Well, hello and welcome to another DevNation Live. It is exciting to have you all here today. We have a very large crowd and I'm very happy to have Sebastian Blanc with us. He's coming to us from France. And I know from several previous sessions that you folks come from all over the world. So I'm super excited about that. It's fun to see folks coming in from Africa and Asia and all parts of Europe and Latin America and throughout the Americas in general. So I welcome you all to this session and we're gonna dive right in. He's gonna take us into Keycloak land and show us how to build secured applications, on Spring Boot specifically. So let's get started. Sebastian, take it away.

Hi everyone. So thank you very much for attending my session. As Burr said, it's really exciting to know that there are people from all around the world here. So let's get started. Let me share my screen. Okay, let's go and let's move to my slides. And here we go now. So let me just quickly introduce myself. I'm Sebastian Blanc. I've been working for Red Hat for five years now and I'm part of the Keycloak team. You can follow me on Twitter; you can see my Twitter handle here. I'm based in the southeast of France. Usually it's really hot and sunny, but since yesterday it's been snowing. You cannot imagine how crazy it is, and I'm so happy to be a remote worker right now. Okay, so I'm going to talk to you about security. Yeah, security. Well, it can sound a bit boring and complicated, but whatever project you are building, there will be a moment when you have to tackle security, when you have to add an authentication flow, when you have to manage users. And believe me, if you do that by yourself you will do it wrong. What we really want is to delegate our security. Just like Kim does: she delegates her security to a bodyguard. So that is exactly what we want to do.
We want to delegate all our security matters to a server that will handle that for us. And that is exactly what Keycloak is. So Keycloak is what we call an identity and access management solution. Okay, so it's a server that you deploy, and then any app, frontend app or backend app, can connect to it and delegate its authentication flows, user management flows, et cetera. Of course, it's open source like all the Red Hat products, and you will see in the demo how easy it is to set it up and secure applications. But to give you the big picture of how Keycloak works, I have here this small, funny image. So the main concept of Keycloak is to secure realms. "Realms" is always a difficult word for me to say in English. I talk about territories. So you say to Keycloak, here's a territory and you have to secure it. And on this territory you have different applications. Could be a microservice, a web app. And here on this picture we see them represented as cities. So here in the north we have JEE land, or should we name it Jakarta land. It's a place where people don't really want to go. We are not sure why. On the contrary, here we have, on the seaside, Angular land. That's the place to go. Everyone wants to go there. And here we have microservices land. We are not sure what is happening there. And of course in the middle we have the king of the world, Node.js land. And what happens? You are the user and you arrive with your boat and you navigate to Angular land. So basically you open your browser and you browse to a web app. And you arrive here and what happens? Well, you have border control.

And we lost your screen share for about the last 20 seconds or so. So maybe 30 seconds. So if you wouldn't mind, try to exit screen share and reshare. And then go back in time about 45 seconds.

Okay, okay. Let me do that again.

Because I think you exited the slides and went to demo mode and we lost that.

Okay, do you see the slides now?

Yep, we see that.
Okay, so let's hope it stays this way. Okay, so 30 seconds. So I was explaining that the user browses to a web app, Angular land here. Is that more or less where it was cut? And here you arrive and you have border control. And since I'm not authenticated, I get a redirect. And they say, hey, Mr. Sebastian, you are not authenticated. Please go to the Keycloak island to get authenticated. And when I say you get a redirect, you really get an HTTP redirect. And you are redirected to Keycloak. And there you are presented with a login form. And here you enter your credentials. And if everything is okay, you get a stamp on your passport and you can go back to the island to visit all the cities. This stamp that you get on your passport is not just a randomly generated token. It's more than that. It's a token that contains a payload. And we call this token a JWT, for JSON Web Token. So I won't spend too much time on that because I want to keep time for the demo. But basically a JWT is a token that contains all the information that is needed by the different applications to check if you have the correct role, if you are still connected and stuff like that. A JWT always has a header; that's not really the interesting part. The interesting part is the claims. So the claims, that is really the payload of your token. You have some mandatory fields, but you can add any custom payload that you want. And once you have this, Keycloak will sign this token. And how will it sign this token? Well, Keycloak has a private key and a public key. It will use its private key to make the signature of the token. And that means that if anyone wants to take your token and change something in it, well, the signature won't be valid anymore. This is how the token looks once it's compressed, and when an app receives this token, it has to verify the signature. And how does that happen? Well, the application has access to the public key of Keycloak.
And it will use this public key to verify the signature of the token. If it's okay, we can move on with the request. Okay, so that is basically how Keycloak works. Quickly, before moving to the demo: Keycloak is an out-of-the-box solution, you can just unzip the server and you're ready to go. I already mentioned it's open source. By default, we try to push forward the OpenID Connect protocol, but in case you still have apps working with SAML 2 or Kerberos, we also support that. If you want to add some social login, like Facebook or GitHub, you can do that by clicking on the button for Facebook or GitHub or Twitter, whatever. It's just a matter of a few clicks. And you have user federation. Imagine you have an LDAP server running in your organization. Well, with Keycloak, you can bridge to this LDAP. SSO, single sign-on, means that if you are logged in to one app and you open another tab in the same realm, you don't have to log in again. With SPIs, that means interfaces and classes that you can extend to create your own Keycloak extensions. User account management means that a user that is connected also has access to his own profile to reset his password, change his user details, et cetera. Besides that, we have public key rotation, brute force detection. Another really cool one is one-time password, if you want to add an extra layer of security to your authentication process. And we have a complete authorization layer. I could talk a whole day about authorization, but just so you know, if you want really fine-grained authorization, we have that, okay? Just a few words. We were recently added to the ThoughtWorks Technology Radar. And we are really happy about that. That's a great sign. And that means that our product is popular, and we can see it with the community really growing fast. I have my last slide with all the interesting links. I will come back to this slide at the end of my demo so you can read all the interesting stuff.
So time for the demo now. And what we are going to do is secure a Spring Boot application, okay? A really simple Spring Boot application. And I want to bring you through the whole journey of someone that discovers Keycloak for the first time. Where does it start? And how does he secure his application with it? So the journey starts on keycloak.org, simply. You just go to the download tab and grab the latest Keycloak server, the zip. You unzip it and you start it, okay? And that is what I did just before the session. I started my Keycloak server here. You can see it's running. And I will access the admin console to configure our realm. So I go to the URL of my Keycloak. And since it's the very first time that I connect, I need to create an admin user. So let's make a really secure admin user. Here we go. And now I can access my Keycloak console. Let me log in. Here we go. So this is my Keycloak console. Here I can create realms. I can create my users, my roles. I can define my login screens. I can do everything I want. The first thing we really want to do is to create a new realm, a new territory. So let's go here and let's create a territory called DevNation. Okay, here we go. And now the second thing I need to do is to declare, to configure, a client. So what is a client in Keycloak? A client in Keycloak is whatever app it will secure. So a client could be a backend app, a frontend app, a microservice, whatever. It's a client for Keycloak. So here let's create a new one. And I will call it the product app, because the Spring Boot app that we are going to secure is called the product app. I save it. And here I come to the detail screen and I can keep all the defaults. As you can see here, we are using OpenID Connect. It's a public client, and there's just one field that I need to fill in, the redirect URL. So when my app redirects to the Keycloak login screen, Keycloak needs to redirect back to my app.
And that is the field I need to enter here. So my app will be running on localhost, port 8080. Okay, so my client is configured. Next step, we want to create a role for our users. So I go here in roles, and all I need to do is click here on add role, and let's make a really simple role called user. Save it, okay. And the last step, and then we can move to the application, is to create a user. So let's go in the users tab and here I do add user, and the only mandatory field here is the username. You can fill in the other stuff if you want, but for the demo, let's keep it to the username. Let's create a user called Sebi. We save it. Sebi is my nickname, by the way. Credentials: by default, your users don't have any credentials. You need to create some default credentials. So let's create a default credential for him, a password. And here I switch off this toggle. If I leave it on, the first time you connect, you have to change the password. But here for demo purposes, I switch it off. We set the password, okay. And the last thing is to assign the role user to Sebi. Okay, we're good to go now. My Keycloak server is configured. So you saw, it took me four minutes to configure the realm. Let's go now to the app. Let me show you the app that we are going to secure. So it's a really simple Spring Boot app. It's a Spring MVC app with a landing page, a really simple landing page, as you can see, with one link to my products. And my products, let's take a look here. It's a template and it will iterate through a list of products. And that is the page that we want to secure. If we take a look at the code, it's a really simple Spring Boot app. As you can see here, I declare it as a Spring Boot app and I have just one controller with a mapping, a GET mapping to products, where I put a hard-coded list of products in my model. Okay, and logout, we will see that later. And that's all I have. So before securing it, let's just run it and make sure it's working. Okay, so here my app is starting. Let me go to the browser.
Let me open an incognito window, for instance. And I just go to port 8080. And here you can see my awesome landing page. You can see my CSS skills here as well. And if I go to my products, well, I have a list of products. Okay, fantastic, my app is working. Now let's secure this app. Let's go back to the code. So the first thing I need to do if I want to secure my app with Keycloak is to add a Keycloak dependency. If you know Spring Boot a bit, you know that Spring Boot has the concept of starters, which are meta-dependencies that bring in a lot of functionality. The good news is that there is a starter for Keycloak. So you can see here, all I need to do is add this Keycloak Spring Boot starter. Just one moment, even better: if you are creating a new app from scratch, you will probably be using the Spring Initializr. Well, really good news here, because if you want an app with web, okay. But look, you can also add Keycloak here. So Keycloak is present on start.spring.io. That was just to mention that. But of course, for demo purposes, I already built the app, otherwise I wouldn't be able to do that in 30 minutes. Okay, now we need to configure Keycloak. Well, the Keycloak starter. Let me go here. I can remove this, because now I want Keycloak. So here I want to add some fields, and you can see that we also have some completion, which is really nice. So the first thing I need to tell my app is where my Keycloak server is running. So let me type here the Keycloak server URL. And then I need to tell it which realm my app belongs to. Well, we had called this DevNation, okay. And then the resource is the client. What is my client called? Well, it's product app. And the last thing, we just want to mention it's a public client, it's true. Okay, these are the mandatory fields, but I haven't specified any security constraints yet. Now I need to tell the underlying servlet container which path it needs to secure.
And just like you would do it in a web.xml in a Java EE app, where you define security constraints. Well, with Spring Boot, you can do that here directly in the properties file. And the really important line is this one here. Basically I define a security constraint and I say any call to this URL must be authenticated and it must have the role user, okay. And I'm done. Now I can start my application again. And you saw, I didn't change a single line of my code. I just added properties. So let me go back to the application. Let me go back to my landing page. And now if I click on my products, you can see that I have been redirected to the Keycloak server. Here I'm not on my app anymore. I am on the login screen of Keycloak. And well, here I can try to log in with the user I created before. Save, save, login. And here we go. Now I'm on my secured page. And if I log out, and let me show you how the logout works, because it's really easy. If you take a look at the logout here, well, it's just a matter of injecting the HttpServletRequest and doing a logout, okay. So if I go back to my app now, let's take a look at this screen. Let's imagine we want to, it's a really basic login screen. We want to add some stuff to it. So let's go back to our console, which is here. And in my realm settings, there's this tab called login here. And here I can tweak my login screen. So imagine I want some user registration. I want a link to reset my password if I lost it. I want remember me, okay. I just save that. And if I go back here to my login screen and I refresh it, you can see now I can register as a new user. I've got remember me. Okay, let's go a step further. I want some social login. So I guess that you are all developers. So you probably all have a GitHub account. So if I go here in user federation, I can add a provider, oh, sorry, identity provider, sorry. I can add a lot. You see, they're all there, Twitter, Facebook, Google. Let's add a GitHub provider.
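The properties-file configuration described in the talk at this point, written out as an added example; it is not the file from the original page or from the speaker's repository. It uses the keys of the Keycloak Spring Boot starter. The Keycloak port (8180), the realm name `devnation`, the client ID `product-app` and the `/products/*` pattern are assumptions for the example; the demo only says the app runs on 8080 and that the realm and client are called DevNation and the product app.

```properties
# Added example: Keycloak Spring Boot starter settings for the product app.
# Assumption: Keycloak listens on localhost:8180; the Spring Boot app itself is on 8080.
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=devnation
keycloak.resource=product-app
keycloak.public-client=true

# Optional: make Principal.getName() return the username instead of the user id
# (the "hello <id>" versus "hello <username>" difference shown later in the demo).
keycloak.principal-attribute=preferred_username

# Security constraint, the equivalent of a web.xml <security-constraint>:
# every request under /products must be authenticated AND carry the realm role "user".
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
```

Two things a practitioner will want to check. First, the adapter does not need the realm's public key pasted into the file: it downloads the signing keys from the realm and follows key rotation, whereas setting `keycloak.realm-public-key` pins one key and breaks rotation. Second, for a pure backend such as the product microservice on port 8081 shown later, add `keycloak.bearer-only=true` in that service's own properties so that an unauthenticated call gets a 401 instead of a redirect to the login page, which is the behaviour the demo relies on.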
Here I just put dummy values, but you should put the real values of the client that you create in GitHub. Save that. And if I go back to my login screen here, you see, I can now use GitHub. Okay, so let me check the time. Okay, I'm running a bit late. I want to move forward. So you saw how easy it is to secure a Spring Boot app. Now, if you are a Spring Boot user and you are doing security, there's a big chance that you want to use Spring Security. Right? Well, I have some good news, because Keycloak also has a really good integration with Spring Security. So if I go to my pom here, I just need to add one dependency, and it's just a dependency from Spring Boot itself. It's the security starter. That's what brings in the Spring Security source, okay? That is all I needed to do. And if you know a bit about Spring Security, you know that you have to write your own security config class that configures your security. The good news is that Keycloak has its own security class that already extends the one from Spring Security, okay? So you just have to extend this KeycloakWebSecurityConfigurerAdapter and that's it. I won't go through the details here. It's not really exciting. The interesting part here is the configure method, and here, just the same as we did in the properties, I just say, well, any call to products should be authenticated with the role user, okay? And that's pretty much all I need to do. What I can also do here is remove this constraint, because it's now Spring Security that is handling that. Let me restart this app, and the result should be not that exciting. It will be just the same as before, but the difference now is that Spring Security has been handling my authentication flow. So here if I log in, you can see again that I'm logged in. Okay, so let me show you how I can really easily, for instance, inject my principal. Imagine I want to print out the username that is logged in. Okay, so how could I do that?
Well, here in my getProducts method, I could just inject my principal, and here I put that in my model as an attribute, and I call it username, and then it's my principal and its getName, okay? And by default, it will show me the ID of my user, because you have to specify it if you want something else, the username itself. So let me just change the template here, the products template, and here instead of "my products" it's "hello" and here I print my username, okay? So I save that, and if I restart my app and I go back to my landing page, you can see hello, well, here it's the ID, but it's just a matter of adding a property in the config file to specify that you want the name to be printed out. I'm running a bit out of time, so I skip this part. I have five minutes to show you something really exciting. What we're doing here, we're returning a hard-coded list, and that is bad. What we would like here instead is another service, a microservice, that returns us a list of products, okay? And I'm going to try to show you how a Spring Boot app can call another app, in this case a microservice, in a secure way. And again, it's pretty easy to achieve. So first let's take a look at the other app. The other app is also a Spring Boot app. Just for fun, I made it in Kotlin, because it's really easy to create apps in Kotlin. And here, again, it's just one mapping that returns products. And here, just to make sure they are different products, it returns a Windows Phone and a BlackBerry. And I define here the same security constraints as you saw before, and it's running on another port. Okay, so I'm running my app here, and let's just make sure. If I go to localhost 8080. Whoa, it was freezing. Come on, localhost 8081 slash products. Okay, that's good news, because I got an unauthorized here. That means that my service is secured. It should only work if it's called with a valid token. So let's change our product app so it calls this service.
If you are used to Spring Security and Spring Boot apps, you probably know about the RestTemplate. RestTemplate is a class that makes it easy to make REST calls. Well, the good news again is that we have just the same. We have a KeycloakRestTemplate that you can use for this. So if I go here and I put my KeycloakRestTemplate, I can inject my template. And now instead of doing that, what I will do here is call my Kotlin service running here and put the response body in the model here. Okay, so let me restart this app. And now, if you understood well what happened, I should make a call to my Kotlin app passing the token that I got when I authenticated myself. But because of the KeycloakRestTemplate, I don't have to deal with it. I just do a get here. Okay, so let's make sure. Let's log out. Let's go to my products, and here you go, you see, I got here my Windows Phone and BlackBerry. That means that I've been able to make a call to my Kotlin service that was running here and that is secured by default. Okay, so I have pretty much shown what I wanted to show you. I know it's a lot of stuff, but if I go back here to my last slide, so if you want to, I have a blog post about what I just showed here. So if you go here, you will see the whole story that I just showed you in a blog post. I have a GitHub repo that shows that, that you can just fork and play with. More generally, if you want to start with Keycloak, as I showed you, you should start on the keycloak.org page. We have a download page to download the Keycloak server. Of course, we have awesome documentation. And if you have any question, we are doing that the old-school way, but it's the best way, in my opinion: we have a mailing list. We don't have any chat or something like that. Just subscribe to the mailing list and ask us questions there.
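The Spring Security variant of the demo, covering the three pieces the talk describes in order: the config class extending KeycloakWebSecurityConfigurerAdapter, the controller that injects the Principal, and the KeycloakRestTemplate that forwards the caller's token to the product service. This is an added example using the Keycloak Spring Security adapter's public classes; it is not the code from the talk's repository or blog post. The package name, the `/products*` matcher, the product service URL on port 8081, and the assumption that the service returns a JSON array of product names are mine; the three classes would normally live in three files.

```java
package com.example.productapp;  // assumed package name

import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory;
import org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

/** Spring Security wiring for the Keycloak adapter; replaces the keycloak.security-constraints properties. */
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    private KeycloakClientRequestFactory keycloakClientRequestFactory;

    // Registers the Keycloak authentication provider. SimpleAuthorityMapper prefixes the realm
    // roles with "ROLE_", so the Keycloak role "user" becomes "ROLE_user" and hasRole("user") matches.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);  // installs the Keycloak filters and the /sso/logout handler
        http.authorizeRequests()
            .antMatchers("/products*").hasRole("user")  // same rule as the properties version
            .anyRequest().permitAll();                  // the landing page stays public
    }

    // RestTemplate that adds "Authorization: Bearer <token>" of the current user to each call.
    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }
}

/** Lets the Spring Security adapter read keycloak.* from application.properties instead of keycloak.json.
 *  Declared in its own configuration class to avoid a circular bean reference with SecurityConfig. */
@Configuration
class KeycloakConfigResolverConfig {
    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

@Controller
class ProductController {

    private final KeycloakRestTemplate keycloakRestTemplate;

    ProductController(KeycloakRestTemplate keycloakRestTemplate) {
        this.keycloakRestTemplate = keycloakRestTemplate;
    }

    @GetMapping("/products")
    public String products(Principal principal, Model model) {
        // The JWT issued at login is forwarded to the product service, which verifies the same
        // signature against the realm's public key; no manual token handling is needed here.
        // Assumption: the service on :8081 answers with a JSON array of product names.
        ResponseEntity<String[]> response =
                keycloakRestTemplate.getForEntity("http://localhost:8081/products", String[].class);
        List<String> products = Arrays.asList(response.getBody());
        model.addAttribute("products", products);
        // Subject id by default; the username if keycloak.principal-attribute=preferred_username is set.
        model.addAttribute("username", principal.getName());
        return "products";
    }
}
```

Two caveats worth knowing before copying this. The adapter's `super.configure(http)` wires logout at `/sso/logout` (with a handler that also ends the Keycloak session), so a controller that only calls `HttpServletRequest.logout()` as in the properties-based version should be replaced by a link to that URL once Spring Security is in charge. And the product service must run with its own Keycloak configuration (ideally `keycloak.bearer-only=true`), because the security of the call rests on that service verifying the forwarded token's signature, issuer and expiry itself rather than trusting the caller.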
If you want to see other quickstarts, not only Spring Boot but maybe Java EE or Node.js or whatever, we support a lot of technologies. Just go to the quickstart repo and you will find repos you can just fork to play with different use cases. And I think I'm done. So let me go back here. Let me stop my screen share and I...

Awesome, that is super cool. Actually, I provided the link to your slide deck, which means dozens of people have already jumped on it. But let's do this. There are a lot of questions, but we're gonna just rapid-fire them. You just give a quick answer. OAuth, right? That's good. No problem there?

No problem, yeah. OpenID Connect is just a layer above OAuth 2. So yeah, we provide... Yeah, Keycloak can act as an OAuth 2 server.

Okay, Spring Boot 2, any concerns there?

Oh yeah, I forgot. Yeah, so maybe people knew that today Spring Boot 2 was released, that was big news. Well, I have some good news, because we have a pull request that has been open for a few weeks. And each time there's a new release candidate, I'm updating the pull request. And this morning I used the final release and it's still working. So there's more polishing to do, but expect the Spring Boot 2 adapter in the next Keycloak release as well. And I think it's in three weeks that we will make a release, so yeah.

Okay, so we gotta go a little faster. The answers have to be like two words. Where does Keycloak store data?

Whatever you want, MySQL or Postgres by default.

Okay, fantastic. And if I use social login, does that user get created in that database?

You can choose to, yes or no. You can configure that if you want.

Okay, what about FIDO U2F?

FIDO, okay. To be honest, I cannot tell anything about it, but yesterday we had the team meeting and there was some discussion on this topic. So we are doing stuff around it. I cannot tell more. You should reach out on the mailing list for more information.

And how about PAM, P-A-M?

PAM, P-A-M. What is that again?
I don't remember, sorry.

I don't know that one either. I was hoping you did. I don't know that one either, all right. Again, we can reach out on the mailing list then. Yeah, we're out of time, unfortunately. We did add the presentation link in the chat. Also, there were some questions around how to theme the login screen and all that. We added those URLs to the chat so you guys can see how to theme it. We also added the URL to the LDAP and AD integration, because that was a common question. Please do hit Sebi up on Twitter. That's where you can find him. Hit me up on email or Twitter and we'll try to get more of your answers to you in the future. But thank you so much for your time today, all of you. We had several hundred of you on this call, and I know there were some bandwidth issues for some of you watching, but also dozens joined the slide deck, so I know that actually went through. Sebi, awesome job on the demonstrations, as always. Thank you so much for that.

Thank you.

All right, and thank you all and have a great day.