DEV Community: OUMERZOUG Haïtham

Coders, Software Engineers & AI: Building the Future Together

OUMERZOUG Haïtham — Wed, 18 Jun 2025 17:01:23 +0000

Introduction:

In today's fast-moving tech world, the line between coders and software engineers is becoming increasingly blurred, and AI is at the heart of this shift.

Whether you're building simple scripts or architecting entire platforms, AI tools like GitHub Copilot, ChatGPT, Claude and other intelligent assistants are transforming how we write code, design systems, and solve problems. These tools are not just helping with automation; they're reshaping the very nature of software development.

As companies race to innovate faster and more efficiently, it's crucial to understand the difference between coders and software engineers, and how AI is bridging the gap, elevating both roles into something more powerful and collaborative than ever before.

1. Who is a Coder?

A coder is someone who writes code, and often focusing on solving specific tasks or implementing distinct functionalities. Their primary strength is in syntax, logic, and understanding programming languages.

Example: A coder may be asked to build a login form, landing page or automate a repetitive task using Python.

2. Who is a Software Engineer?

A software engineer takes a broader, more strategic approach to building software systems. They apply engineering principles to design, develop, test, and maintain scalable and robust software solutions, solve complex problems, manage large codebases and ensure reliability and performance.

Example: A software engineer may design and build the entire authentication system for a platform, considering scalability, security, and maintainability. Basically creating their own version of Keycloak, but with just enough features to regret not using Keycloak in the first place.

3. The Role of AI: Friend or Foe?

AI is rapidly transforming both roles, especially tools like GitHub Copilot, Claude, and other AI coding assistants.

Impact on Coders

AI can accelerate a coder's productivity by:

Suggesting code completions.
Writing boilerplate or repetitive code.
Automating bug fixes.

Impact on Software Engineers

AI becomes a collaborator, not a replacement and :

Helps with code review and documentation.
Assists in prototyping and testing.
Enables focus on higher-level design and problem-solving.

The New Relationship: Coder & Software Engineer & AI

The future of software development is about working together, not replacing people. Coders who learn to think about the bigger picture can grow into engineers, while engineers who use AI can work faster and smarter. AI boosts productivity and accuracy, but it can't replace human creativity, intuition, or deep design skills.

Conclusion:

AI is changing how we build software, bringing coders and engineers closer together. By working with AI, everyone can get more done and focus on what matters most which is creating great software. The future is about people and AI working as a team, not one replacing the other.

The real challenge isn't to fear AI, but to learn how to use it effectively in your work, whether you're writing code or designing complex systems.

About the Author

Created by OUMERZOUG Haitham

Keycloak MCP: Simplifying Keycloak Management Through Model Context Protocol

OUMERZOUG Haïtham — Tue, 27 May 2025 21:44:01 +0000

Have you ever wished for a more streamlined way to manage your Keycloak users and realms? Today, I'm excited to introduce Keycloak MCP, a Model Context Protocol server implementation that makes Keycloak management more accessible and standardized than ever before.

Like i always say if you're new to Keycloak, check out my previous articles:

Getting Started with Keycloak: Understanding the Basics to understand how to set up and configure Keycloak.
Secure Your RESTful API Using Keycloak Role-Based Access Control to secure you API using RBAC.
Going Deeper with Keycloak: Understanding Authorization Services to understand the basics of Keycloak Authorization Services and how to set up all the necessary configurations.
Integrating KC Authorization Services into NestJS API to apply fine-grained, policy-based access control using Keycloak's authorization features inside a NestJS backend.

So let's get started!

Understanding the Foundations

What is MCP (Model Context Protocol)?

Before diving into Keycloak MCP, let's quickly understand MCP. The Model Context Protocol (MCP) is a standardized communication protocol that enables AI models to interact with external tools and services. Think of it as a universal translator that allows AI models to:

Discover what tools are available
Execute operations with proper validation
Receive standardized responses
Handle errors consistently

An MCP server, therefore, acts as a bridge between AI models and real-world applications, providing a structured way to expose functionality to AI systems.

What is Keycloak MCP?

Keycloak MCP is a specialized server implementation that bridges the gap between Keycloak's administrative capabilities and the Model Context Protocol (MCP). It provides a standardized interface for managing Keycloak users and realms, making it easier to integrate Keycloak management into various development workflows.

Key Features

🚀 User Management: Create and delete users with ease
👥 Role Management: Assign client roles to users
🌐 Realm Operations: List and manage realms effortlessly
👪 Group Management: Handle user groups efficiently
🔑 Client Management: List clients and their roles

Available Tools

Here's what you can do with Keycloak MCP:

User Management

Create new users with full profile information
Delete existing users
List all users in a realm
Add users to groups

Role and Client Management

List available realms
View all clients in a realm
List client roles
Assign client roles to users

Group Operations

List all groups in a realm
Manage user group memberships

and more tools are comming...

Getting Started

Prerequisites

Node.js (Latest LTS version)
npm
A running Keycloak instance

Quick Installation

You can install Keycloak MCP in two ways:

1. Via Smithery (Recommended)

npx -y @smithery/cli install @HaithamOumerzoug/keycloak-mcp --client claude

2. Via NPM

# Direct usage with npx
npx -y keycloak-mcp

# Or global installation
npm install -g keycloak-mcp

Configuration

To configure Keycloak MCP in your environment, add the following to your MCP configuration file:

{
  "mcpServers": {
    "keycloak": {
      "command": "npx",
      "args": ["-y", "keycloak-mcp"],
      "env": {
        "KEYCLOAK_URL": "http://localhost:8080",
        "KEYCLOAK_ADMIN": "admin",
        "KEYCLOAK_ADMIN_PASSWORD": "admin"
      }
    }
  }
}

Feature Demo

Your browser does not support the video tag, check this url : [demo](https://github.com/user-attachments/assets/4b02a049-b8d6-4cc5-a7b4-564a0e758dd8)

Benefits of Using Keycloak MCP

Standardization: Consistent interface for Keycloak operations
Simplification: Reduces complexity in managing Keycloak
Integration: Easy to integrate with existing tools and workflows
Automation: Perfect for automated user management scenarios
Developer-Friendly: Clean API with TypeScript support

Technical Stack

TypeScript for type safety
@keycloak/keycloak-admin-client for Keycloak integration
Model Context Protocol SDK for standardized communication
Zod for robust schema validation

Future Development

The project is actively maintained and welcomes contributions. Some planned features include:

Enhanced role management capabilities
Extended user management features
Extended group management features

Conclusion

Keycloak MCP brings a new level of simplicity to Keycloak management through standardized protocols and intuitive tooling. Whether you're managing a small application or a large enterprise system, Keycloak MCP can help streamline your identity and access management workflows.

What's Coming Next?

Stay tuned for my upcoming articles in this series where I'll cover:

Real-time Updates with SSE:
- Implementing Server-Sent Events (SSE) communication between Keycloak MCP server and clients
- Setting up /sse endpoints for live updates
MCP Security Best Practices:
- Secure credential management
- Safe storage of sensitive information
- Authentication and authorization patterns
- Environment-based configuration strategies

These upcoming articles will help you build more robust and secure implementations with Keycloak MCP.

Resources

Stay tuned, the real fun is just getting started!

About the Author

Created by OUMERZOUG Haitham, Keycloak MCP is an open-source project under the MIT license.

Integrating KC Authorization Services into NestJS API

OUMERZOUG Haïtham — Wed, 30 Apr 2025 22:09:32 +0000

In this article, we are going to connect between Keycloak Authorization Services and a real NestJS API. After setting up all the resources, scopes, policies, and permissions in Keycloak, it's time to see it in action.
We'll integrate Keycloak into our NestJS backend, protect specific endpoints based on permissions not just roles and test everything using Insomnia.

Like i always say if you're new to Keycloak, check out my previous articles:

Getting Started with Keycloak: Understanding the Basics to understand how to set up and configure Keycloak.
Secure Your RESTful API Using Keycloak Role-Based Access Control to secure you API using RBAC.
Going Deeper with Keycloak: Understanding Authorization Services to understand the basics of Keycloak Authorization Services and how to set up all the necessary configurations.

So let's get started!

Application configuration

In this article, we'll build on the API code created in the Secure Your RESTful API Using Keycloak Role-Based Access Control article.

First let's define some constants :

resouces.ts : In this file, we define a list of resources that our application will work with.

export const RESOURCES = {
  USER: 'user',// user resource for /users/* endpoints
};

scopes.ts: In this file, we define all the scopes that represent the actions users can perform on our resources.

export const SCOPES = {
  READ: 'read',
  WRITE: 'write',
  DELETE: 'delete',
};

Now let's update our user.controller.ts file to stop relying on roles and instead use fine-grained permissions with scopes.

import {
  Body,
  Controller,
  Delete,
  Get,
  Param,
  Post,
  Put,
} from '@nestjs/common';
import { Resource, Scopes } from 'nest-keycloak-connect';
import { RESOURCES } from './constants/resources';
import { SCOPES } from './constants/scopes';
import { User } from './models/user';
import { UserService } from './user.service';

@Controller('users')
@Resource(RESOURCES.USER)
export class UserController {
  constructor(private readonly userService: UserService) {}

  @Post('create')
  @Scopes(SCOPES.WRITE)
  createUser(@Body() payload: User) {
    return this.userService.createUser(payload);
  }

  @Put(':userId/update')
  @Scopes(SCOPES.WRITE)
  updateUser(@Param('userId') userId: number, @Body() payload: User) {
    return this.userService.updateUser(userId, payload);
  }

  @Delete('delete/:id')
  @Scopes(SCOPES.DELETE)
  deleteUser(@Param('id') id: number) {
    return this.userService.deleteUser(id);
  }

  @Get('all')
  @Scopes(SCOPES.READ)
  findAllUsers() {
    return this.userService.findAllUsers();
  }
}

Test in Insomnia (or Postman)

Viewer User:

The viewer user, who has the viewer role, is granted access only to the /users/all endpoint, which is protected using the read scope.

If the viewer user tries to access other endpoints, they will receive a Forbidden error.

Manager User:

The manager user, who has the manager role, is allowed to access endpoints protected by the read and write scopes — like viewing all users and creating new ones.

However, if the manager tries to access an endpoint that requires the delete scope, they’ll receive a Forbidden error.

Admin User:

The admin user, with the admin role, has full access to all user-related endpoints, including those protected by the read, write, and delete scopes.

As expected, all authorized requests from the admin user will succeed without any Forbidden errors.

Conclusion

And that's it! In this article, we've integrated Keycloak Authorization Services into a NestJS API and used fine-grained permissions to protect our endpoints. By replacing static role checks, we've unlocked a more powerful and flexible way to handle authorization.

Now your API can enforce access rules more cleanly, and users only get access to what they truly need. Much cleaner, much safer.

If you think the Keycloak series ends here, you're wrong! Next, we'll explore testing additional policy types, moving beyond just roles to enhance authorization flexibility even further.

Feel free to reach out if you have questions or feedback!

About the Author

Created by OUMERZOUG Haitham

Thanks for reading and stay tuned!

Going Deeper with Keycloak: Understanding Authorization Services

OUMERZOUG Haïtham — Tue, 22 Apr 2025 09:56:19 +0000

In the first two parts of this Keycloak series, we covered the fundamentals, how to install Keycloak and get it up and running, and how to secure your RESTful API using Role-Based Access Control (RBAC).

Now we're going to take it one step further.
In this article, we'll explore Keycloak Authorization Services, what they are, how they differ from simple role checks, and how to use them to define fine-grained access control using policies, permissions, and resources.

If RBAC is the "Who can do what", then Authorization Services answer the more complex "Who can do what, under which conditions." Let's get into it.

Recap

If you've been following along, you already know:

Why not just stick with RBAC?

RBAC is a great solution for many use cases due to its simplicity, ease of implementation and understanding. You assign roles to users (like admin, user, or viewer) and control what each role can access.

However, RBAC starts to show its limitations when your access control needs become more dynamic or context-aware like :

You need to restrict access based on ownership (users can only see/edit their own projects).
You want to allow access only during certain times (like working hours).
Access should depend on user attributes (like department or region).
You need to apply different policies to the same role based on context.

If you want to use RBAC to handle that, you'll need to create roles like: access-weekdays-only, admin-si-department, owner-or-manager-except-fridays. That leads to a spaghetti mess of roles, and congrats, you're accidentally reinventing what an Authorization Services was made for.

What Is a Keycloak Authorization Services?

The Keycloak Authorization Services is a feature in Keycloak that helps you control who can access what in your application, but in a smarter way than just using roles.

It does this using four simple building blocks:

Resources: What you're protecting (page, API, file, ...).
Scopes: What actions someone can do (read, write, delete, ...).
Policies: Rules that decide who's allowed (based on roles, groups, time of day, ...).
Permissions: The final rule that puts everything together (combination of resources, scopes, and policies).

So instead of writing all your access rules in your app code, you manage them in Keycloak, so it' clean, organized, and easy to update.

Enough talk, Let's get to the fun part. Time to switch gears and bring those permissions to life in your app!

Enabling Authorization on a Client

In our demo, we'll use the same client from the previous article Secure Your RESTful API Using Keycloak Role-Based Access Control.
To enable authorization go to your client settings in Keycloak and:

Navigate to the Capability config section.
Enable Authorization.
Click on Save.

Boooom!! Your client is now equipped to define advanced access controls.

Defining Scopes

Scopes in Keycloak Authorization represent what can be done to a resource. You can define scopes like:

read
write
delete

These are later used in permissions to grant access selectively.
To create those scopes go to your client settings and :

Navigate to the Authorization tab.
Select Scopes sub-tab.
Click on Create authorization scope.
Set the scope name, (e.g. read).
Click on Save.

Repeat the same actions for all other scopes.

Defining Resources

Think of resources as the actual entities you're protecting. This could be:

An API endpoint.
A Web page.
A Document.

W'll create a new resource named user to protect all user-related endpoints like /users/*.
To create a resource, go to your client settings and follow these steps:

Navigate to the Authorization tab.
Select Ressources sub-tab.
Click on Create ressource.
Set the resource name to something like user
Add a URI pattern for user endpoints, such as /api/users/*.
Select the previously created scopes (read,write and delete).
Click on Save.

In this demo, we'll use a simple role-based policy, which means access will be granted based on user roles we've already defined (like admin, manager, viewer, etc.).

If you’re not familiar with how to create a client role, feel free to check out the previous article: Secure Your RESTful API Using Keycloak Role-Based Access Control, It walks you through the process step-by-step.

To create a role-based policy:

Go to your client settings and navigate to the Authorization tab.
Click on the Policies sub-tab.
Hit Create client policy and select Role as the policy type.
Give your policy a meaningful name, for example:
- admin-role-policy: Includes the admin role (full access).
- manager-role-policy: Includes the manager role (read, create, and update access).
- viewer-role-policy: Includes the viewer role (read-only access).
Under the Roles section, select the matching role for each policy.
Click Save.

Policies can be configured with positive or negative logic. Briefly, you can use this option to define whether the policy result should be kept as it is or be negated.

For example, suppose you want to create a policy where only users not granted with a specific role should be given access. In this case, you can create a role-based policy using that role and set its Logic field to Negative. If you keep Positive, which is the default behavior, the policy result will be kept as it is.

Defining Permissions

A permission associates the object being protected and the policies that must be evaluated to decide whether access should be granted.
For example:

Allow users with manager role to edit users.

In this demo, we'll create permissions associated with the defined scopes (read, write, and delete). Permissions are used to link resources, scopes, and policies together, they define who can do what on which resource.

To create a permission:

Go to your client's Authorization tab.
Select the Permissions sub-tab.
Click on Create permission and choose Scope-Based as the type.
Give your permission a meaningful name (e.g., User Read Permission).
Under Resources, select the resource you created earlier (user).
Under Scopes, choose the relevant scope (read, write, or delete).
Under Policies, select the policy that matches the role allowed to perform this action (e.g., viewer-role-policy for read access).
Set the Decision strategy to Affirmative.
Click Save.

Repeat this process for each scope and link it with the appropriate policy:

read => viewer-role-policy
write => manager-role-policy or admin-role-policy
delete => admin-role-policy

When associating policies with a permission, you can also define a decision strategy to specify how to evaluate the outcome of the associated policies to determine access.

Unanimous : The default strategy if none is provided. In this case, all policies must evaluate to a positive decision for the final decision to be also positive.
Affirmative : In this case, at least one policy must evaluate to a positive decision for the final decision to be also positive.
Consensus : In this case, the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative decisions is equal, the final decision will be negative.

This setup ensures only the right roles can perform specific actions on the user resource.

Evaluating and Testing Policies

When designing your policies, you can simulate authorization requests to test how your policies are being evaluated.

You can access the Policy Evaluation Tool by clicking the Evaluate tab when editing a resource server. There you can specify different inputs to simulate real authorization requests and test the effect of your policies.

For example, we want to test and evaluate whether a viewer user has access to the read scope of the user resource.

The result :

Conclusion

And that's it! You've now seen how powerful Keycloak's Authorization Services can be, no more spaghetti roles or complex permission logic scattered across your codebase. Instead, you have a clean, centralized way to manage access, based on real-world rules.

In the next article, we'll take this setup and integrate it with a NestJS app, so you can see how everything works together in action.

Stay tuned, the real fun is just getting started!

About the Author

Created by OUMERZOUG Haitham

Secure Your RESTful API Using Keycloak Role-Based Access Control

OUMERZOUG Haïtham — Thu, 13 Mar 2025 23:20:28 +0000

When building a REST API, security is a top priority. One of the best ways to manage authentication and authorization is by using Keycloak, an open-source Identity and Access Management (IAM) solution. In this guide, we will walk through how to secure a REST API using Keycloak's Role-Based Access Control (RBAC).

If you're new to Keycloak, check out my previous article: Getting Started with Keycloak: Understanding the Basics to understand how to set up and configure Keycloak.

What is Keycloak RBAC?

Role-Based Access Control (RBAC) is a method in which users are assigned roles, and these roles determine the resources they can access. A resource can be a set of one or more application endpoints or a traditional web page (HTML page).

By integrating this method into your RESTful API ecosystem, you can ensure that only authorized users have access to your resources and protect sensitive data.

In this article, we will walk through a step-by-step process to secure a Nest.js RESTful API using Keycloak. This includes setting up an application client and configuring authentication and RBAC for your API endpoints.

Keycloak Configuration

After installing Keycloak in your local environment, it's time to get started. Let's begin by creating our first realm.

Create Realm:

A realm in Keycloak is an isolated environment where you manage clients, users, roles, and authentication settings. It allows multiple realms to exist independently within the same Keycloak instance.

When you first enter into keycloak, a predefined realm is created. This initial realm is called the master realm and is the king of all realms. Admins in this realm have permissions to view and manage any other realm created on the server instance. When you define your initial admin account, you are creating an account in the master realm. Your initial login to the admin console will also be through the master realm.

It is recommended not to use the master realm for managing users and applications in your organization. Instead, keep it reserved for super admins who create and manage other realms, ensuring a clean and organized setup.

Now, we need to create our demo realm. To do this, hover over the dropdown menu in the top-left corner, which is labeled master, and click the Create realm button (or Add realm in older versions).

Create Realm

After creating your realm, you will be automatically redirected into it, and you'll be ready to proceed to the next step.

Create Client:

Clients are entities that can request user authentication. They can represent an application or a service.

To create an client go to the Clients left menu item. On this page you’ll see a Create button on the top.

This will bring you to the Create Client page.

First step is to set the client name and client id. For this demo the client id is nestjs-sso-demo.

Since we have a server-side application, we need to enable Client Authentication. This involves setting the Access Type to confidential, which allows us to access the secret key. Leave the other options as they are.

The last step is to set the URLs of your application. In my case, I set the Valid Redirect URIs to http://localhost:3000, which is the URL for my NestJS app. Make sure to update this with the correct URL for your app and click on Save.

Create Client Roles:

After creating the client, you will be redirected into it. Now, it's time to define the app roles.

Client roles serve as granular definitions of access privileges within a specific client application or service. These roles delineate the actions and permissions that users associated with the client can perform within the application.

Client roles are distinct from realm roles, which apply globally across all clients within a Keycloak realm. Instead, client roles are scoped to individual clients, allowing for fine-grained control over access within each application or service.

To create a client role, go to the Roles tab inside the client details and click on Create role button.

In this demo, we will define some CRUD roles:

CREATE_USER: Allows us to create a new user using the NestJS API.
READ_USERS: Allows us to read user data.
UPDATE_USER: Allows us to update user data.
DELETE_USER: Allows us to delete user data.

Here we go ;)

Create User

For demo purposes, we will create a demo user and assign specific roles to each one.

To create an user go to the Users left menu item. On this page you’ll see a Create new user button.

The first user is a viewer user with the username read-user.

After creating the read-user, we will assign them the READ_USERS role.

Similarly, we will create another user with the username admin-user and assign all available roles to this user, including:

CREATE_USER
READ_USERS
UPDATE_USER
DELETE_USER

Here we go ;)

The beast has been tamed after we struggled with Keycloak configurations for some time! Now, let’s jump into the application configuration and put these roles to the test inside our NestJS app. It's time to check if all that setup was worth it!

Application Configuration

I’m assuming you have basic knowledge of how to create a NestJS application with a basic setup. If not, no worries! You can check out the NestJS documentation, it’s very simple and easy to get started with.
We are using nest-keycloak-connect client adapter to communicate with Keycloak server.

Keycloak client adapters are libraries that make it very easy to secure applications and services with Keycloak. We call these adapters rather than libraries as they provide a tight integration to the underlying platform and framework. This makes adapters easy to use and require less boilerplate code than what is typically required by a library.

Installation:

First let install those libraries

npm i @nestjs/config keycloak-connect nest-keycloak-connect

Usage:

We need to add Keycloak configuration to Nest.js.

import { Module } from "@nestjs/common";
import { ConfigModule, ConfigService } from "@nestjs/config";
import { APP_GUARD } from "@nestjs/core";
import {
  AuthGuard,
  KeycloakConnectConfig,
  KeycloakConnectModule,
  ResourceGuard,
  RoleGuard,
} from "nest-keycloak-connect";
import { AppController } from "./app.controller";
import { AppService } from "./app.service";
import { UserModule } from "./user/user.module";

@Module({
  imports: [
    ConfigModule.forRoot({
      isGlobal: true,
    }),
    KeycloakConnectModule.registerAsync({
      inject: [ConfigService],
      useFactory: (configService: ConfigService): KeycloakConnectConfig => ({
        authServerUrl: configService.get("KC_AUTH_SERVER_URL"),
        realm: configService.get("KC_REALM"),
        clientId: configService.get("KC_CLIENT_ID"),
        secret: configService.get("KC_SECRET"),
        useNestLogger: true,
      }),
    }),
    UserModule,
  ],
  controllers: [AppController],
  providers: [
    AppService,
    // This adds a global level authentication guard,
    // you can also have it scoped
    // if you like.
    //
    // Will return a 401 unauthorized when it is unable to
    // verify the JWT token or Bearer header is missing.
    {
      provide: APP_GUARD,
      useClass: AuthGuard,
    },
    // This adds a global level resource guard, which is permissive.
    // Only controllers annotated with @Resource and
    // methods with @Scopes
    // are handled by this guard.
    {
      provide: APP_GUARD,
      useClass: ResourceGuard,
    },
    // New in 1.1.0
    // This adds a global level role guard, which is permissive.
    // Used by `@Roles` decorator with the
    // optional `@AllowAnyRole` decorator for allowing any
    // specified role passed.
    {
      provide: APP_GUARD,
      useClass: RoleGuard,
    },
  ],
})
export class AppModule {}

Here we are using nest-keycloak-connect’s AuthGuard, ResourceGuard and RoleGuard to protect our endpoints.

For the environment variables :

KC_AUTH_SERVER_URL=http://localhost:8080/ # Keycloak Instance
KC_REALM=DEMO
KC_CLIENT_ID=nestjs-sso-demo
KC_SECRET=Pvbc37M7ThncsenGa71Xrj52eLLLHsM2 # Client secret from `Credentials` tab

Now we add following endpoints to our User Controller.

import {
  Body,
  Controller,
  Delete,
  Get,
  Param,
  Post,
  Put,
} from "@nestjs/common";
import { UserService } from "./user.service";
import { User } from "./models/user";
import { Roles } from "nest-keycloak-connect";
import { ROLES } from "./models/roles.enum";

@Controller("user")
export class UserController {
  constructor(private readonly userService: UserService) {}

  @Post("create")
  @Roles({ roles: [ROLES.CREATE_USER] })
  createUser(@Body() payload: User) {
    return this.userService.createUser(payload);
  }

  @Put(':userId/update')
  @Roles({ roles: [ROLES.UPDATE_USER] })
  updateUser(@Param('userId') userId: number, @Body() payload: User) {
    return this.userService.updateUser(userId, payload);
  }

  @Delete("delete/:id")
  @Roles({ roles: [ROLES.DELETE_USER] })
  deleteUser(@Param("id") id: number) {
    return this.userService.deleteUser(id);
  }

  @Get("all")
  @Roles({ roles: [ROLES.READ_USERS] })
  findAllUsers() {
    return this.userService.findAllUsers();
  }
}

Also, we’ll create a simple "Hello World" endpoint inside the App Controller that does not require authentication, using the @Unprotected decorator (You can also use @AllowAnyRole decorator that allow access for any role.).

import { Controller, Get } from "@nestjs/common";
import { AppService } from "./app.service";
import { Unprotected } from "nest-keycloak-connect";
@Controller()
export class AppController {
  constructor(private readonly appService: AppService) {}
  @Get()
  @Unprotected()
  getHello(): string {
    return this.appService.getHello();
  }
}

Endpoint Tests

After setting up our endpoints, it's time to test them using Insomnia or any API tool.

Admin User:

First, we tested accessing the endpoint to create a new user, using the admin-user attached with the JWT token in the Authorization header.

Same for update or delete user and read all users.

Get all users:

Update User:

Viewer User:

The viewer user has only the READ_USERS role, which gives them access to the /api/users/all endpoint.

However, if the same user tries to access other protected endpoints, such as the create user endpoint, the Keycloak guard will throw a forbidden error. This means the user doesn't have the necessary permissions to access that ressource.

Conclusion

Using Keycloak with RBAC makes securing your REST API easy and scalable. You can manage users, roles, and permissions without hardcoding them into your application. By following this guide, you have set up authentication and role-based authorization for your API.

However, RBAC has some limitations:

Resources and roles are tightly coupled, meaning changes to roles can impact multiple resources.
Security requirement changes may require deep modifications to application code.
Managing roles in large applications can become complex and error-prone.
RBAC lacks contextual information, means that if you have a role, you have access, regardless of the specific context.

In our next article, we will explore Keycloak Authorization Services, which provide:

Fine-grained authorization policies and various access control mechanisms.
Centralized resource, permission, and policy management.
REST security using Keycloak’s authorization services.
An infrastructure to reduce code replication and quickly adapt to security changes.

About the Author

Created by OUMERZOUG Haitham

Getting Started with Keycloak: Understanding the Basics

OUMERZOUG Haïtham — Thu, 09 Jan 2025 21:07:41 +0000

In today's interconnected digital landscape, securing APIs (Application Programming Interfaces) is paramount. APIs serve as the gateway for communication between different software applications, enabling seamless data exchange. However, with this connectivity comes the risk of unauthorized access, data breaches, and other security threats.

Enter Keycloak - an open-source identity and access management solution that provides robust security for your APIs and applications. Developed by Red Hat, Keycloak simplifies user authentication, authorization, and user management, allowing you to focus on building and deploying your applications with confidence.

Keycloak Architecture

Keycloak is a flexible and scalable identity and access management solution that provides a single point of access for all your applications. It offers a wide range of features, including:

User registration and management
User authentication and authorization
Role-based access control
Social login integration
Single sign-on (SSO) and single log-out (SLO)
API security
API management
Real-time event monitoring

Description of the Diagram:

User: Represents the end-user interacting with the system.
Keycloak: The central authentication server managing user sessions and authentication flows.
Identity Providers: External systems like Google, Facebook, or LDAP used for federated identity.
Applications: The apps (frontend and backend) that integrate with Keycloak for authentication.
Keycloak Database: The storage system for Keycloak, holding user data, configurations, and session information.

Keycloak Components

Keycloak is composed of several components that work together to provide a comprehensive identity and access management solution. These components include:

Keycloak Server: The core component of Keycloak, responsible for user authentication, authorization, and user management.
Keycloak Admin Console: A web-based user interface for managing Keycloak, including user registration, authentication, and authorization.
Keycloak Realm Management: A web-based user interface for managing Keycloak realms, which are logical groupings of users, applications, and other resources.
Keycloak Client Management: A web-based user interface for managing Keycloak clients, which represents an application or service that interacts with the Keycloak server for authentication and authorization.
Keycloak REST API: A RESTful API for managing Keycloak, including user registration, authentication, and authorization.
Keycloak JavaScript Adapter: A JavaScript library for integrating Keycloak with web applications.
Keycloak Node.js Adapter: A Node.js library for integrating Keycloak with Node.js applications.
Keycloak Docker Image: A Docker image for running Keycloak in a containerized environment.

Keycloak Installation: A Step-by-Step Guide

Keycloak is an open-source Identity and Access Management (IAM) solution that simplifies securing applications and services with features like Single Sign-On (SSO), social login, and more. You can install Keycloak using various methods, including direct installation, Docker, and Docker Compose. Below, I'll explain the steps for each method.

1. Installing Keycloak Locally

To install Keycloak locally, you typically need to download the Keycloak server distribution.

Steps to Install Keycloak Locally:

Download Keycloak :
Go to the Keycloak Downloads page and download the latest version of Keycloak (Distribution powered by Quarkus).
Extract the Archive :
Extract the downloaded files to a directory of your choice.
```
tar -xvf keycloak-<version>.tar.gz
cd keycloak-<version>
```
Start Keycloak :
We used the start-dev command to start the Keycloak server in development mode. This command starts the server with the default configuration to try out Keycloak for the first time to get it up and running quickly.
In the command below, we used the --bootstrap-admin-username and --bootstrap-admin-password options to specify the username and password for the default administrator account. You can change these values to match your requirements.
```
./bin/kc.sh start-dev --bootstrap-admin-username=admin --bootstrap-admin-password=admin
```

Do not use this configuration in production. Instead, use the start command to start the server with a custom configuration.

For more information on the start-dev command and other available commands, refer to the Keycloak Server Documentation.

2. Installing Keycloak with Docker

Keycloak can also be installed using Docker, a containerization platform that simplifies the deployment and management of applications. Docker allows you to package your application and its dependencies into a container, which can then be deployed and run on any system that has Docker installed.

Steps to Install Keycloak with Docker:

Install Docker:
Follow the official Docker documentation to install Docker on your system. You can find the installation instructions for your operating system here.
Pull the Keycloak Docker Image:
To pull the Keycloak Docker image, run the following command:
```
docker pull quay.io/keycloak/keycloak:26.0.7
```
Run the Docker Container:
To run the Keycloak Docker container, use the following command:
```
docker run -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.0.7 start-dev
```
This command starts the Keycloak container and maps port 8080 on the host machine to port 8080 in the container. It also sets the KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD environment variables to admin and admin, respectively.
Access the Keycloak Admin Console:
Once the container is running, you can access the Keycloak Admin Console by opening your web browser and navigating to http://localhost:8080/. You will be prompted to enter the username and password for the admin user.

Note: You can replace 26.0.7 with the desired version of Keycloak.

Conclusion

In this article, we explored the basics of Keycloak, a powerful identity and access management solution. We covered the architecture of Keycloak, its components, and how to install it locally and with Docker. The next article will dive deeper into the features and capabilities of Keycloak, including users, clients, roles, and more.

Resources

About the Author

Created by OUMERZOUG Haitham