feature/Add property integrate_with_keycloak

2026-02-06 16:56:56 +00:00 · 2025-01-24 16:46:40 +01:00 · 2025-01-24 16:46:40 +01:00 · 54044cce69
commit 54044cce69
parent f08dbfa6ed
3 changed files with 40 additions and 16 deletions
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@ -764,14 +764,22 @@ display_internal_errors=false
 # URL of Public server JWK set used for validating bearer JWT access tokens
 # It can contain more than one URL i.e. list of uris. Values are comma separated.
 # oauth2.jwk_set.url=http://localhost:8080/jwk.json,https://www.googleapis.com/oauth2/v3/certs
+# ------------------------------------------------------------------------------ OAuth 2 ------
+
+# -- Keycloak OAuth 2 ---------------------------------------------------------------------------
+# integrate_with_keycloak = false
 # Keycloak Identity Provider Host
 # oauth2.keycloak.host=http://localhost:7070
+# Keycloak access token to make a call to Admin APIs
+# keycloak.admin.access_token =
+# Keycloak Identity Provider Realm (Multi-Tenancy Support)
+# oauth2.keycloak.realm = master
 # oauth2.keycloak.well_known=http://localhost:7070/realms/master/.well-known/openid-configuration
 # Used to sync IAM of OBP-API and IAM of Keycloak
 # oauth2.keycloak.source_of_truth = false
 # Resource access object allowed to sync IAM of OBP-API and IAM of Keycloak
 # oauth2.keycloak.resource_access_key_name_to_trust = open-bank-project
-# ------------------------------------------------------------------------------ OAuth 2 ------
+# ------------------------------------------------------------------------ Keycloak OAuth 2 ------

 # -- PSU Authentication methods --------------------------------------------------------------
 # The EBA notes that there would appear to currently be three main ways or methods
--- a/obp-api/src/main/scala/code/api/util/KeycloakAdmin.scala
+++ b/obp-api/src/main/scala/code/api/util/KeycloakAdmin.scala
@ -2,21 +2,23 @@ package code.api.util


 import code.api.OAuth2Login.Keycloak
+import code.model.{AppType, Consumer}
 import net.liftweb.common.{Box, Failure, Full}
 import okhttp3._
 import okhttp3.logging.HttpLoggingInterceptor
 import org.slf4j.LoggerFactory


-object KeycloakAdmin extends App {
+object KeycloakAdmin {

  // Initialize Logback logger
  private val logger = LoggerFactory.getLogger("okhttp3")

+  val integrateWithKeycloak = APIUtil.getPropsAsBoolValue("integrate_with_keycloak", defaultValue = false)
  // Define variables (replace with actual values)
  private val keycloakHost = Keycloak.keycloakHost
-  private val realm = "master"
-  private val accessToken = ""
+  private val realm = APIUtil.getPropsValue(nameOfProperty = "oauth2.keycloak.realm", "master")
+  private val accessToken = APIUtil.getPropsValue(nameOfProperty = "keycloak.admin.access_token", "")

  def createHttpClientWithLogback(): OkHttpClient = {
    val builder = new OkHttpClient.Builder()
@ -30,19 +32,29 @@ object KeycloakAdmin extends App {
  // Create OkHttp client with logging
  val client = createHttpClientWithLogback()

-  createClient(
-    "my-consumer-client",
-    "My Consume",
-    "Client for accessing API resources",
-    isPublic = false
-  )
-
+  def createKeycloakConsumer(consumer: Consumer): Box[Boolean] = {
+    val isPublic =
+      AppType.valueOf(consumer.appType.get) match {
+        case AppType.Confidential => false
+        case _ => true
+      }
+    createClient(
+      clientId = consumer.key.get,
+      secret = consumer.secret.get,
+      name = consumer.name.get,
+      description = consumer.description.get,
+      redirectUri = consumer.redirectURL.get,
+      isPublic = isPublic,
+    )
+  }
  def createClient(clientId: String,
+                   secret: String,
                   name: String,
                   description: String,
+                   redirectUri: String,
                   isPublic: Boolean,
                   realm: String = realm
-                  ): Unit = {
+                  ) = {
    val url = s"$keycloakHost/admin/realms/$realm/clients"
    // JSON request body
    val jsonBody =
@ -50,14 +62,15 @@ object KeycloakAdmin extends App {
        |  "clientId": "$clientId",
        |  "name": "$name",
        |  "description": "$description",
+        |  "redirectUris": ["$redirectUri"],
        |  "enabled": true,
        |  "clientAuthenticatorType": "client-secret",
        |  "directAccessGrantsEnabled": true,
        |  "standardFlowEnabled": true,
        |  "implicitFlowEnabled": false,
        |  "serviceAccountsEnabled": true,
-        |  "publicClient": false,
-        |  "secret": "$isPublic"
+        |  "publicClient": $isPublic,
+        |  "secret": "$secret"
        |}""".stripMargin

    // Define the request with headers and JSON body
--- a/obp-api/src/main/scala/code/snippet/ConsumerRegistration.scala
+++ b/obp-api/src/main/scala/code/snippet/ConsumerRegistration.scala
@ -27,9 +27,8 @@ TESOBE (http://www.tesobe.com/)
 package code.snippet

 import java.util
-
 import code.api.{Constant, DirectLogin}
-import code.api.util.{APIUtil, ErrorMessages, X509}
+import code.api.util.{APIUtil, ErrorMessages, KeycloakAdmin, X509}
 import code.consumer.Consumers
 import code.model.dataAccess.AuthUser
 import code.model.{Consumer, _}
@ -176,6 +175,10 @@ class ConsumerRegistration extends MdcLoggable {
          oAuth2Client
        })
      }
+
+      // In case we use Keycloak as Identity Provider we create corresponding client at Keycloak side a well
+      if(KeycloakAdmin.integrateWithKeycloak) KeycloakAdmin.createKeycloakConsumer(consumer)
+
      val registerConsumerSuccessMessageWebpage = getWebUiPropsValue(
        "webui_register_consumer_success_message_webpage", 
        "Thanks for registering your consumer with the Open Bank Project API! Here is your developer information. Please save it in a secure location.")