Goal: Configure OAuth2 authentication for the Magic xpi RESTful API service using Keycloak Identity and Access Management
Prerequisites:
- Access to a Keycloak server https://www.keycloak.org/
- Apache Tomcat
- Magic xpi
- Postman
1/ Keycloak server installation
Download and unzip the Keycloak server.
Install Java version « 17.0.11 » (2024-04-16, LTS).
Start the Keycloak server (dev environment): kc start-dev
Browse to http://localhost:8080 and create the admin user.
2/ Keycloak settings
Create a realm for Magic xpi.
Create the Magic xpi client.
3/ Enter a redirect URL pointing to the Magic xpi RESTful API
Save the client secret; it is needed later for the token request.
4/ Create a client scope (magicxpiscope)
Create 2 mappers, UserProperty (boolean) and UserAttribute (custom attribute), via Add mapper > By configuration.
5/ Add the client scope « magicxpiscope » to the client
6/ Deploy the Magic xpi Tomcat requester (see « Magic xpi – RESTful API Provider Installation Instructions.pdf »)
Copy the file xpiREST.war from <Magic xpi installation>\Runtime\addon_connectors\RESTfulAPI\servicefiles to <Magic xpi installation>\Runtime\apache-tomcat\webapps.
We will use the Magic xpi embedded Apache Tomcat (<Magic xpi installation>\Runtime\apache-tomcat).
Change the Apache Tomcat port to 6443 in the server.xml file and start the server.
After starting the Apache Tomcat server (<xpi installation>\Runtime\apache-tomcat\bin\startup.bat), xpiREST and rest-services will appear.
7/ Create a Magic xpi project including a RESTful service
Define 2 methods.
Under <xpi project>\RESTful API\<ServiceNameFolder> (e.g. C:\MSE\Magicxpi414\Runtime\projects\OAuth2_Keycloak\OAuth2_Keycloak\RESTful API\MyRESTfulAPI) you will find the service definition file <Project Name>_<Service Name>_serviceDefinition.xml (e.g. C:\MSE\Magicxpi414\Runtime\projects\OAuth2_Keycloak\OAuth2_Keycloak\RESTful API\MyRESTfulAPI\OAuth2_Keycloak_MyRESTfulAPI_serviceDefinition.xml).
Add the OAuth2 issuer (http://localhost:8080/realms/Magicxpi) and the security role (i.e. the client scope) for each method.
8/ Copy the service definition file from <xpi project>\RESTful API\<ServiceNameFolder> to <Magic xpi installation>\Runtime\apache-tomcat\rest-services
9/ Test using Postman
Make a POST to http://localhost:8080/realms/Magicxpi/protocol/openid-connect/token with these credentials, with scope set to openid email address profile magicxpiscope.
Check in the response that you get the client scope that you want.
In the response you get the « access_token » and the « refresh_token ». If you want to test a call to the Magic xpi RESTful service, use the access_token as a Bearer token in the Authorization header.
(*) You get status 201 because in the Magic xpi flow I put 201 in the response status (C.UserCode).
(**) If you set a wrong role in the service definition file, you get a 403 Forbidden.
(***) If you pass a wrong Bearer token, or if the token is expired, you get a 401 Unauthorized.
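The same test as above, scripted instead of clicked through in Postman. This is an added example, not code from the page or from Magic xpi: it posts to the realm's token endpoint with the scope used above, refuses to continue unless the granted scope actually contains magicxpiscope (the check you are asked to do by eye in the response), and then calls the service with the access_token in the Authorization header. The grant type (client_credentials) is an assumption, since the screenshot shows the credentials but not the grant; the client id, client secret and the xpiREST method URL are placeholders.

```python
"""Step 9 without Postman: fetch a token from Keycloak, check the granted
scope, then call the Magic xpi RESTful service with a Bearer header."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and scope exactly as used in the walkthrough.
TOKEN_URL = "http://localhost:8080/realms/Magicxpi/protocol/openid-connect/token"
SCOPE = "openid email address profile magicxpiscope"
REQUIRED_SCOPE = "magicxpiscope"


def build_token_request(client_id, client_secret, grant_type="client_credentials", **extra):
    """Form-encoded body for the token endpoint.

    The grant type is an assumption: the walkthrough shows the credentials but
    not which grant was chosen. For a user login pass
    grant_type="password", username=..., password=... instead.
    """
    fields = {
        "grant_type": grant_type,
        "client_id": client_id,
        "client_secret": client_secret,  # the secret saved in step 3
        "scope": SCOPE,
    }
    fields.update(extra)
    return urllib.parse.urlencode(fields).encode()


def parse_token_response(body):
    """Return (access_token, refresh_token, granted scopes).

    Raises ValueError when the token was not granted magicxpiscope, which is
    the check the walkthrough asks you to make in the Postman response.
    """
    data = json.loads(body)
    granted = set(data.get("scope", "").split())
    if REQUIRED_SCOPE not in granted:
        raise ValueError(f"{REQUIRED_SCOPE} missing from granted scope {sorted(granted)}")
    return data["access_token"], data.get("refresh_token"), granted


def bearer_headers(access_token):
    """Authorization header for the call to the Magic xpi service."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def fetch_token(client_id, client_secret, **extra):
    """POST the token request and return the parsed, scope-checked result."""
    body = build_token_request(client_id, client_secret, **extra)
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())


def call_service(url, access_token, payload):
    """POST payload to the service; returns (status, body) for 201/401/403 alike."""
    headers = {**bearer_headers(access_token), "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 401 / 403 are reported here
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Placeholders: substitute the client id, the saved secret and the method
    # URL published by xpiREST on the embedded Tomcat (port 6443, step 6).
    access, refresh, granted = fetch_token("<client id>", "<client secret>")
    print("granted scope:", " ".join(sorted(granted)))
    status, body = call_service("http://localhost:6443/<xpiREST method URL>",
                                access, {"hello": "world"})
    print(status, body)
```

Keep the refresh_token out of logs and out of the service call; only the access_token goes in the Authorization header.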
10/ By default, the access token expires after 5 min; you can change this setting in the Keycloak console.
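Footnotes (**) and (***) and step 10 describe three outcomes of the bearer check: 201 when the token is valid and carries the role named in the service definition, 403 when the token is valid but the role does not match, 401 when the token is wrong or has outlived its 5-minute lifetime. The following added example models that decision so the three cases can be exercised offline; it is not Magic xpi's own code (the page does not show how xpiREST validates tokens). It signs its test tokens with an HMAC over a constructed key as a stand-in for the RS256 tokens Keycloak really issues (which a resource server verifies against the realm's published public key); the issuer and the 300-second lifetime are the page's values, and authorize() is a hypothetical name.

```python
"""Model the 201 / 401 / 403 outcomes of the bearer check on the service side."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "http://localhost:8080/realms/Magicxpi"   # issuer from the service definition
SERVICE_ROLE = "magicxpiscope"                       # role = client scope per method
LIFETIME = 300                                       # Keycloak default: 5 min

# Constructed signing key. Real Keycloak tokens are RS256-signed and are
# verified against the realm's public key; the HMAC here is a stand-in so the
# example runs without a server.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(scope, issued_at=None, lifetime=LIFETIME, issuer=ISSUER):
    """Build a JWT with iss/iat/exp/scope, as Keycloak would for a granted scope."""
    now = int(time.time()) if issued_at is None else issued_at
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "iat": now, "exp": now + lifetime, "scope": scope}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Return the claims when signature, issuer and expiry all hold, else None."""
    try:
        head, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None                       # tampered or foreign signature
        claims = json.loads(_b64url_decode(payload))
    except ValueError:                        # malformed token, bad base64 or JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        return None                           # issued by another realm / server
    if claims.get("exp", 0) <= now:
        return None                           # expired (default after 5 min)
    return claims


def authorize(auth_header, required_role=SERVICE_ROLE, now=None):
    """Map one request's Authorization header to the status seen in the walkthrough."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401
    claims = verify_token(auth_header[len("Bearer "):], now=now)
    if claims is None:
        return 401                            # (***) wrong or expired token
    if required_role not in claims.get("scope", "").split():
        return 403                            # (**) role in definition not in token
    return 201                                # (*) the flow sets C.UserCode = 201


if __name__ == "__main__":
    t0 = int(time.time())
    good = mint_token("openid email profile magicxpiscope", issued_at=t0)
    print("valid token      ->", authorize("Bearer " + good, now=t0 + 60))
    print("after 5 minutes  ->", authorize("Bearer " + good, now=t0 + LIFETIME + 1))
    print("wrong role       ->", authorize("Bearer " + good, required_role="otherrole", now=t0 + 60))
```

Note that the expiry check is what makes step 10 matter: lengthening the lifetime in the Keycloak console widens the window during which a leaked access_token keeps returning 201, so prefer the short default and refresh.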