This is an example CRUD application written in Rust that showcases how to use OpenID Connect authentication with Keycloak as identity provider.
Used technologies:
- Actix-Web as web framework
- Diesel crate for Postgres operations
- openidconnect-rs for OpenID Connect protocol implementation
- Keycloak as identity provider
On Ubuntu, install the native dependencies (OpenSSL and libpq headers) first:
```bash
sudo apt install libssl-dev libpq-dev
```
Run the Tresor Backend application locally (see the local test setup first):
```bash
cargo run --release
```
Note: Authentication via Keycloak is activated by default. For testing purposes it might make sense to disable the authentication. This can be achieved by running the Tresor Backend with the following ENV variable set:
```bash
TRESOR_BACKEND_RUNMODE=debug
```
This enables the `/testlogin` endpoint for an easy authentication. Technically it does not disable the authentication, but makes it very easy to just # as a test user.
Note: the application is reachable on port 8084 by default.
All routes except `/#` and `/testlogin` return HTTP status 401 Unauthorized by default without a valid user login.
- `GET /#` performs an OpenID Connect authentication (Authentication Flow) via Keycloak
- `GET /testlogin` performs an automatic test-user login without credentials. Note: this endpoint is only available when the Tresor Backend is started in `debug` run mode.
- `GET /logout` performs the logout operation (Keycloak and cookie-session state)
- `GET /whoami` fetches the user's identity attributes as stored in Keycloak
- `GET /secrets` fetches all the secrets
- `GET /secret/{id}` fetches the secret with the given `id`
- `PUT /secret/` stores the secret with the given `id`
  - on success, returns the secret together with the `id`
- `DELETE /secret/{id}` deletes the secret with the given `id`
Note: the directory `/postman` contains a collection of Postman requests for easy testing.
Inside the directory `local-testing` you will find a preconfigured test setup that includes all three applications:
- Tresor backend
- Postgres
- Keycloak
The only thing you have to do for setup is to run
```bash
./init.sh
```
This will start all three applications in a Docker environment. Available endpoints after startup are:
- Tresor backend: `127.0.0.1:8084`
- Postgres: `127.0.0.1:5432`
- Keycloak: `127.0.0.1:8080`
The admin console login for Keycloak is:
- user: `admin`
- password: `aintsecure`
There is a user preconfigured for the realm `tresor`, which you can use for the Tresor login via `127.0.0.1:8084/#`:
- user: `holger@tresor.de`
- password: `aintsecure`
Note: The `/testlogin` route is also available in the docker-compose setup, so you can also use Postman (see the `postman` directory for a configuration file) to test the routes. When using `/testlogin` you are logged in as a different test user. This works completely without Keycloak.
Note: State changes of Postgres and Keycloak are currently NOT persisted. Every time you run `./init.sh` you will end up with the same, fresh test setup.
The tresor-backend application relies on two other services:
- Postgres instance for secrets storage
- Keycloak for authentication via OpenID Connect
The following manual explains how to set up a local testing environment containing the two applications.
Spin up a local Postgres instance by running
```bash
docker run --name tresor-postgres -p 5432:5432 -e POSTGRES_PASSWORD=aintsecure -d postgres
```
Note: the default user is `postgres`.
Set up the tresor database:
This project uses the Diesel crate for all Postgres interactions. The database setup for the tresor-backend application can be done via the Diesel CLI (see http://diesel.rs/guides/getting-started/ for details). The directory `/migrations` contains all SQL migration scripts necessary for the setup.
Install the Diesel CLI first:
```bash
cargo install diesel_cli
```
Run the migrations:
```bash
diesel migration run --database-url postgres://postgres:aintsecure@localhost/tresor
```
Spin up a local Keycloak instance by running
```bash
docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=password --name tresor-keycloak -p 8080:8080 jboss/keycloak
```
Manual steps used for the local-tests setup:
1) create a new client "tresor-backend"
   1.1) set the valid redirect URL `http://127.0.0.1:8084/*`
2) add client scope "tresor"
3) for each custom user field add a new mapper to the client scope
   * mapper type == user attribute (NOT property!)
   * claim JSON type == String
4) add a user
5) set a non-temporary password for the user
6) add attributes to the user, e.g. `tresor_id`, `tresor_role`
7) add client scope "tresor" to the client (to "Assigned Default Client Scopes")
The Keycloak realm export is only necessary for the docker-compose environment configuration. The whole realm `tresor` is exported as JSON and can then be injected during docker-compose init.
- Start a Keycloak docker instance that has the `/tmp` directory mounted to the host machine; this will be used for the JSON export:
```bash
# The docker container must have a volume mapping to access the exports in the end
docker run -d -p 8080:8080 -e KEYCLOAK_USER=admin -e \
  KEYCLOAK_PASSWORD=admin -v $(pwd):/tmp --name kc \
  jboss/keycloak
```
- Configure the Keycloak instance manually the way you want it.
- Run the following command so the whole realm is exported as a JSON file:
```bash
# Execute this command to create a new JSON file containing the complete realm export in the mounted directory
docker exec -it kc /opt/jboss/keycloak/bin/standalone.sh \
  -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export \
  -Dkeycloak.migration.provider=singleFile \
  -Dkeycloak.migration.realmName=tresor \
  -Dkeycloak.migration.usersExportStrategy=REALM_FILE \
  -Dkeycloak.migration.file=/tmp/tresor.json
```
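As an added check (not part of the project's code) for the manual steps 1 to 7 above and the realm export they produce, the script below reads a Keycloak realm export JSON and reports where the tresor-backend client, the tresor client scope and its mappers deviate from those steps. It assumes the standard realm-export field names (`clients`, `clientScopes`, `protocolMappers`, `defaultClientScopes`) and Keycloak's mapper type id `oidc-usermodel-attribute-mapper` for a User Attribute mapper; the embedded export is a constructed minimal sample, not the project's `tresor.json`.

```python
import json

# Constructed minimal realm export for the checks below; not the project's
# own tresor.json. Only the fields that are inspected are included.
REALM_EXPORT = json.dumps({
    "clients": [{
        "clientId": "tresor-backend",
        "redirectUris": ["http://127.0.0.1:8084/*"],
        "defaultClientScopes": ["tresor", "profile", "email"],
    }],
    "clientScopes": [{
        "name": "tresor",
        "protocolMappers": [
            {"name": "tresor_id", "protocolMapper": "oidc-usermodel-attribute-mapper",
             "config": {"user.attribute": "tresor_id", "claim.name": "tresor_id",
                        "jsonType.label": "String"}},
            # Deliberately wrong: a User Property mapper instead of User Attribute (step 3)
            {"name": "tresor_role", "protocolMapper": "oidc-usermodel-property-mapper",
             "config": {"user.attribute": "tresor_role", "claim.name": "tresor_role",
                        "jsonType.label": "String"}},
        ],
    }],
})

def check_realm(export_json, client_id="tresor-backend", scope="tresor",
                redirect="http://127.0.0.1:8084/*", attrs=("tresor_id", "tresor_role")):
    """Compare a realm export with steps 1-7; returns a list of findings (empty = OK)."""
    realm = json.loads(export_json)
    findings = []
    client = next((c for c in realm.get("clients", []) if c.get("clientId") == client_id), None)
    if client is None:                                          # step 1
        return [f"client {client_id} missing"]
    if redirect not in client.get("redirectUris", []):          # step 1.1
        findings.append(f"client {client_id}: redirect URI {redirect} not configured")
    if scope not in client.get("defaultClientScopes", []):      # step 7
        findings.append(f"client {client_id}: scope {scope} not a default client scope")
    cs = next((s for s in realm.get("clientScopes", []) if s.get("name") == scope), None)
    if cs is None:                                              # step 2
        return findings + [f"client scope {scope} missing"]
    mappers = {m.get("config", {}).get("user.attribute"): m for m in cs.get("protocolMappers", [])}
    for attr in attrs:                                          # step 3
        m = mappers.get(attr)
        if m is None:
            findings.append(f"scope {scope}: no mapper for attribute {attr}")
        elif m.get("protocolMapper") != "oidc-usermodel-attribute-mapper":
            findings.append(f"mapper {attr}: {m['protocolMapper']} is not a user attribute mapper")
        elif m.get("config", {}).get("jsonType.label") != "String":
            findings.append(f"mapper {attr}: claim JSON type is not String")
    return findings
```

Run it against the exported `/tmp/tresor.json` with `check_realm(open("tresor.json").read())`; an empty list means the export matches the manual steps.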