How to secure a Ratpack REST API via OpenID Connect with Keycloak and Pac4j


tpea...@bkool.com

Jul 6, 2016, 8:28:52 AM7/6/16
to pac4j-users
Hi,

I'm currently developing a REST API with Ratpack. I have to secure it by integrating with a separate Keycloak server (http://www.keycloak.org/) via OpenID Connect.

The model I'd like to implement is as follows:

    An API client asks Keycloak for an access token it can use to invoke the API on behalf of the user. Keycloak authenticates the user and then asks the user for consent to grant access to the client requesting it. The client receives the access token. This access token is digitally signed by the realm. The client can then make calls to the API with the token. The API extracts the token, verifies its signature with Keycloak and decides whether or not to allow the request.

Keycloak has many adapter libraries but unfortunately Ratpack is not among them. As such I'm investigating Pac4j and the part highlighted in bold above is what I need to implement. I understand that I require a direct client but am unsure how exactly to go about it for OpenID Connect.

The relevant handler section of the Ratpack app that I'd like to secure is as follows:

prefix('api') {
    // Add CORS headers to all api responses
    all new CORSHandler()
    // Index: list all endpoints
    all chain(registry.get(IndexEndpoint))
    // Specific endpoints
    prefix('users') {
        all chain(registry.get(UsersRestEndpoint))
    }
    ...
}

Any pointers/help on how best to do this with Pac4j would be very much appreciated!

Kind regards,
Tom

Jérôme LELEU

Jul 6, 2016, 8:39:41 AM7/6/16
to tpea...@bkool.com, pac4j-users
Hi,

The OpenID Connect client in pac4j (OidcClient) supports the authorization code flow and is an indirect client.

In your case, you have a token (generated by an OpenID Connect server) and need to verify it. You will pass the token every time you access your REST url. This is the definition of a direct client.

The kind of direct client depends on the way the token is passed; assuming it's a header, you can use the HeaderClient (pac4j-http module), properly configured to extract the token from the request and then, to validate it, you need an appropriate Authenticator. For a JWT token, you need to use the JwtAuthenticator (pac4j-jwt module).


Thanks.
Best regards,
Jérôme
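To make the suggestion above concrete, here is an added example of the Ratpack Groovy wiring (not code from the thread, from pac4j or from Ratpack): a HeaderClient that reads the bearer token from the Authorization header on every request and hands it to a JwtAuthenticator configured with the realm's RSA public key, so the signature is checked locally without a round trip to Keycloak. It assumes ratpack-pac4j, pac4j-http and pac4j-jwt are on the classpath, that REALM_PUBLIC_KEY_BASE64 is replaced with the base64 body of the realm's public key taken from the Keycloak admin console, and it reuses CORSHandler, IndexEndpoint and UsersRestEndpoint from the original post.

```groovy
// Added example, not from the thread: protect /api/** with pac4j's HeaderClient
// + JwtAuthenticator. Assumes ratpack-pac4j, pac4j-http and pac4j-jwt on the
// classpath; CORSHandler, IndexEndpoint and UsersRestEndpoint are the poster's classes.
import static ratpack.groovy.Groovy.ratpack

import org.pac4j.http.client.direct.HeaderClient
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator
import org.pac4j.jwt.config.signature.RSASignatureConfiguration
import ratpack.pac4j.RatpackPac4j

import java.security.KeyFactory
import java.security.KeyPair
import java.security.spec.X509EncodedKeySpec

// Placeholder: paste the base64 body of the realm's RSA public key here.
// The realm's signing key is what verifies the access tokens Keycloak issues.
final String REALM_PUBLIC_KEY_BASE64 = 'REPLACE_WITH_REALM_PUBLIC_KEY'

def realmPublicKey = KeyFactory.getInstance('RSA')
    .generatePublic(new X509EncodedKeySpec(Base64.decoder.decode(REALM_PUBLIC_KEY_BASE64)))

// Verification only: no private key is needed, so the KeyPair carries just the public half.
def jwtAuthenticator = new JwtAuthenticator(
    new RSASignatureConfiguration(new KeyPair(realmPublicKey, null)))

// Direct client: reads "Authorization: Bearer <jwt>" on each request; no redirect, no session.
def bearerClient = new HeaderClient('Authorization', 'Bearer ', jwtAuthenticator)

ratpack {
  handlers {
    prefix('api') {
      // Add CORS headers to all api responses (poster's own handler)
      all new CORSHandler()
      // Register the pac4j client(s) for this chain
      all RatpackPac4j.authenticator(bearerClient)
      // Reject any request whose token is missing or whose signature does not verify
      all RatpackPac4j.requireAuth(HeaderClient)
      // Everything below only runs for requests carrying a valid realm-signed token
      all chain(registry.get(IndexEndpoint))
      prefix('users') {
        all chain(registry.get(UsersRestEndpoint))
      }
    }
  }
}
```

Because the realm key is pinned in the API, rotating the key in Keycloak means updating this configuration as well. Signature verification also only proves the token came from the realm; checking that the issuer and audience claims match your API is a separate step that belongs in a pac4j Authorizer passed to requireAuth, which this example leaves out.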


tpea...@bkool.com

Jul 6, 2016, 9:23:24 AM7/6/16
to pac4j-users, tpea...@bkool.com
Hi Jérôme,

Thanks for replying so quickly.

Yes, it will be passed over in the header and as a JWT token.

I'll give what you've suggested a go!

Cheers,