Magic xpi and KEYCLOAK IAM for RESTFulAPI with OAuth2

Goal : Configure OAuth2 Authentication for Magic xpi RESTful API Service using KeyCloak Identity Access Management

Prerequisites :

1/ keyCloak Server Installation

Download and unzip keycloak server

install java version “17.0.11” 2024-04-16 LTS

Start Keycloak server (Dev environment) : kc start-dev

Browse : http://localhost:8080 and create Admin user

2/ Keycloak settings

Create Realm for Magic xpi

Create Magic xpi Client

3/ Enter an URL redirection to Magic xpi RESTFul API

Save the Client Secret

4/ Create a Client Scope (magicxpiscope)

Create 2 mapper (UserProperty (boolean) and UserAttribute (custom atrribute)) (Add mapper By Configuration)

4/ Add the client scope “magicxpiscope” to the client

4/ Deploy Magic xpi Tomcat requester (Magic xpi – RESTful API Provider Installation Instructions.pdf)

Copy the file xpiREST.war from<Magic xpi installation>\Runtime\addon_connectors\RESTfulAPI\servicefiles to <Magic xpi installation>\Runtime\apache-tomcat\webapps

We will use the Magic xpi Embedded Apache Tomcat (<Magic xpi installation>\Runtime\apache-tomcat).

Change the Apache Tomcat port to 6443 in the server.xml file and start the server

after starting the Apache server (<xpi installation>\Runtime\apache-tomcat\bin\startup.bat), xpiREST and rest-services will appear.

5/ Create a Magic xpi project including a RESTFul Service

Define 2 methods

Under <xpi project>\RESTful API\<ServiceNameFolder>. (ex: C:\MSE\Magicxpi414\Runtime\projects\OAuth2_Keycloak\OAuth2_Keycloak\RESTful API\MyRESTfulAPI)

you will find the Service Definition File (<Project Name>_<Service Name>_serviceDefinition.xml) (C:\MSE\Magicxpi414\Runtime\projects\OAuth2_Keycloak\OAuth2_Keycloak\RESTful API\MyRESTfulAPI\OAuth2_Keycloak_MyRESTfulAPI_serviceDefinition.xml)

Add the OAuth2 Issuer (http://localhost:8080/realms/Magicxpi) and the security role => client scope for each method

6/ Copy the Service Definition file from <xpi project>\RESTful API\<ServiceNameFolder> to <Magic xpi installation>\Runtime\apache-tomcat\rest-services

7/ Test using Postman

Make a POST on http://localhost:8080/realms/Magicxpi/protocol/openid-connect/token with these credentials with scope set to openid email address profile magicxpiscope

Check in the response that you get the clientscope that you want

In the response you will get the “access_token” and the “refresh_token” , if you want to test a call to the Magic xpi RESTFUl service, you can use access_token in the authorization header

(*) You got Status 201 because in the Magic xpi Flow, i put 201 in C.UserCode

(**) if you set a wrong role in the service definition file, you get a 403 Forbidden

(***) If you pass a wrong Bearer token or if the token is expired then you get 401 Unauthorized

8/ By default, the Access token expired after 5min, you can change this setting in the KeyCloak console

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Retour en haut