Securing Jakarta EE Applications with OIDC and Keycloak

Introduction

Security is a paramount concern for modern web applications. Protecting sensitive data and user access necessitates a standardized approach. The OpenID Connect (OIDC) protocol, in conjunction with Identity Providers (IdPs) like Keycloak, and the Jakarta Security API integrated into Jakarta EE, offer a reliable solution. Together, they help streamline authentication and authorization in your Jakarta EE applications.

Understanding OpenID Connect (OIDC)

• Origins: OIDC builds on the foundation of OAuth 2.0 (an authorization protocol) to provide a streamlined authentication layer. It simplifies login processes without you needing to reinvent the security wheel.
• Benefits:
  • Standardisation: Promotes interoperability and predictable integration among systems.
  • Security: Employs token-based authentication for enhanced protection.
  • SSO: Single Sign-On capabilities improve user experience.
  • Rich Identity Data: Simplifies retrieving details about the logged-in user.

Keycloak: An Open-Source Identity Provider

Keycloak is an open-source Identity and Access Management (IAM) solution. It allows you to easily secure any kind of applications by providing comprehensive authentication and authorization services.

Advantages

Keycloak streamlines security management with its intuitive admin console, simplifying tasks like user management, role definition, and protocol configuration. It supports a wide range of authentication options, including social logins (Google, Facebook, etc.) and multi-factor authentication (MFA), for enhanced security. Beyond that, Keycloak introduces Single Sign-On (SSO) capabilities, enabling users to access multiple applications seamlessly with a single set of credentials. As an open-source project, Keycloak benefits from an active community dedicated to improving and extending its capabilities.

Integrating Keycloak with Jakarta EE

The Jakarta Security 3.0 specification, introduced in Jakarta EE 10, makes working with OpenID Connect (OIDC) a natural fit within your Jakarta EE applications. The central piece here is the @OpenIdAuthenticationMechanismDefinition annotation, which allows you to declare and configure your OIDC settings. MicroProfile Config adds flexibility, enabling you to tailor your security setup based on the deployment environment.

Securing Resources

Keycloak integrates with Jakarta EE for fine-grained authorization. The @RolesAllowed annotation allows you to protect specific classes or methods based on user roles. For legacy applications or more general protection, you can use the traditional web.xml configuration mechanisms.

Example: Securing a REST Endpoint

@Path("/rating")

@RolesAllowed("CAN_VOTE") 
public class SessionVoteResource {

}

Accessing User Information

• Injected Beans:
  • OpenIdContext: Provides token details and user claims.
  • SecurityContext: Offers programmatic security checks (roles, etc.).

@RequestScoped

public class AuthController {

    @Inject 
    OpenIdContext openIdContext;

    public String getCurrentUserName() {
        return openIdContext.getClaims().getName().orElse(null); 

    }

}

Conclusions

OIDC, Keycloak and Jakarta Security form a great trio for application security in the Jakarta EE ecosystem. The streamlined integration and flexibility offered by this combination make it an excellent choice for protecting your applications. To dive deeper into these concepts and implement best practices, be sure to grab a copy of our free guide, "Securing Jakarta EE Applications with OIDC and Keycloak."

Also, download Payara Community, start exploring, and enhance the security of your applications today!