clevermicro/user-management
clevermicro/user-management
14
0
Fork 0
Code Issues 9 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Create Auth Microservice for Keycloak Token Operations #1

New issue
Closed
opened 2025-04-22 21:31:42 +00:00 by abed.alrahman · 2 comments
abed.alrahman commented 2025-04-22 21:31:42 +00:00
Member
Copy link

Ref epic: #13

Goal: Develop a new microservice (auth-service) to provide simple REST endpoints for handling Keycloak authentication tasks: user login (username/password), token verification, and user logout.

Background:
While Keycloak and Traefik handle UI logins and request authentication, we need a way for applications or scripts to programmatically log in users and validate tokens without going through complex browser-based OAuth2 flows. This auth-service will act as a simplified interface to Keycloak for these specific tasks.

Requirements / What needs to be done:

Choose Technology: Decide on a language/framework for the microservice (e.g.,  Java/Kotlin with Spring Boot). 
Design API Endpoints: Define and implement the following REST endpoints:
    POST /login
        Purpose: Authenticate a user with username and password to get tokens.
        Request Body: {"username": "user", "password": "password"}
        Action: Use Keycloak's token endpoint with the Resource Owner Password Credentials (ROPC) grant type.
            Security Note: ROPC should only be enabled in Keycloak for trusted clients, as it handles user passwords directly. This service acts as that trusted client.
        Success Response (200 OK): {"access_token": "...", "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": "...", "token_type": "Bearer", ...} (Return standard Keycloak token response).
        Error Responses: 400 Bad Request (missing fields), 401 Unauthorized (invalid credentials).
    POST /verify
        Purpose: Validate an access token and retrieve user information.
        Request Header: Authorization: Bearer <access_token>
        Action: Use Keycloak's token introspection endpoint or the userinfo endpoint.
        Success Response (200 OK): {"active": true, "username": "user", "email": "...", "groups": ["group1", ...], "realm_access": {"roles": [...]}, ...} (Return relevant user metadata from Keycloak).
        Error Responses: 401 Unauthorized (invalid/expired token).
    POST /logout
        Purpose: Log out the user by invalidating their session/tokens.
        Request Body: {"refresh_token": "..."} (Using the refresh token is standard for ending the session).
        Action: Use Keycloak's logout endpoint or token revocation endpoint with the provided refresh token.
        Success Response (204 No Content): No body content needed.
        Error Responses: 400 Bad Request (missing refresh token), 401 Unauthorized (invalid refresh token).
Keycloak Integration:
    Configure the service to connect to Keycloak using environment variables or configuration files:
        Keycloak base URL (e.g., http://keycloak.dev.localhost/)
        Realm name (e.g., myrealm)
        Client ID for this auth-service (needs to be created in Keycloak, likely confidential, ROPC grant enabled).
        Client Secret (if using a confidential client).
    Use a robust OAuth2/OIDC library for the chosen language to handle interactions.
Ref epic: [#13](https://git.cleverthis.com/clevermicro/user-management/issues/13) Goal: Develop a new microservice (auth-service) to provide simple REST endpoints for handling Keycloak authentication tasks: user login (username/password), token verification, and user logout. Background: While Keycloak and Traefik handle UI logins and request authentication, we need a way for applications or scripts to programmatically log in users and validate tokens without going through complex browser-based OAuth2 flows. This auth-service will act as a simplified interface to Keycloak for these specific tasks. Requirements / What needs to be done: Choose Technology: Decide on a language/framework for the microservice (e.g., Java/Kotlin with Spring Boot). Design API Endpoints: Define and implement the following REST endpoints: POST /login Purpose: Authenticate a user with username and password to get tokens. Request Body: {"username": "user", "password": "password"} Action: Use Keycloak's token endpoint with the Resource Owner Password Credentials (ROPC) grant type. Security Note: ROPC should only be enabled in Keycloak for trusted clients, as it handles user passwords directly. This service acts as that trusted client. Success Response (200 OK): {"access_token": "...", "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": "...", "token_type": "Bearer", ...} (Return standard Keycloak token response). Error Responses: 400 Bad Request (missing fields), 401 Unauthorized (invalid credentials). POST /verify Purpose: Validate an access token and retrieve user information. Request Header: Authorization: Bearer <access_token> Action: Use Keycloak's token introspection endpoint or the userinfo endpoint. Success Response (200 OK): {"active": true, "username": "user", "email": "...", "groups": ["group1", ...], "realm_access": {"roles": [...]}, ...} (Return relevant user metadata from Keycloak). Error Responses: 401 Unauthorized (invalid/expired token). POST /logout Purpose: Log out the user by invalidating their session/tokens. Request Body: {"refresh_token": "..."} (Using the refresh token is standard for ending the session). Action: Use Keycloak's logout endpoint or token revocation endpoint with the provided refresh token. Success Response (204 No Content): No body content needed. Error Responses: 400 Bad Request (missing refresh token), 401 Unauthorized (invalid refresh token). Keycloak Integration: Configure the service to connect to Keycloak using environment variables or configuration files: Keycloak base URL (e.g., http://keycloak.dev.localhost/) Realm name (e.g., myrealm) Client ID for this auth-service (needs to be created in Keycloak, likely confidential, ROPC grant enabled). Client Secret (if using a confidential client). Use a robust OAuth2/OIDC library for the chosen language to handle interactions.
abed.alrahman added reference feat#1_creating_service 2025-04-27 23:15:03 +00:00
stanislav.hejny commented 2025-04-29 10:33:02 +00:00
Member
Copy link

depends on / is blocked by 'have independent keycloak instance deployed' in CleverThis company context, as a DEVELOPMENT env instance (identity-management project task)

depends on / is blocked by 'have independent keycloak instance deployed' in CleverThis company context, as a DEVELOPMENT env instance (identity-management project task)
abed.alrahman changed reference from feat#1_creating_service to feat#1_creating_service 2025-05-04 23:54:08 +00:00
abed.alrahman changed reference from feat#1_creating_service to Create-Auth-Microservice#1 2025-05-05 00:48:23 +00:00
freemo commented 2025-05-05 01:10:24 +00:00
Owner
Copy link

@stanislav.hejny @aleenaumair

This ticket has no milestone. Please fix this.

I will MosCoW this ticket anyway.

@stanislav.hejny @aleenaumair This ticket has no milestone. Please fix this. I will MosCoW this ticket anyway.
aleenaumair added this to the V.01 milestone 2025-05-05 10:03:16 +00:00
Sign in to join this conversation.
Create-Auth-Microservice#1
Branches Tags
Clear current reference
master
feat/authz-scaffolding
develop
Clear current reference
No results found.
Labels
Clear labels
  
Blocked

A ticket in a blocked state and unable to complete until some other task is completed first.

  
Bounty
$100
A bounty of $100 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$1000
A bounty of $1000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$10000
A bounty of $10000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$20
A bounty of $20 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$2000
A bounty of $2000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$250
A bounty of $250 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$50
A bounty of $50 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$500
A bounty of $500 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$5000
A bounty of $5000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$750
A bounty of $750 for any open-source contributor who provides a MR that solves this issue

  
MoSCoW
Could have
Could have feature in order to satisfy the epic/legendary.

  
MoSCoW
Must have
Must have feature in order to satisfy the epic/legendary.

  
MoSCoW
Should have
Should have feature in order to satisfy the epic/legendary.

  
Needs feedback

There are questions in the ticket that can not be completed until the project owner provides clarity.

  
Points
1
1 man-hours worth of work for an expert with no learning curve.

  
Points
13
13 man-hours worth of work for an expert with no learning curve.

  
Points
2
2 man-hours worth of work for an expert with no learning curve.

  
Points
21
21 man-hours worth of work for an expert with no learning curve.

  
Points
3
3 man-hours worth of work for an expert with no learning curve.

  
Points
34
34 man-hours worth of work for an expert with no learning curve.

  
Points
5
5 man-hours worth of work for an expert with no learning curve.

  
Points
55
55 man-hours worth of work for an expert with no learning curve.

  
Points
8
8 man-hours worth of work for an expert with no learning curve.

  
Points
88
88 man-hours worth of work for an expert with no learning curve.

  
Priority
Backlog
This ticket has backlogged priority and is not to be worked on yet

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Signed-off: Owner

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Scrum Master

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Tech Lead

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Spike

A ticket for learning a tool or technology that is needed to be able to do future planning and design.

  
State
Completed
The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.

  
State
Duplicate
A ticket that represents the same content as an existing ticket.

  
State
In Progress
A ticket that is actively being developed.

  
State
In Review
A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.

  
State
Paused
This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.

  
State
Unverified
All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.

  
State
Verified
The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.

  
State
Wont Do
This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.

  
Type
Bug
Something that doesnt work as intended.

  
Type
Discussion
Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.

  
Type
Documentation
An error or improvement needed in the documentation.

  
Type
Epic
Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.

  
Type
Feature
Some new functionality not present.

  
Type
Legendary
A type of Epic which will contain other Epics.

  
Type
Support
Someone needs help using the project.

  
Type
Task
A generic task that doesnt fit into the other type categories.

  
Type
Testing
Work exclusively focusing on fixing or expanding testing.

No labels
Blocked
Bounty
$100
Bounty
$1000
Bounty
$10000
Bounty
$20
Bounty
$2000
Bounty
$250
Bounty
$50
Bounty
$500
Bounty
$5000
Bounty
$750
MoSCoW
Could have
MoSCoW
Must have
MoSCoW
Should have
Needs feedback
Points
1
Points
13
Points
2
Points
21
Points
3
Points
34
Points
5
Points
55
Points
8
Points
88
Priority
Backlog
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Signed-off: Owner
Signed-off: Scrum Master
Signed-off: Tech Lead
Spike
State
Completed
State
Duplicate
State
In Progress
State
In Review
State
Paused
State
Unverified
State
Verified
State
Wont Do
Type
Bug
Type
Discussion
Type
Documentation
Type
Epic
Type
Feature
Type
Legendary
Type
Support
Type
Task
Type
Testing
Milestone
Clear milestone
No items
No milestone
V.01
Projects
Clear projects
No items
No project
Sprint May 1st- 14th
Assignees
Clear assignees
No assignees
abed.alrahman
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks
You do not have permission to read 1 dependency
Reference: clevermicro/user-management#1
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?