloak.org/server/containers)                                 |
+| Teaching how to set up Openid connect                            | [youtube/IW15Q68V50E](https://youtu.be/IW15Q68V50E?si=sJjvFoq8m0xL8xLn)                               |
+| Discussion about healthcheck configuration in keycloak container | [gist.github.com/sarath-soman](https://gist.github.com/sarath-soman/5d9aec06953bbd0990c648605d4dba07) |

spring-keycloak-example/compose.yaml

@@ -7,12 +7,21 @@ services:
       context: .
       dockerfile: Dockerfile
     environment:
-      SERVER_PORT: 80
-      SPRING_PROFILES_ACTIVE: "default"
+      SERVER_PORT: 8083
+      SPRING_PROFILES_ACTIVE: "OIDC"
+      AUTH_CLIENT_ID: oidc-client
+      AUTH_CLIENT_SECRET: pvRQkTKcE2zZw9vxT30oXC1Zynq2b3yw
+      AUTH_SCOPE: openid, profile, email
+      AUTH_GRANT_TYPE: authorization_code
+      AUTH_REDIRECT_URI: "{baseUrl}/login/oauth2/code/{registrationId}"
+      AUTH_ISSUER_URI: http://localhost:8080/realms/redirect-login-example
     ports:
-      - "80:80"
+      - "8083:8083"
     depends_on:
-      - keycloak
+      keycloak:
+        condition: service_healthy
+    networks:
+      - spring_keycloak
 
   keycloak:
     container_name: keycloak
@@ -22,7 +31,10 @@ services:
     ports:
       - "8080:8080"
     environment:
-      KC_DB: dev-file
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://keycloak-database:5432/oidc_auth_db
+      KC_DB_USERNAME: postgres
+      KC_DB_PASSWORD: password
       KC_HTTP_ENABLED: "true"
       KC_HTTP_PORT: "8080"
       KC_HOSTNAME: localhost
@@ -33,4 +45,29 @@ services:
       KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/certs/tls.crt
       KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/certs/tls.key
     volumes:
-      - ./docker/keycloak:/opt/keycloak/certs
+      - ./docker/keycloak/certs:/opt/keycloak/certs
+    depends_on:
+      - keycloak-database
+    healthcheck:
+      test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/9000;echo -e 'GET /health/ready HTTP/1.1\r\nhost: http://localhost\r\nConnection: close\r\n\r\n' >&3;if [ $? -eq 0 ]; then echo 'Healthcheck Successful';exit 0;else echo 'Healthcheck Failed';exit 1;fi;"]
+      interval: 5s
+      timeout: 10s
+      retries: 10
+    networks:
+      - spring_keycloak
+
+  keycloak-database:
+    image: postgres:14.18-alpine3.22
+    container_name: keycloak-database
+    environment:
+      POSTGRES_USER: postgres #⚠️ DO NOT USE IN PRODUCTION
+      POSTGRES_PASSWORD: password #⚠️ DO NOT USE IN PRODUCTION
+    ports:
+      - "5432:5432"
+    volumes:
+      - ./docker/keycloak/backups/oidc_auth_db_backup.sql:/docker-entrypoint-initdb.d/init.sql
+    networks:
+      - spring_keycloak
+
+networks:
+  spring_keycloak: