Hey Sergio, thanks for a great tutorial. I've been looking for one covering both a backend and frontend connected to keycloak. I was wondering how you would implement redirect when logging out? As of this tutorial the logout button works but it doesn't take you back to the index page. I've been trying to use your solution for the signin callback, but with no luck. How would you implement the callback for logout?
Hi Rekishi, thanks for your interest. I didn't try to the logout, but it's a good question. Did you check the settings of the frontend oidc-client library post_logout_redirect_uri (github.com/IdentityModel/oidc-client-js/wiki)? Maybe just adding this configuration when creating the frontend client is enough. If that's the case, let me know your feedbacks.
@@TheDevWorldbySergioLema Thanks for the quick reply. I managed to solve it for now by adding the "post_logout_redirect_uri:" field to settings when creating the UserManager, then setting the same url in Keycloak and copying your signin-callback.html page and remaking it for using "signoutRedirectCallback()"
Hi, It seems, in this scenario, the role of the cloud gateway api is just to convey the request to different resource server(backend resources) endpoints? It has no contribution to the security. Here the first line of action takes place with the user requesting the react frontend, which redirects the user to keycloak login page if the user not logged in? In some scenarios where the cloud gateway is a part of the security and is the first line of action, and its called BFF(backend for front end) , if I am not mistaken. Is that right?
Yes, in this scenario the backend is acting as a BFF, you're right. The security is split between the frontend (as the client server) and the private backend (as the resources server). The API gateway is only there to redirect the requests
@@TheDevWorldbySergioLema I see but it wouldnt be better to configure api gateway as resource server and there provides configuration to secure some of services? It seems to be best solution if Spring Cloud Api Gateway is an entry point
Agree, I think resource server brings us too much overhead given microservices in reality hides behind the gateway and frontend cannot access it directly. So I would like to see a solution where we only parse the token in gateway once via some filter. And then pass the the resolved userId to microservcies through some http header(Not pass token, this way we don't need to set each and every micro-service as a resource server.
Thanks for the video. However, I have a question. Is there a way to login to keycloak without redirecting to the keycloak login page? I have a custom login screen in my ReactJS app and I want to make use of it instead.
How do you allow post requests using this keycloak flow? I am always getting back a missing csrf token error. Any idea how to configure this or to disable csrf?
To allow the POST requests, make sure to allow the CORS in the application.yml of the Gateway. About the CSRF, I din't anything particular, it was disable by defautl.
Hi! I have a doubt. I have a Web site that must access protected API. I have a Spring Cloud gateway and some microservices and here I implemented the authorization based on roles.. Now I followed the way to register the Gateway as confidential client on Keycloak and store in it client_id and secret_id. I was wondering if this way was better and what the differences were. Thanks
Using the authentication with Keycloak is very useful if you have many different applications (clients) which need this same authentication. If you only have one application (client), maybe putting all the authentication logic inside may reduce the complexity. But, using Keycloak is using a string authentication system, OAuth2. Which was tested for many years. Using you own authentication system means that you must take care of the security breaches. What I recommend? It depends on you (and your team): * if you need the same authentication system for many application -> use Keycloak * if you don't know much about security breaches or authentication systems -> use Keycloak * otherwise -> use a simple authentication system inside you already existing application Hope this will help you
It's not mandatory. You can let the value to profile, name, email or openid. It says what kind of information you want to fetch from the User's profile.
Great Video. It helped me a lot...We are planning to use Spring 3.1 Authorization server . I am tryin to use the React Code to connect to Spring Auth server. Login Screen is comming and the login is successful.. but in the end I am getting the following error in the signin-callback.html : No matching state found in storage. Could you please tell me how to fix this issue. With Keycloak it is fine....Thanks
Thank you Rajeev. I've been looking around and found this information (github.com/IdentityModel/oidc-client-js/issues/1044). It seems to be the cookies.
Do you use the Spring Cloud Api Gateway? Or directly Spring Security? If you use Spring Security, check this other video where I configure the CORS: ua-cam.com/video/phs90_s0Mjk/v-deo.html
Could gateway be also a resource server so it can validate tokens? In my case I get Cors error: Missing allow origin header in preflight request, I already tried several ways to enable Cors with no luck.
Yes, someone already told me about this alternative. I will try to make another video with this solution. About the CORS problem, you must configure them in both the api gateway and keycloak. Try with different browsers (sometimes they act differently).
@@TheDevWorldbySergioLema thank you i have last question You have installed keycloak legacy version . Would it be a problem if we use the release version?
@@TheDevWorldbySergioLema Like logout was working but it was not redirect back to app, I have to set post logout redirect url and it worked. Thanks for the video.
Yes, that's the goal of an SSO, you use keycloak just to sign, not to register. If you want to register the users in your application and manage their accounts, it's another authentication system you need
Some parts need more explanations, some parts are just coding. I explain while what I'm doing in a more dynamic way than just talking in front of a screen for 5 minutes I'm sorry, but that's my way to do videos
@@TheDevWorldbySergioLema the keycloak documentation is terrible and I've wasted weeks trying to figure out how to integrate a rails api with a react frontend with keycloak. One of the worst documented projects I've ever seen.
Finally, find what I looked for. Really thanks and perfect video. keep doing more please
Thank you for watching! I will keep doing more video. Don't forget to share to channel to your network 😅
Could you please make video to demo BFF pattern ( Backend for FrontEnd). BFF is thought more secure than PKCE flow.
I first need to investigate a little bit more about it
Thumbs up for this :)
I'm currently struggling regard this approach
Your videos are amazing! Keep doing this great job!
Thank you so much Camilo!
Thank you very much. You explain very complicated things in very clear language
Thank you! I try my best
Hey Sergio, thanks for a great tutorial. I've been looking for one covering both a backend and frontend connected to keycloak. I was wondering how you would implement redirect when logging out? As of this tutorial the logout button works but it doesn't take you back to the index page. I've been trying to use your solution for the signin callback, but with no luck. How would you implement the callback for logout?
Hi Rekishi, thanks for your interest.
I didn't try to the logout, but it's a good question. Did you check the settings of the frontend oidc-client library post_logout_redirect_uri (github.com/IdentityModel/oidc-client-js/wiki)? Maybe just adding this configuration when creating the frontend client is enough. If that's the case, let me know your feedbacks.
@@TheDevWorldbySergioLema Thanks for the quick reply. I managed to solve it for now by adding the "post_logout_redirect_uri:" field to settings when creating the UserManager, then setting the same url in Keycloak and copying your signin-callback.html page and remaking it for using "signoutRedirectCallback()"
Glad it worked so easily!
now i know how to implement pkce authorization with react ! thanks !
Glad it helped you!
Hi, It seems, in this scenario, the role of the cloud gateway api is just to convey the request to different resource server(backend resources) endpoints? It has no contribution to the security. Here the first line of action takes place with the user requesting the react frontend, which redirects the user to keycloak login page if the user not logged in? In some scenarios where the cloud gateway is a part of the security and is the first line of action, and its called BFF(backend for front end) , if I am not mistaken. Is that right?
Yes, in this scenario the backend is acting as a BFF, you're right. The security is split between the frontend (as the client server) and the private backend (as the resources server). The API gateway is only there to redirect the requests
Great tutorial! But I have one question, what if there is multiple backend resources? Do i need to add security config in each microservice?
Yes, all the resources servers you have need the configuration to be able to talk with Keycloak.
@@TheDevWorldbySergioLema ok but what if there is for example 50 resources that have to be secured? Copy paste code in each? 😅
Yes 😅. But you can also add a Config Server, ua-cam.com/video/p65u4t26BBc/v-deo.html
@@TheDevWorldbySergioLema I see but it wouldnt be better to configure api gateway as resource server and there provides configuration to secure some of services? It seems to be best solution if Spring Cloud Api Gateway is an entry point
You're right, i will try to implement this solution
in your project you're still on version 2.7.1; any update concerning spring 3.0.2 and keycloak? thanks
Oh, didn't see that. I will update it in the repository.
Agree, I think resource server brings us too much overhead given microservices in reality hides behind the gateway and frontend cannot access it directly. So I would like to see a solution where we only parse the token in gateway once via some filter. And then pass the the resolved userId to microservcies through some http header(Not pass token, this way we don't need to set each and every micro-service as a resource server.
Yes, I will try to implement this way. I've already done something similar, with a single JWT, but not with OAuth2 and Keycloak.
Hy! Any update on this? Sorry for bothering you.
It's planned, but i didn't started yet
Thanks for the video. However, I have a question.
Is there a way to login to keycloak without redirecting to the keycloak login page? I have a custom login screen in my ReactJS app and I want to make use of it instead.
Yes, you can configure a custom login page in Keycloak
@@TheDevWorldbySergioLema Ok. How do I go about it?
I didn't try it, but this seems to be what you're looking for: www.baeldung.com/keycloak-custom-login-page
How do you allow post requests using this keycloak flow?
I am always getting back a missing csrf token error. Any idea how to configure this or to disable csrf?
To allow the POST requests, make sure to allow the CORS in the application.yml of the Gateway.
About the CSRF, I din't anything particular, it was disable by defautl.
ITM - Всем здарова! Вам тоже сложно даются видосы на инглише?
Hi! I have a doubt. I have a Web site that must access protected API. I have a Spring Cloud gateway and some microservices and here I implemented the authorization based on roles.. Now I followed the way to register the Gateway as confidential client on Keycloak and store in it client_id and secret_id. I was wondering if this way was better and what the differences were. Thanks
Using the authentication with Keycloak is very useful if you have many different applications (clients) which need this same authentication. If you only have one application (client), maybe putting all the authentication logic inside may reduce the complexity.
But, using Keycloak is using a string authentication system, OAuth2. Which was tested for many years.
Using you own authentication system means that you must take care of the security breaches.
What I recommend? It depends on you (and your team):
* if you need the same authentication system for many application -> use Keycloak
* if you don't know much about security breaches or authentication systems -> use Keycloak
* otherwise -> use a simple authentication system inside you already existing application
Hope this will help you
@@TheDevWorldbySergioLema what the client scope is for? Is it mandatory?
It's not mandatory. You can let the value to profile, name, email or openid.
It says what kind of information you want to fetch from the User's profile.
Really great tutorial! Is there a way to create my own React login screen that could be used with keycloak? Thanks!
Thanks! Yes you can create your own React login page. Then, in Keycloak, you can select the login page where the user will be redirected.
Great Video. It helped me a lot...We are planning to use Spring 3.1 Authorization server . I am tryin to use the React Code to connect to Spring Auth server. Login Screen is comming and the login is successful.. but in the end I am getting the following error in the signin-callback.html : No matching state found in storage. Could you please tell me how to fix this issue. With Keycloak it is fine....Thanks
Thank you Rajeev. I've been looking around and found this information (github.com/IdentityModel/oidc-client-js/issues/1044). It seems to be the cookies.
Hello! i'm trying to replay this situation and i have a CORS issue. Any idea?
Do you use the Spring Cloud Api Gateway? Or directly Spring Security? If you use Spring Security, check this other video where I configure the CORS: ua-cam.com/video/phs90_s0Mjk/v-deo.html
what if my frontend request will be with https ?
This should change. You need to add the SSL certificate to Keycloak and the Gateway
Thank you, very useful!
Thank you!
Could gateway be also a resource server so it can validate tokens? In my case I get Cors error: Missing allow origin header in preflight request, I already tried several ways to enable Cors with no luck.
Yes, someone already told me about this alternative. I will try to make another video with this solution.
About the CORS problem, you must configure them in both the api gateway and keycloak. Try with different browsers (sometimes they act differently).
Hey , have you been able to mange that cors issue ?
great tutorial!!.
Thank you!
TUSM. Great content. Just one thing - you have been writing OIDC, Open ID Connect ... but you pronounce OI-SEE-d, lol xD
😂 Yes, I saw that when writing the subtitles
So can I login without redirecting?
Do you mean having a login form integrated inside the frontend without the redirection to the login page of Keycloak?
@@TheDevWorldbySergioLema just like you said
I don't if configuring a custom login page in Keycloak is enough. I never did it, so I can't tell you if it works.
@@TheDevWorldbySergioLema thank you i have last question You have installed keycloak legacy version . Would it be a problem if we use the release version?
I don't thing there is much difference
Thanks for video
Hope it helped you!
Good job keep going
Thank you!
logout redirect not working??
I didn't try the logout. Have you any message describing the error? Or nothing is shown?
@@TheDevWorldbySergioLema Like logout was working but it was not redirect back to app, I have to set post logout redirect url and it worked. Thanks for the video.
Thanks for your feedback!
Thank you so much :)
I'm so glad you liked it!
Hi sergio, have a question, what about registration?
It must be done directly in Keycloak.
You can see it in this video, ua-cam.com/video/YHWfJHKGYGI/v-deo.html
@@TheDevWorldbySergioLema thanks sergio, so every user that wants to use my application must first register on keycloak? let´s say an E-comerce
Yes, that's the goal of an SSO, you use keycloak just to sign, not to register. If you want to register the users in your application and manage their accounts, it's another authentication system you need
Video is nice, but if you had less content switched back and fort to your face - it would be way better.
Some parts need more explanations, some parts are just coding.
I explain while what I'm doing in a more dynamic way than just talking in front of a screen for 5 minutes
I'm sorry, but that's my way to do videos
If possible to rubyonrails
Oh no! Please, no, not rubyonrails
😅🙏
Why do all keycloak teachers think we all use java?
🤣 In fack, my channel is mainly about Java, and I've done a few videos with Keycloak. Which language are you looking for?
@@TheDevWorldbySergioLema I'm a Rails or Express guy so maybe JavaScript or Ruby.
@@TheDevWorldbySergioLema the keycloak documentation is terrible and I've wasted weeks trying to figure out how to integrate a rails api with a react frontend with keycloak.
One of the worst documented projects I've ever seen.
It's not well documented. But once you've started and configured Keycloak, what you need to know is the OAuth2 protocol with whatever language.