-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #41 from vzakharchenko/service-account-api
Service account api
- Loading branch information
Showing
24 changed files
with
3,136 additions
and
35 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
jest.mock('../../src/umaConfiguration'); | ||
jest.mock('../../src/clientAuthorization'); | ||
jest.mock('../../src/utils/optionsUtils'); | ||
|
||
const { clientAuthentication } = require('../../src/clientAuthorization'); | ||
|
||
const { serviceAccountJWT } = require('../../src/serviceAccount'); | ||
|
||
const keycloakJson = () => ({ | ||
realm: 'lambda-authorizer', | ||
'auth-server-url': 'http://localhost:8090/auth', | ||
'ssl-required': 'external', | ||
resource: 'lambda', | ||
'verify-token-audience': true, | ||
credentials: { | ||
secret: '772decbe-0151-4b08-8171-bec6d097293b', | ||
}, | ||
'confidential-port': 0, | ||
'policy-enforcer': {}, | ||
}); | ||
|
||
describe('testing umaConfiguration', () => { | ||
beforeEach(() => { | ||
clientAuthentication.mockImplementation(async () => ({ access_token: 'access_token' })); | ||
}); | ||
|
||
afterEach(() => { | ||
}); | ||
|
||
test('test serviceAccountJWT with keycloakJson', async () => { | ||
const token = await serviceAccountJWT(keycloakJson); | ||
expect(token).toEqual('access_token'); | ||
}); | ||
|
||
test('test serviceAccountJWT with options', async () => { | ||
const token = await serviceAccountJWT(null, { keycloakJson }); | ||
expect(token).toEqual('access_token'); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
# Example of Calling the Admin API Using User Permissions (Role or Resource) | ||
|
||
This example allow to get list of users and List of security clients (with secrets) using regular user permissions. | ||
|
||
## How it works | ||
User calls the service API using their own token, but the service API calls Keycloak using the service account token (service-to-service communication) | ||
- **user has no administrator roles!!!** | ||
- service Account has Admin Roles ![](../../docs/serviceAccountRoles.png) | ||
- FrontEnd does not have access to call Admin Api. | ||
![](../../docs/UserToAdminAPI.png) | ||
|
||
## 1. Start Keycloak | ||
|
||
### Docker | ||
Using the image from https://hub.docker.com/r/jboss/keycloak/ | ||
``` | ||
docker run -p 8090:8080 -e JAVA_OPTS="-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true" -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -v `pwd`/example/userToAdminAPI:/userToAdminAPI -e KEYCLOAK_IMPORT=/userToAdminAPI/example-realm-export.json jboss/keycloak | ||
``` | ||
### Standard | ||
``` | ||
sh bin/standalone.sh -c standalone.xml -b 0.0.0.0 -Djboss.bind.address.management=0.0.0.0 --debug 8190 -Djboss.http.port=8090 | ||
``` | ||
Open the Keycloak admin console, click on Add Realm, click on import 'Select file', select example-realm-export.json and click Create. | ||
|
||
## 2. Run Services Locally | ||
- Express Service | ||
```bash | ||
cd express-service | ||
npm i | ||
npm run start | ||
``` | ||
|
||
## 3. Run UI locally | ||
|
||
```bash | ||
cd frontend | ||
npm i | ||
npm run start | ||
``` | ||
|
||
## 4. Open UI | ||
[http://localhost:3001](http://localhost:3001) | ||
|
||
users: | ||
|
||
| User | Password | UserList Role | Client List Role | Client Secret Role | | ||
|:----------|:-----------|:-----------------|:-----------------|:-------------------| | ||
| user | user | X | X | X | | ||
| user1 | user1 | - | - | - | | ||
|
||
## 6. Results | ||
|
||
| User | Result | Description | | ||
|:----------|:-------------------------------------------------------------------------------------------------------|:------------------------------------------------------| | ||
| User | User List, Client List with secrets | All Access | | ||
| User1 | Client List with secrets | User has access to Client List and secrets | | ||
| User2 | Client List without secrets | User has access only to Client List | |
Oops, something went wrong.