This example demonstrates how to configure an Apache Camel application that uses camel-spring-security for route authorization and integrates with OpenID Connect (OIDC) for authentication using JWT tokens.
- Authentication: OpenID Connect (OIDC) with Keycloak identity provider.
- Authorization: Spring Security with role-based access control for Camel routes.
- JWT Support: Decode and validate JWT tokens in the application.
- Route Protection: Restrict access to specific Camel routes based on user roles.

- Java 17+
- Keycloak OIDC Identity Provider (but, with some modifications, you can use another OIDC Identity Provider, e.g. Okta, Auth0, etc.)
- Maven for building the project

- Set up a client in your OIDC provider (e.g., Keycloak, Okta).
- Configure the following settings:
  - Client ID: expenses-api
  - Client Secret: <your-client-secret>
  - Allowed Scopes: openid, profile, roles
- Enable JWT token generation and ensure roles are included in the token.
- Alternatively you can import the realm configuration file expense-realm.json. The resulting realm after importing the configuration contains the following users:
Name | Username | Password | Realm Role | Client Role |
---|---|---|---|---|
Alejandro Garnacho Ferreyra | agarnacho | ManchesterUnited | manager | supervisor |
James Burns Wesley | wjburns | Ipswich | employee | consultant |
Richard Rios Montoya | rrios | Palmeiras | manager | supervisor |
Ronald Federico Araújo da Silva | rfaraujo | Barcelona | employee | consultant |
and the following client:
Client id | Client secret |
---|---|
expenses-api | YIQvHh3ny8T7thPu3HKgJXX3VvEhlxY6 |
It is possible to run the entire project with Keycloak pre-configured using the Docker Maven plugin. To do so, you need a running Docker daemon on your machine; then, in a shell, you can run:
mvn clean package docker:build docker:start docker:watch -Ddocker.watchMode=run docker:stop -P docker
Get the access token (change the username and password if needed):
TOKEN=$(curl -d 'client_id=expenses-api' -d 'client_secret=YIQvHh3ny8T7thPu3HKgJXX3VvEhlxY6' -d 'username=agarnacho' -d 'password=ManchesterUnited' -d 'grant_type=password' 'http://localhost:8080/realms/expenses/protocol/openid-connect/token' | jq -r '.access_token')
and use it in the requests:
curl -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" http://localhost:8081/api/v1/expense
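To confirm that the roles are actually included in the token before calling the API, the following added example (not part of the original project) decodes the access token payload and checks for a role. It assumes Keycloak's default claim layout (`realm_access.roles` and `resource_access.<client>.roles`); the function names and the sample token are constructed for illustration, and `jq` is required as in the command above.

```shell
# Added example (not from the Camel project): inspect a Keycloak access token.
# It only decodes the payload and does NOT verify the signature; validation
# stays with the application. Claim names are Keycloak's default layout.

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  _seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  # base64url drops the '=' padding; restore it before decoding.
  case $(( ${#_seg} % 4 )) in
    2) _seg="${_seg}==" ;;
    3) _seg="${_seg}=" ;;
    1) return 1 ;;  # not a valid base64 length
  esac
  printf '%s' "$_seg" | base64 -d
}

# Realm roles, one per line (claim: realm_access.roles).
jwt_realm_roles() {
  jwt_payload "$1" | jq -r '.realm_access.roles[]?'
}

# Client roles for client $2, one per line (claim: resource_access.<client>.roles).
jwt_client_roles() {
  jwt_payload "$1" | jq -r --arg c "$2" '.resource_access[$c].roles[]?'
}

# Usage: jwt_has_role TOKEN CLIENT ROLE; succeeds if ROLE is a realm or client role.
jwt_has_role() {
  { jwt_realm_roles "$1"; jwt_client_roles "$1" "$2"; } | grep -qxF -- "$3"
}

# Constructed sample token (unsigned, fake signature) for offline testing.
make_sample_token() {
  _p='{"preferred_username":"agarnacho","realm_access":{"roles":["manager"]},"resource_access":{"expenses-api":{"roles":["supervisor"]}}}'
  printf 'e30.%s.sig' "$(printf '%s' "$_p" | base64 | tr -d '=\n' | tr '/+' '_-')"
}

# With the TOKEN obtained above:
#   jwt_has_role "$TOKEN" expenses-api supervisor && echo "role present"
```

If a role is missing here, check the client's scope and role mapper settings in the identity provider before debugging the route policy.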
There is an embedded Swagger UI provided by springdoc available at http://localhost:8081/openapi/swagger-ui/index.html
For the protected methods, you have to get the JWT token, click on the Authorize button, and paste the token into the input text box of the dialog.
If you hit any problem using Camel or have some feedback, then please let us know.
We also love contributors, so get involved :-)
The Camel riders!