Skip to content

sdoxsee/merry-microservices

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

.mvn/wrapper

.mvn/wrapper

 
 

gateway

gateway

 
 

note

note

 
 

realm-config

realm-config

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

docker-compose.yml

docker-compose.yml

 
 

keycloak.yml

keycloak.yml

 
 

mvnw

mvnw

 
 

mvnw.cmd

mvnw.cmd

 
 

pom.xml

pom.xml

 
 

Repository files navigation

Merry Microservices: Part 3 ‘Policy Service’–Application authorization management based on identity and permissions

This is the repository corresponding to Part 3 of the blog series Merry Microservices. It demonstrates the place for a “policy service” to manage the identity permissions (or policies) specific to each application in the architecture rather than overloading the JWT, at the Identity Provider level, with irrelevant permissions. Here, you'll find the following files and folders:

  • docker-compose.yml spins up a Keycloak instance on port 9080 and a "policy service" on port 8080 that note and gateway will also use
  • keycloak.yml and realm-config folder are from https://github.com/jhipster/jhipster-sample-app-oauth2/blob/master/src/main/docker
  • note folder is a Spring Boot OAuth2 resource server app using Webflux and R2DBC that stores Note entities
  • gateway folder is a Spring Cloud Gateway app with a React CRUD UI that handles the OAuth2/OIDC dance and relays requests to resource servers (e.g. note)

Quickstart

  1. Start keycloak (port 9080) and policyservice (port 8080)
docker-compose up

Of course, if you want users to be granted permissions for, say, CanRead, CanReadConfidentialNotes or Snowing, you'll need to configure the "policy service" as per the Part 3 blog post. See "Dealing with an identity provider in Docker" below for challenges with Dockerized identity providers.

  1. Start note on port 8081
(cd note && ./mvnw spring-boot:run)
  1. Start gateway on port 8082
(cd gateway && ./mvnw clean package spring-boot:run -DskipTests)

Gateway in development

Rather than just build and start the UI gateway on port 8082, we can split the frontend and backend for a better developer experience.

In one terminal, start the backend on port 8082

(cd gateway && ./mvnw clean spring-boot:run)

In another terminal, start the frontend on port 3000

(cd gateway && npm start)

Now, whenever you save your TypeScript files, you'll get hot-reloading in the browser.

Dealing with an identity provider in Docker

In order to sign in to the Dockerized "policy service" using Keycloak, you'll need to add the following to your machine's hosts file (details):

127.0.0.1	keycloak

If you're on a Mac, this will automatically append the line to your /etc/hosts file:

sudo -- sh -c "echo '127.0.0.1	keycloak' >> /etc/hosts"

This is needed because you will access your application with a browser on your machine (which name is localhost, or 127.0.0.1), but inside Docker it will run in its own container, which name is keycloak. Other than the extra configuration, another downside is that when you connect other services outside of docker, they won't be able to leverage the existing identity provider session (i.e. "SSO") since it's on "keycloak" rather than "localhost".

About

Merry Microservices

sdoxsee.github.io/blog/2019/12/17/merry-microservices-an-introduction

Topics

oauth2 microservices typescript keycloak create-react-app authorization spring-security openid-connect oauth2-client oauth2-resource-server spring-webflux spring-cloud-gateway react-hooks spring-data-r2dbc

Resources

Readme
Activity

Stars

9 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

3 tags

Packages

No packages published

Languages