Single Sign On using Keycloak

Keycloak is an authentication and authorization server created by JBoss. It runs separate from any particular application. It acts as the primary authentication/authorization database of record and can also provide social-login capabilities.

WildFly Swarm provides easy integration with Keycloak.

Currently, WildFly Swarm supports version 2.5.5.Final.

Adding Keycloak support

To bring Keycloak integration to your application, you need the following dependency:

<dependency>
  <groupId>org.wildfly.swarm</groupId>
  <artifactId>keycloak</artifactId>
</dependency>

Once this is added, you can use the Secured archive type to secure your application. The easiest way to integrate is by providing a keycloak.json file in your application classpath and use .as(Secured.class).

JAXRSArchive deployment = ShrinkWrap.create(JAXRSArchive.class);
deployment.as(Secured.class);

By default, this only adds support, but not a requirement, on Keycloak. Anonymous users can still access the entire application. If they are authenticated, the SecurityContext will be populated with the user’s information.

Protecting your application

You can also protect various aspects of your application after using .as(Secured.class) by chaining calls to .protect(path)

deployment.as(Secured.class)
  .protect( "/some-resource" )
    .withMethod( "GET" )
    .withRoles( "admin" );

If your appliction doesn’t have main(), you can do it with project-defaults.yml.

swarm:
  keycloak:
    security:
      constraints:
        - url-pattern: /some-resource
          methods: [GET]
          roles: [admin]

Configuration

Property Description

swarm.keycloak.json.path

External keycloak.json path. If this property specified, keycloak.json on classpath will be ignored.