Dumbonet: Add authentication to the application using Keycloak

After the introduction in the previous article and setting up the base, let’s do our first step. We decided to go from this point because this article also has value for those who build other applications, not only blockchain-based ones. So, our first step will be security on the frontend side of the application.

Authentication is a common way to handle security for all applications.

Authentication VS Authorization

Authentication is the process of verifying who you are, for example by checking your login username and password.

Authorization is the process of verifying that you are allowed to access something.

Token-based authentication is gaining popularity because of the rise of single-page applications (SPAs) and stateless RESTful APIs. This is also our choice, and we will use Keycloak for it.

Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services.

Why are we using Keycloak for our application?

  • Keycloak is a reliable solution, designed around standard security protocols to provide single sign-on. Red Hat SSO, which is built on Keycloak, handles Red Hat’s entire authentication and authorization system. Also, Keycloak is licensed under Apache License Version 2.0 and has a strong and active open source community.
  • Keycloak supports the following standard protocols: OAuth 2.0, OpenID Connect, SAML 2.0. This support means that any tool or application that supports integration with those protocols can be plugged into Keycloak.
  • Keycloak is already being used in production.

Firstly, if you want to download the Keycloak Server, check these requirements:

  • Can run on any operating system that runs Java
  • Java 8 JDK
  • zip or gzip and tar
  • At least 512M of RAM
  • At least 1G of disk space

The Keycloak Server has two downloadable distributions:

  • ‘Keycloak-9.0.2.[zip|tar.gz]’ — server only distribution
  • ‘Keycloak-overlay-9.0.2.[zip|tar.gz]’ — WildFly add-on that allows you to install Keycloak Server on top of an existing WildFly distribution.

Because we need only the scripts and binaries to run the Keycloak Server, download it from here.

We will use standalone mode for our purpose. This mode is really only useful for test-driving and playing with the features of Keycloak; it is not recommended for production because it gives you a single point of failure: if your standalone server goes down, users will not be able to log in.

So, to boot the Keycloak server, go to the root directory of the server distribution and run the standalone boot script from its bin directory:

On Linux run:

bin/standalone.sh

On Windows run:

bin/standalone.bat

After the server boots, open http://localhost:8080/auth in your web browser.

Can you see the welcome page? That’s great, the server is running. 😊

Now, enter a username and password to create the initial admin user. You can use your own credentials.

This account will be allowed to log in to the master realm’s administration console, from which you will create realms and users and register the applications to be secured by Keycloak.

What is actually a realm?

It is like a namespace that lets you manage all of your metadata and configuration. You can have multiple realms, depending on your requirements. Generally, it is recommended to avoid using the master realm for anything other than administration. So, we will make a new one for our application.

Hover over the dropdown menu in the upper left corner showing the text Master and click on the Add realm button.

For the name of the new realm, write whatever you want (ours is `dumbonet`) and click on the Create button.

Then, click on the Login tab, turn off Require SSL by choosing none from the dropdown menu next to Require SSL, and click the Save button. Turning Require SSL off is only acceptable for a server that is reachable solely from your own machine; for anything reachable over a network, leave it at external or all, otherwise credentials and tokens travel in plaintext.

Clients VS Users

Client — Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves.

Users — Users are entities that are able to log into your system.

Now, let’s add a client:

From the main menu on the left choose Clients and then click on the Create button in the upper right corner. ❗ Don’t forget to be inside your new realm, `dumbonet`.

For the Client ID write `dumbonet-gui` (or whatever you want to call it) and click on the Save button.

After the client has been created, you will be redirected to the Settings tab of `dumbonet-gui`.

Input `*` (an asterisk) as the value here (don’t know why, but it works! 😎). A wildcard accepts any value, which is fine for a local test drive, but before exposing the application restrict it to the exact URLs of your app, so that Keycloak only sends users and tokens to places you control.

Now, on the same page, next to the Settings tab there is the Roles tab.

By clicking on the Add Role button you can give the role a name and a description (optional) and then save it.

We will need four roles, as you can see in the picture below: Orderer, Supplier, org1 and org2.

You can name your roles however you want and we will need them later when we start blockchain network setup. For now, this is quite enough.

Two tabs to the right you will see the Mappers tab; click it!

Click on the Create button, set the following values in the input fields and finish with the Save button.

  • Name: User Client Role
  • Mapper Type: User Client Role
  • Token Claim Name: roles
  • Claim JSON Type: String

Finally, we can proceed to add users to our Keycloak server database. We will add two users:

  • Mirko — who is going to be Orderer and will belong to Organization 1 from our network
  • Slavko — who is going to be Supplier and will belong to Organization 2 from our network

From the main menu on the left choose Users and then click on the Add user button.

Of all the fields, only the username is needed: enter mirko and click Save.

When the user has been created, you will be redirected to the Details tab for the newly created user.

Click on the Credentials tab, input the following credentials and click on the Save button.

  • New password: mirkopass
  • Password Confirmation: mirkopass
  • Temporary: off

Now, click on the Reset password button and then confirm the changed password by clicking on the Change password button.

We should give the mirko user roles. Go to the Role Mappings tab, next to the Credentials tab.

From the Client Roles dropdown menu choose dumbonet-gui (or whatever you named your client). Pick the roles “Orderer” and “org1” from Available Roles and then click Add selected.

Do the same for the slavko user, but give him different roles: “Supplier” and “org2”.
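Before wiring up the Angular app, it is worth checking that Keycloak really issues the roles we just configured. The script below is an added example, not part of the original article: it logs in as mirko with the OAuth 2.0 password grant (Keycloak calls this Direct Access Grants; the assumption here is that it is enabled on the client, which the Keycloak 9 console does by default for new clients), decodes the access token payload and looks for the `roles` claim written by the User Client Role mapper, as well as Keycloak’s built-in `resource_access` claim. All URLs, names and passwords are the ones used above; the sample token embedded in the script is constructed so the claim-checking part runs without a server.

```python
"""Check which client roles end up in mirko's access token.

Added example (not from the article). Assumes Keycloak at
http://localhost:8080, realm `dumbonet`, client `dumbonet-gui` with
Direct Access Grants enabled, user `mirko` / `mirkopass`, and the
"User Client Role" mapper writing the claim `roles`.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(base_url: str, realm: str) -> str:
    # Standard OpenID Connect token endpoint of a Keycloak realm.
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def request_token(base_url, realm, client_id, username, password, timeout=10):
    """Exchange username/password for tokens (password grant). Live call."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        token_endpoint(base_url, realm), data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWS for inspection only.

    No signature check happens here: that is the job of the application
    that accepts the token, using the realm's public keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str) -> set:
    """Collect the client roles visible in the token.

    Two sources: the custom `roles` claim from the mapper above (a string
    when Multivalued is off, a list when it is on) and Keycloak's built-in
    `resource_access.<client>.roles` claim."""
    found = set()
    custom = claims.get("roles")
    if isinstance(custom, str):
        found.add(custom)
    elif isinstance(custom, list):
        found.update(custom)
    builtin = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    found.update(builtin)
    return found


def user_has_roles(claims: dict, client_id: str, expected) -> bool:
    return set(expected) <= client_roles(claims, client_id)


def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample of the payload mirko's token carries after the steps
# above. Header and signature are dummies: this is a parsing fixture, not
# a real token, and nothing here trusts it.
SAMPLE_CLAIMS = {
    "preferred_username": "mirko",
    "azp": "dumbonet-gui",
    "roles": ["Orderer", "org1"],
    "resource_access": {"dumbonet-gui": {"roles": ["Orderer", "org1"]}},
}
SAMPLE_TOKEN = ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                         _b64url_encode(SAMPLE_CLAIMS), "dummy-signature"])


if __name__ == "__main__":
    try:
        tokens = request_token("http://localhost:8080", "dumbonet",
                               "dumbonet-gui", "mirko", "mirkopass")
        claims = decode_jwt_claims(tokens["access_token"])
        print("roles in token:", sorted(client_roles(claims, "dumbonet-gui")))
        print("mirko is Orderer in org1:",
              user_has_roles(claims, "dumbonet-gui", ["Orderer", "org1"]))
    except urllib.error.URLError as exc:
        print("Keycloak not reachable or login rejected:", exc)
```

Run it with the server from the previous steps booted; a 401 from the token endpoint means the password or the client settings differ from what was configured above, while a token without the `roles` claim means the mapper was not saved on this client. Repeating the call as slavko should show “Supplier” and “org2” instead.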

Great! Now that we have finished setting up the Keycloak Server, the next step is connecting it with our Angular app. If you still want to learn how to do that, keep up with us.
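Clicking through the console is fine once, but the same realm will have to be recreated on every developer machine and test environment. As an added example (not from the article), the script below produces the whole configuration above as a single Keycloak realm representation: realm `dumbonet`, the public client `dumbonet-gui`, the four client roles, the User Client Role mapper with claim name `roles`, and the two users with their role mappings. The article gives no password for slavko, so a clearly marked placeholder is used; the defaults reproduce the article’s Require SSL none and `*` redirect URI, and the function takes stricter values for anything that leaves your machine.

```python
"""The click-through realm setup as one importable Keycloak realm file.

Added example (not from the article). Values are the ones used above;
slavko's password is a placeholder because the article does not give one.
"""
import json

CLIENT_ID = "dumbonet-gui"
ROLES = ["Orderer", "Supplier", "org1", "org2"]


def user(username: str, password: str, roles: list) -> dict:
    # A user with a non-temporary password and client roles, as set in the console.
    return {
        "username": username,
        "enabled": True,
        "credentials": [{"type": "password", "value": password, "temporary": False}],
        "clientRoles": {CLIENT_ID: list(roles)},
    }


def role_mapper() -> dict:
    # The "User Client Role" mapper: Token Claim Name `roles`, Claim JSON Type String.
    return {
        "name": "User Client Role",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-client-role-mapper",
        "config": {
            "usermodel.clientRoleMapping.clientId": CLIENT_ID,
            "claim.name": "roles",
            "jsonType.label": "String",
            "multivalued": "true",      # emit a JSON array: a user has several roles
            "id.token.claim": "true",
            "access.token.claim": "true",
        },
    }


def build_realm(redirect_uris=("*",), ssl_required="none") -> dict:
    """Realm representation. Defaults reproduce the article's settings
    (Require SSL none, redirect URI *); pass e.g. ssl_required="external"
    and your app's exact URLs for anything reachable over a network."""
    return {
        "realm": "dumbonet",
        "enabled": True,
        "sslRequired": ssl_required,
        "clients": [{
            "clientId": CLIENT_ID,
            "enabled": True,
            "publicClient": True,                # browser app: it cannot keep a secret
            "standardFlowEnabled": True,         # authorization code flow for the GUI
            "directAccessGrantsEnabled": True,   # allows password-grant logins for testing
            "redirectUris": list(redirect_uris),
            "protocolMappers": [role_mapper()],
        }],
        "roles": {"client": {CLIENT_ID: [{"name": r} for r in ROLES]}},
        "users": [
            user("mirko", "mirkopass", ["Orderer", "org1"]),
            user("slavko", "CHANGE-ME-slavko-password", ["Supplier", "org2"]),  # placeholder
        ],
    }


def write_realm_file(path: str, **kwargs) -> None:
    with open(path, "w") as fh:
        json.dump(build_realm(**kwargs), fh, indent=2)


if __name__ == "__main__":
    write_realm_file("dumbonet-realm.json")
    print("wrote dumbonet-realm.json")
```

The resulting `dumbonet-realm.json` can be loaded either through the Add realm dialog (its Import file chooser accepts a realm JSON) or at boot time with Keycloak’s file import, for example `bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=dumbonet-realm.json`. Keep the file out of version control while it carries real passwords, or strip the `credentials` entries and set passwords in the console afterwards.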
