Skip to content

wfnuser/gcloak

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

example

example

 
 

gcloak

gcloak

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

Gcloak

The gin middleware implementation for Keycloak.

Prerequisite

  • keycloak should provide service

How to use?

Token Exchange

In gcloak/service, we provide a gin token handler. You can get token by send GET request with parameter code in URL. If the code you send is valid, IDToken and AccessToken will be set in cookies with key ${IDTokenCookieName} and ${AccessTokenCookieName} which are two parameters you should send to the token handler function.

Auth Middleware

In gcloak/gcloak, we provide an auth middleware. You can easily integrate it with your gin application by adding the following code.

a := v1.Group("")
a.Use(gcloak.KeyCloakAuth(conf, accessMap))

You should provide following fields in gcloak configuration. RedirectURL is the redirect url you allowed to jumpback. Endpoint is the keycloak service endpoint. ClientID is the client id you config in Keycloak. ClientSecret is the client secret key you config in Keycloak. TTL is the token's time to live. IDTokenCookieName and AccessTokenCookieName are the keys of cookies you set idtoken and accesstoken.

You should also provide a mapping from url to roles. Following is a sample:

    var accessMap map[string][]string = map[string][]string{
		"/v1/ping": {"dev"},
	}

If gin request's cookies don't contain a valid idtoken and accesstoken, the middleware will return 401 or 403.

Sample code

you should create realm with name cloud

func setupRouter() *gin.Engine {
	// Initialize the gin entity
	r := gin.Default()

	configURL := "http://localhost:8080/auth/realms/cloud"
	ctx := context.Background()
	provider, err := oidc.NewProvider(ctx, configURL)
	if err != nil {
		panic(err)
	}
	clientID := "myclient"
	clientSecret := "FZu9jL7sG7A1lYvjTO9D7RzXkbNBAGa4"
	redirectURL := "http://localhost:8181/v1/token"
	// Configure an OpenID Connect aware OAuth2 client.
	oauth2Config := oauth2.Config{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		RedirectURL:  redirectURL,
		Endpoint:     provider.Endpoint(),
		Scopes:       []string{oidc.ScopeOpenID, "profile", "email", "roles"},
	}

	conf := gcloak.GCloakConf{
		Endpoint:              "http://localhost:8080/auth/realms/cloud",
		RedirectURL:           "http://localhost:8181/v1/token",
		IDTokenCookieName:     "KeyCloakCloudID",
		AccessTokenCookieName: "KeyCloakCloudAccess",
		ClientID:              "myclient",
		ClientSecret:          "FZu9jL7sG7A1lYvjTO9D7RzXkbNBAGa4",
		TTL:                   120,
	}

	var accessMap map[string][]string = map[string][]string{
		"/v1/ping": {"dev"},
	}

	v1 := r.Group("v1")
	{
		// routes with authorization
		a := v1.Group("")
		a.Use(gcloak.KeyCloakAuth(conf, accessMap))
		// ping for testing
		a.GET("/ping", func(c *gin.Context) {
			c.String(http.StatusOK, "pong")
		})
	}

	v1.GET("/token", gcloak.TokenHandler(conf))
	v1.GET("/login", func(c *gin.Context) {
		c.Redirect(http.StatusFound, oauth2Config.AuthCodeURL("state"))
	})
	return r
}

func main() {
	r := setupRouter()
	r.Run(":8181")
}

About

The gin middleware implementation for Keycloak.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages