Securing Jakarta EE Applications with OIDC and Keycloak

Security

Introduction

Security is a paramount concern for modern web applications. Protecting sensitive data and user access necessitates a standardized approach. The OpenID Connect (OIDC) protocol, in conjunction with Identity Providers (IdPs) like Keycloak, and the Jakarta Security API integrated into Jakarta EE, offer a reliable solution. Together, they help streamline authentication and authorization in your Jakarta EE applications.

Understanding OpenID Connect (OIDC)

  • Origins: OIDC builds on the foundation of OAuth 2.0 (an authorization protocol) to provide a streamlined authentication layer. It simplifies login processes without you needing to reinvent the security wheel.
  • Benefits:
    • Standardisation: Promotes interoperability and predictable integration among systems.
    • Security: Employs token-based authentication for enhanced protection.
    • SSO: Single Sign-On capabilities improve user experience.
    • Rich Identity Data: Simplifies retrieving details about the logged-in user.

Keycloak: An Open-Source Identity Provider

Keycloak is an open-source Identity and Access Management (IAM) solution. It allows you to easily secure any kind of applications by providing comprehensive authentication and authorization services.

Advantages

Keycloak streamlines security management with its intuitive admin console, simplifying tasks like user management, role definition, and protocol configuration. It supports a wide range of authentication options, including social logins (Google, Facebook, etc.) and multi-factor authentication (MFA), for enhanced security. Beyond that, Keycloak introduces Single Sign-On (SSO) capabilities, enabling users to access multiple applications seamlessly with a single set of credentials. As an open-source project, Keycloak benefits from an active community dedicated to improving and extending its capabilities.

Integrating Keycloak with Jakarta EE

The Jakarta Security 3.0 specification, introduced in Jakarta EE 10, makes working with OpenID Connect (OIDC) a natural fit within your Jakarta EE applications. The central piece here is the @OpenIdAuthenticationMechanismDefinition annotation, which allows you to declare and configure your OIDC settings. MicroProfile Config adds flexibility, enabling you to tailor your security setup based on the deployment environment.

Securing Resources

Keycloak integrates with Jakarta EE for fine-grained authorization. The @RolesAllowed annotation allows you to protect specific classes or methods based on user roles. For legacy applications or more general protection, you can use the traditional web.xml configuration mechanisms.

Example: Securing a REST Endpoint

@Path("/rating")

@RolesAllowed("CAN_VOTE")
public class SessionVoteResource {

}

Accessing User Information

  • Injected Beans:
    • OpenIdContext: Provides token details and user claims.
    • SecurityContext: Offers programmatic security checks (roles, etc.).
@RequestScoped

public class AuthController {

   @Inject 
    OpenIdContext openIdContext;

   public String getCurrentUserName() {
        return openIdContext.getClaims().getName().orElse(null); 

    }

}

Conclusions

OIDC, Keycloak and Jakarta Security form a great trio for application security in the Jakarta EE ecosystem. The streamlined integration and flexibility offered by this combination make it an excellent choice for protecting your applications. To dive deeper into these concepts and implement best practices, be sure to grab a copy of our free guide, “Securing Jakarta EE Applications with OIDC and Keycloak.”

Also, download Payara Community, start exploring, and enhance the security of your applications today!

 

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

Related Posts

Blue background with coral and fish. Left text: 'MONTHLY CATCH'. Right: laptop screen with tech tabs and Payara Community logo. 3 minutes
Community

The Payara Monthly Catch -September 2025

Welcome aboard the September issue of The Monthly Catch! With summer holidays wrapping up, the Java world is back […]

Payara Qube-Cloud Light banner 4 minutes
Security

Zero Trust Security in Enterprise Java: What it is and How to Implement it

Cybersecurity isn’t just about building walls, fortresses, moats or any other external barrier anymore. Nowadays, it’s important to check […]

JBoss ELS Decoded 5 minutes
Migration

JBoss ELS Decoded: What Extended Lifecycle Support Really Means for Your Java Applications​

If your Java EE 8 applications run on Red Hat JBoss Enterprise Application Platform (EAP) 7, you can’t afford […]