Securing a Data Service API with Keycloak — Identity and Access Management (Part 2)

Summary of Part 1

In the previous article, we explored Keycloak’s identity and access management capabilities, focusing on generating JWT tokens for third-party application authentication.

In this article we integrate the JWT token generated in Part 1 with PostgREST, so that the role carried in the token decides which PostgreSQL role the API runs under.

Here is our setup in docker-compose:

# docker-compose.yaml
networks:
  default:
    # Pre-existing network shared with the Part 1 setup; create it first with
    # `docker network create medium_demo` or Compose will refuse to start.
    name: medium_demo
    external: true

services:
  server:
    image: postgrest/postgrest
    env_file:
      - .env
    ports:
      - "3000:3000"
    environment:
      # The standard connection URI format, documented at
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      PGRST_DB_URI: postgres://postgres:${KC_DB_PASSWORD}@postgres:5432/InventoryDB
      # Overrides the base URL used within the OpenAPI self-documentation hosted at the API root path.
      # PostgREST itself serves plain HTTP; use an https URL here only when a TLS-terminating
      # proxy sits in front of port 3000.
      PGRST_OPENAPI_SERVER_PROXY_URI: http://127.0.0.1:3000
      # The name of which database schema to expose to REST clients
      PGRST_DB_SCHEMA: public
      # The database role to use when no client authentication is provided
      PGRST_DB_ANON_ROLE: web_anon
      # Either the HS256 shared secret (at least 32 characters) that Keycloak signs the
      # client's tokens with, or a JWK / JWK-set JSON holding the realm's public key.
      PGRST_JWT_SECRET: ${ENV_PGRST_JWT_SECRET}
      # JSPath to the claim that names the database role: the first entry of the
      # Keycloak client roles granted for the `postgrest_api` client.
      PGRST_JWT_ROLE_CLAIM_KEY: ".resource_access.postgrest_api.roles[0]"
    depends_on:
      - postgres

  swagger:
    image: swaggerapi/swagger-ui
    ports:
      - "8080:8080"
    expose:
      - "8080"
    environment:
      # Must match the scheme PostgREST actually answers on (plain HTTP here).
      API_URL: http://127.0.0.1:3000/

  postgres:
    image: postgres:17.0
    env_file:
      - .env
    restart: always
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
    ports:
      # Published to the host for pgAdmin/psql access during development only;
      # drop this mapping where the database should be reachable only from the network.
      - "5432:5432"
    environment:
      POSTGRES_PASSWORD: ${KC_DB_PASSWORD}
    command:
      - "postgres"
      - "-c"
      - "wal_level=logical"

  keycloak:
    image: quay.io/keycloak/keycloak:26.0.5
    env_file:
      - .env
    command: start
    environment:
      KC_HOSTNAME: localhost
      KC_HOSTNAME_PORT: 8080
      KC_HOSTNAME_STRICT_BACKCHANNEL: false
      KC_HTTP_ENABLED: true
      KC_HOSTNAME_STRICT_HTTPS: false
      KC_HEALTH_ENABLED: true
      # Bootstrap admin credentials (demo values); Keycloak 26 prefers
      # KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD, the older names still work.
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      # KC_DB is the database vendor, not the login user
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/${POSTGRES_DB}
      KC_DB_USERNAME: ${KC_DB_USERNAME}
      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
    ports:
      - 8888:8080
    restart: always

  pgadmin:
    image: dpage/pgadmin4
    container_name: pgadmin4_oentity
    env_file:
      - .env
    restart: always
    ports:
      - "5555:80"
    environment:
      PGADMIN_DEFAULT_EMAIL: [email protected]
      PGADMIN_DEFAULT_PASSWORD: sejuba
    volumes:
      - pgadmin-data:/var/lib/pgadmin

volumes:
  pgadmin-data:
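To see what the two PostgREST settings PGRST_JWT_SECRET and PGRST_JWT_ROLE_CLAIM_KEY actually do with a Keycloak token, here is an added Python example (my own code, not from the article and not PostgREST's implementation) that verifies an HS256 token with the standard library, walks the configured claim path the way PostgREST does, and picks the database role, including the two failure modes a practitioner cares about: a valid token without the client-role claim falls back to the anonymous role, and a token naming a role that does not exist in PostgreSQL is rejected. The secret, the `api_user` role name and the token payloads are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values (not from the article): the shared HS256 secret that
# ENV_PGRST_JWT_SECRET would carry, and the roles the example API knows about.
JWT_SECRET = b"change-me-this-demo-secret-is-at-least-32-bytes"
ANON_ROLE = "web_anon"                                       # PGRST_DB_ANON_ROLE
ROLE_CLAIM_KEY = ".resource_access.postgrest_api.roles[0]"   # PGRST_JWT_ROLE_CLAIM_KEY
DB_ROLES = {"web_anon", "api_user"}                          # api_user is an assumed role


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Constructed HS256 token shaped like a Keycloak access token (test helper only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = JWT_SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when the signature and `exp` check out, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":           # refuse "none" and any other algorithm
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def lookup_claim(claims: dict, key: str):
    """Walk a PostgREST-style claim path such as '.a.b[0]'; None when any step is missing."""
    node = claims
    for part in key.lstrip(".").split("."):
        name, _, idx = part.partition("[")
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
        if idx:
            i = int(idx.rstrip("]"))
            if not isinstance(node, list) or i >= len(node):
                return None
            node = node[i]
    return node


def resolve_role(authorization: Optional[str], now: Optional[float] = None) -> Tuple[int, str]:
    """Mimic PostgREST's role selection: (HTTP status, role to SET ROLE to)."""
    if not authorization:
        return 200, ANON_ROLE                  # no token: anonymous role
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, ""
    claims = verify_token(token, now=now)
    if claims is None:
        return 401, ""                         # bad signature, wrong alg or expired
    role = lookup_claim(claims, ROLE_CLAIM_KEY)
    if role is None:
        return 200, ANON_ROLE                  # valid token, no role claim: anonymous
    if role not in DB_ROLES:
        return 401, ""                         # SET ROLE would fail: request refused
    return 200, role


if __name__ == "__main__":
    tok = mint_token({"exp": 4102444800,
                      "resource_access": {"postgrest_api": {"roles": ["api_user"]}}})
    print(resolve_role(None))                  # (200, 'web_anon')
    print(resolve_role("Bearer " + tok))       # (200, 'api_user')
```

The role path is relative to the token payload, so a Keycloak user who has not been assigned a client role for `postgrest_api` is served as `web_anon` even with a perfectly valid token; that is the intended read-only fallback for the example API, not an error.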

Example Application

We’ll build an API allowing users with two roles to perform specific operations:

  • Anonymous users can retrieve product lists.
  • Authenticated users can perform CRUD operations on products.

What is PostgREST?

PostgREST is a standalone web server that turns a PostgreSQL database into a RESTful API, relying on the database's own constraints, roles and permissions for authorization rather than re-implementing them in application code.


More articles by Michael Olayemi Olawepo
