Here is a diagram giving an overview of what this bundle lets you do easily to secure your Symfony API application with OAuth 2.0.
```
Client Application              Keycloak              Resource Web API (Symfony)
        |           1              |                             |
        | -----------------------> |                             |
        |           2              |                             |
        | <----------------------- |                             |
        |           3                                            |
        | ----------------------------------------------------> |
        |           4                                            |
        | <---------------------------------------------------- |
```

1. Ask for a JWT token with your Client ID and your Client secret
2. Get the JWT token
3. Request the API resource using the Bearer token in the request header
4. Retrieve the API resource data (if the token is valid and the client application has the right permissions)
First of all, a realm named demo must exist and you have to create a client.
You can use our tutorial to help you create a client dedicated to an API provider application.
We are going to create the role "ROLE_API" for our API provider client application.
Click on Create role:
Fill in the Role name and click on Save:
Your role has been created successfully!
To allow your client application to request your API, you need to configure your API consumer with the role "ROLE_API" of the API provider application. In your API consumer, assign the role "ROLE_API" of the API provider.
Click on Filter by clients, search for name-of-your-api-provider, check "ROLE_API" and click on Assign:
For KEYCLOAK_SERVER_BASE_URL, put your Keycloak URL (something like https://keycloak/auth).
For KEYCLOAK_CLIENT_SECRET, copy the secret found in your client, for example name-of-your-api-provider-application:
In your .env file, update:
```dotenv
###> idci/keycloak-security-bundle ###
KEYCLOAK_SERVER_BASE_URL=https://keycloak/auth
KEYCLOAK_SERVER_PUBLIC_BASE_URL=${KEYCLOAK_SERVER_BASE_URL}
KEYCLOAK_SERVER_PRIVATE_BASE_URL=${KEYCLOAK_SERVER_BASE_URL}
KEYCLOAK_REALM=demo
KEYCLOAK_CLIENT_ID=name-of-your-api-provider
KEYCLOAK_CLIENT_SECRET=client_secret
###< idci/keycloak-security-bundle ###
```
```yaml
# config/packages/security.yaml
imports:
    # Import Keycloak security providers
    - { resource: '@IDCIKeycloakSecurityBundle/Resources/config/security.yaml' }

security:
    enable_authenticator_manager: true

    firewalls:
        # Example protecting your application (API) with the OAuth 2 Client Credentials Flow
        # (JWT with Bearer token authentication)
        api:
            pattern: ^/api
            provider: idci_keycloak_bearer_security_provider
            entry_point: IDCI\Bundle\KeycloakSecurityBundle\Security\EntryPoint\BearerAuthenticationEntryPoint
            custom_authenticators:
                - IDCI\Bundle\KeycloakSecurityBundle\Security\Authenticator\KeycloakBearerAuthenticator

    access_control:
        # The following roles must be configured in your Keycloak client
        - { path: ^/api, roles: ROLE_API }
```
In Postman, create a new GET request.
Select OAuth 2.0 as the Authorization Type.
In the section Configure New Token, fill in:
- Token Name: token
- Grant Type: Client Credentials
- Access Token URL: KEYCLOAK_SERVER_BASE_URL (as set in your .env file) + /realms/demo/protocol/openid-connect/token
- Client ID: the client ID of your API consumer application client (can be obtained from your Keycloak)
- Client Secret: the client secret of your API consumer application client (can be obtained from your Keycloak)
After filling in all these fields, click on the Get New Access Token button and copy the generated token.
In Postman, create a second new GET request. Fill in:
- Request URL: https://api_provider_application_url/api
- Authorization Type: Bearer Token
- In the Token field, paste the token generated previously.
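The same flow as the diagram and the Postman steps above, scripted in Python as an added example (not code from the bundle): it builds the token endpoint from KEYCLOAK_SERVER_BASE_URL and the realm, exchanges the consumer's client credentials for an access token, and inspects the token's claims to confirm that ROLE_API of the provider client was assigned. It assumes Keycloak's standard token endpoint path and its `resource_access.<client>.roles` claim layout; the sample token and the client name name-of-your-api-consumer are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

def token_endpoint(base_url: str, realm: str) -> str:
    """Token URL = KEYCLOAK_SERVER_BASE_URL + /realms/<realm>/protocol/openid-connect/token."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"

def request_client_credentials_token(base_url, realm, client_id, client_secret):
    """Steps 1 and 2: exchange the API consumer's credentials for an access token (needs network)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_endpoint(base_url, realm), data=form,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def decode_claims(jwt: str) -> dict:
    """Read the JWT payload for inspection only. This does NOT verify the
    signature; the bundle does that against Keycloak's keys on every request."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def has_client_role(claims: dict, client_id: str, role: str) -> bool:
    """Keycloak lists client roles under resource_access.<client>.roles."""
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return role in roles

def _unsigned_sample_jwt(claims: dict) -> str:
    """Constructed sample token (placeholder signature) for offline use."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"eyJhbGciOiJSUzI1NiJ9.{body}.signature-placeholder"

# Constructed: the consumer's token once ROLE_API of the provider client is assigned to it
SAMPLE_JWT = _unsigned_sample_jwt({
    "iss": "https://keycloak/auth/realms/demo",
    "azp": "name-of-your-api-consumer",
    "resource_access": {"name-of-your-api-provider": {"roles": ["ROLE_API"]}},
})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_JWT)
    print("ROLE_API granted:", has_client_role(claims, "name-of-your-api-provider", "ROLE_API"))
```

A token whose `resource_access` entry for name-of-your-api-provider lacks ROLE_API is exactly the case the `access_control` rule above rejects, so checking the claim this way is a quick diagnostic when Postman gets a 403 from `/api`.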