DEV Community: vidi42

Keycloak one-time link for resource access

vidi42 — Sat, 01 Feb 2020 17:15:16 +0000

The premise

Recently in one of the applications we are building, we wanted to give the users the possibility to create a one-time access URL for a resource, which they can then share with another user.

The context

We are building web-based applications, with an Angular frontend and a Java backend.
Our authorization is handled by Keycloak.

The success criteria

The link can be easily shared through any mean, typing or QR, so it cannot be extremely long
The link should only give access to that one user (consumer) and one resource and cannot be used by other users to access the same resource
And of course, the consumer user doesn't need to type his/her credentials to access the resources trough the received link

The solution

This is, of course, a stripped-down version of the final solution, meant to be used as a guideline.

Frontend part

Since we are using Angular on the frontend side we already had integrated keycloak-angular so not much work to be done there.

Backend side

This is where all the heavy lifting was done for the whole of the implementation.

There are two main entry points into the solution:

Trough an API endpoint for generating the one-time access URL for the consumer user and the resource
Trough the one-time access URL which points the right user to the right resource

1. Generating the one-time access URL

Nothing fancy here in regards to the API endpoint implementation, except maybe that is a REST endpoint.

So something like this: POST /oneTimeUrl/{consumerUserId}/{resourceId} and of course which is secured with an Authorization header.

Having such an endpoint then gives you all the information you need to create the one-time access URL.

Before we get to the one-time access URL, we need to find a way to allow the consumer user to be directly authenticated when accessing the URL (remember the success criteria). For that, we will need to get a hold of an access token for him.

In order to do that, I used one of Keycloak's not so known features, but an OAuth 2.0 standard Token Exchange.
Keycloak documentation here.

And it looks something like this

HttpPost httpPost = new HttpPost(keycloakBaseUrl + "/realms/MyRealm/protocol/openid-connect/token");

List<BasicNameValuePair> formData = new ArrayList<>();
formData.add(new BasicNameValuePair("client_id", resourceClientId));
formData.add(new BasicNameValuePair("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange"));
formData.add(new BasicNameValuePair("subject_token", myAccessToken));
formData.add(new BasicNameValuePair("requested_subject", keycloakConsumerUser.getId()));

UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(formData, StandardCharsets.UTF_8);

httpPost.setEntity(formEntity);

CloseableHttpResponse response = client.execute(httpPost);

💡 your current user will have to have the impersonation role for this to work

And we will get the same response as when the authorization is concluded which contains an accessToken, refreshToken and other access token related data.

So using the consumer user's accessToken we just obtained and having the resourceId we can now store the pair and build a unique URL that points to them.

Something like GET /sharableUrl/{uniqueIdentifier}.

And with this we have our first 2 points from the success criteria covered:

link is short and can be easily shared ✔️
link points to a certain user and a resource ✔️

2. Accessing the one-time URL

Now that we have our one-time sharable URL which points to a valid consumer user access token and a resource we are halfway there because this is just a more friendly gateway for the user to use, but it has to do some background work as well.

And what the servlet behind this URL does is basically build a bit uglier URL which redirects the user to the resource he needs to access.

So basically using the identifier we can search for an access token and a resource in our storing system and if we find them we can begin constructing the real one-time access URL.

We will end-up with something like this GET /resourceUrl?accessToken={consumerUserAccessToken}.

This is uglier because if the access token is a JWT it will be a pretty long one.

But now, we have everything we need to redirect the user to the resource.
Looking at the success criteria it feels like we the last point as well, except that it won't really work as expected and the consumer user will still be required to input his/her credentials.

That's because the keycloak-angular package configured on the fronted side does not accept the access token as a query parameter so we will be redirected to the login screen.

Keycloak side

So yeah the Keycloak shares on that heavy lifting as well.

In order to login the user directly we will try and stop Keycloak from showing the login screen if it notices there is a valid access token somewhere in the redirect URL.

For that, we configured a new Browser Flow similar to the default one, but with an extra step.

💡 the new Access Token URI Flow will try to execute before the normal login form flow as an alternative login

In the script execution, we will try and validate the access token from the URL

function authenticate(context) {

    var accessToken = getAccessToken(context);
    var decodedAccessToken = context.getSession().tokens().decode(accessToken, AccessToken.class);
    if (!decodedAccessToken || decodedAccessToken === null) {
        LOG.error("Missing access token");
        context.attempted();
        return;
    }
    var username = decodedAccessToken.getPreferredUsername();
    var user = context.getSession().users().getUserByUsername(username, context.getRealm());

    if (!user) {
        LOG.error("No user found for username " + username);
        context.attempted();
        return;
    }


    context.getAuthenticationSession()
        .setRedirectUri(cleanTheAccessTokenFromTheRedirectUri(context));
    context.setUser(user);
    context.success();
}

A rundown of the script:

we get the access token from the URL
we try to decode it, which also runs a validation check on it to make sure is not expired or tempered with
we get a user based on the username from the access token and log it in
we cleanup the redirect URL of the access token parameter before redirecting

And with that, we have our latest success criteria point in place: not requiring the user to input his/her credentials ✔️.

Going to GOTO Berlin

vidi42 — Tue, 26 Nov 2019 17:58:18 +0000

Have you ever been to Berlin, or to a tech conference in Berlin, or at least curious how a tech conference in Berlin would be? Well I’m here to help you with the last one and hopefully, in the process, help you decide on the first two.

That’s because I have spent 4 days in Berlin, 3 of which were at the GOTO conference and I would like to share with you my experience, through some of the bestofs from the conference.

Before we dive right into them, I would like to make a few disclaimers: There were a lot of cool presentation, but I won’t have time to go through each so I hand picked those which represent different aspects of our working life. And second, I invite you to also have a look at the presentations by yourself and make you own opinion about the subjects presented.

Getting there

My plane landed in Berlin just 2 hours before the opening Keynote, but since there were no delays, thanks to Berlin’s great S-Bahn system and a little bit of planning ahead, not only I reached the conference in time, but I also managed to check-in at the hotel, grab a coffee and even some breakfast before the Keynote.

Start with a laugh

Starting off on the right foot, what more could I ask for that day.

Well, everything is better if you start with a laugh, isn’t it. Mostly everything. I’m sure a conference is one of those things.

The opening keynote, The importance of Laughter, was held by Aino Vonge Corry, one of the funniest speakers I’ve seen on a stage, who set the tone for me for the rest of the conference, because I learned a lot while also having a laugh and basically that’s exactly why I went to a conference in the first place.

For example I learned which is the funniest joke in the world, scientifically proven (exactly the content you don’t expect, but appreciate at a tech conference). Here’s the report, but I also recommend you watch Aino’s talk on Youtube.

Mob programming

>> Insert here expanding brain meme: Solo → Pair → Mob Programming <<

I’ve been doing solo programming, heard and seen pair programming, but honestly I’ve never heard about mob programming (and it felt like I was the only one). That’s why Woody Zuill’s presentation was so great, because it managed to present me with a concept I’ve never heard of before and made me wanna try it out. For those who, as me, didn’t heard about mob programming before, the picture bellow should explain pretty much the whole concept.

This is pretty much my desk at least once a week and not because we’re doing mob programming.

But the idea of Mob Programming is much more then fixing issues together, it’s actually implementing and delivering features like this. You have your Navigator or Navigators which come up with the ideas and next steps, then your Driver which is doing all the typing and you rotate so that everyone has the chance of being the Driver.

The pros are that you have everyone focusing on the same issue instead of all going at different speeds, waiting one for another, asking around and wasting too much time on communication channels.

As a personal thought of this, I can see this working in most of the projects (even if the teams are remote) for smaller periods of time of or per feature (maybe a complex feature) better then the traditional solo programming.

If the manager or programmer super star in you starts screaming, I feel you, but I also invite you to watch Woody Zuill’s presentation, because it addresses a lot of the questions your inner you has. (https://gotober.com/2019/sessions/843/mob-programming-and-the-power-of-flow)

Kubernetes

Ah, the cool “new” kid on the block with lots of toys, which you see everywhere you go, it’s following you until you have no other option but befriend him.

Even if it’s almost a decade old I’ve never had the chance to work with it, but given recent organizational changes and trends, it feels more like I’m on the brink of having to say “hi” pretty soon.

And if that’s the case I wanted to find out what working with Kubernetes is really like by joining a talk which present you with a list of tools you could use in your daily work and what you could do with them. Straight forward, right? Right?

Well, sort of. Ellen Köber really made a good summary of each tool and it’s pros and cons (a list you can see in the picture above), but to be honest it was kind of overwhelming. There’s no right answer for anything and it all depends on your way of working and you own organizational constraints. So if your like me and you don’t already use Kubernetes it might be difficult to see how all the pieces fall together, but then again looking at the picture above you can see a pretty traditional CI pipeline there.

If you are using already Kubernetes then I suggest you take a look at Ellen’s talk, you might find out about some tools you didn’t know and could use right away. If you are not already using Kubernetes, it’s just a matter of time until you will, so you might also want to check it so you can put some aces up your sleeves.

(https://gotober.com/2019/sessions/821/kubernetes-day-3-the-state-of-kubernetes-development-tooling)

Extreme Digitalization in China

If somebody would to ask me to explain to them how does extreme digitalization really manifests in China, I would tell them this: “Smile to the camera for 60 cm of toilet paper. Oh, and really fast trains.”

Maybe that’s the answer you were waiting for. Of course all the room started laughing when we heard Christina Boutrup present this example, but then it dawned on me, that’s one of the best examples for Extreme Digitalization. Because it’s not only about having you own Facebook, Whatsapp and Shopping app into one, or you own internet. It’s not event about fast trains (.. ok, it’s a bit also about having the fastest trains), but mostly it’s about digitalizing every basic aspect of you life in such a way that you have to trade you personal data for even the most mundane things.

During the Keynote Christina went into many details about what this means for the people of China and also for the rest of the world, because we must not forget, China has one of the biggest consumer market and everybody wants a piece of it.

I would like to invite you to watch her entertaining and eye opening presentation. I’ve also added her book to my Goodreads Want to Read list.

(https://gotober.com/2019/sessions/1061/extreme-digitalization-in-china *video also available in the GOTO Play app)

Sonic Pi

Now this, for me, was one of the coolest moments from the conference.

Have you ever wondered what would happen if you would take programmer and a DJ and not only combine them into one, but also have the put on a show. Well, neither did I, that’s why this presentation ( show / set you can call if whatever you like) blew me away, because from the schedule description I didn’t really know what to make of it so I went in there with low expectations and boy was I in for a surprise.

This guy, Sam Aaron, built this tool, Sonic Pi, which is basically an IDE for writing music trough code. This started from the desire to try and introduce more entertaining ways for kids and adults to get into coding and evolved in like a full fledged instrument for a DJs to drop some serious beats.

Oh yeah, Sam not only built this piece of software, he is also playing it like a total boss.

He turned the whole conference into a club with live music. There was something for everybody, great music (and I mean it, you wouldn’t guess it live programmed), live programming with proper indenting and naming and also comments, that’s just how programmers communicate with their code’s audience.

You can imagine that the first thing I did after my hangover was to download Sonic Pi and try it out. I don’t have any musical talent, but there are some Soundcloud songs which are described very technically, that you can use to make you very own Hello Worlds debut into the music industry.

Frontend Architecture

Of course there was Frontend at this conference as well. It wasn’t only idealistic discussions and entertainment.

It kind of was the same for this discussion as well, I mean, frontend architecture kind of falls into the general direction of idealistic.

But it’s not only frontend, we don’t want to single out anyone. Architecture in general is associated with a certain unconformable gut feeling that you cannot really put your finger on it.

So Monica tried to break down this “Architecture” stuff and see what really is that makes it so shady. And stuff started coming out, Technical Debt, Dependency Injection, Component Reusability. Scary stuff right there, lucky she is a great and funny speaker, so people didn’t just left the room instantly when they’ve seen yet another person going over same stuff everybody keeps lecturing about. And she also made some bold, but otherwise good points.

It seems an aspect of good architecture is resilience to changes over time. So yeah, the graph bellow might explain why.

To achieve this here are some things we can consider during development.

Let’s start with an easy one. All source code dependencies must point inwards, so from the most outer layer, like Router to the most inner one, like a model or service. That way you avoid a huge intertwined ball of mud. I think that’s a reasonable aspect. Let’s do another one.

I realize while typing that this contradicts every fiber in me, but, we don’t always need to generalize every component which we realize can be used in another place (oh, that hurt). It turns out sometimes you can even copy code and avoid the configurability hell you get in when you encounter small differences between two or more places a component is used in.

I won’t go trough the whole presentation stuff here, because, as you already know you can check it out online.

(https://gotober.com/2019/sessions/1119/building-resilient-frontend-architecture)

Conclusion

As Berlin is, GOTO is also a colorful, diverse, green and progressive conference, situated in one of the most important tech hubs in Germany. I took away with me some important learnings, contacts and experience from it and I can’t wait to what future editions will bring.

As I said in the beginning I want to help you decide if you should join GOTO in Berlin, so I’ll leave you with a personal rating for the conference:

Interesting: 3/5 👍
Usefulness or applicability from: 3/5 👍
Fun factor: 4/5 👍
Schmooz factor: 3/5 👍