How to configure webMethods Integration Server with Keycloak

Overview

Identity and Access Management applications are becoming increasingly common in the corporate landscape, and are used to provide a set of processes, policies, and tools for defining and managing the roles and access privileges of users within an organization. IAMs typically act as a layer between Identity Providers (or IdPs, such as LDAP, Active Directory, etc.) and the target applications themselves, support user federation, and can define which service scopes a particular user is authorized to use.

Keycloak is a popular IAM solution, and this is a simple tutorial highlighting the basic components and configurations to get it running with Integration Server. This tutorial focuses on using OAUTH2 and the Client Credentials grant type in order to execute a rest service residing on IS.

Prerequisites

  • Must have docker installed (e.g. Linux docker client or Rancher Desktop for Windows)
  • Must have a REST testing tool (e.g. Postman, SoapUI, etc)
  • Must have IS installed and running (normal install, IS Docker container or Service Designer are all valid)
  • Must have basic Integration Server Administration knowledge (able to install packages, access the IS Admin GUI, etc)

Keycloak Configuration

“Install” Keycloak

Run Keycloak as a docker image:

Open Keycloak GUI:

Via a browser open: http://localhost:8080/admin

… and login with the admin user/password created above.

Click the arrow next to the master realm and create a new realm named “MyRealm”

KC_CreateRealm1
KC_CreateRealm2

Leave all fields default, and only add “MyRealm” to the Realm Name field. After creation, select the realm drop list once more and choose the “MyRealm” realm.

Configure the Realm

Add Scope to Call IS Services

Choose “Client Scopes” from the nav bar, and create a new scope named “ISServiceScope”.

KC_CreateClientScope

Add IS Clients

Choose “Clients” from the nav bar, and create two new Clients named “ISServer” and “ISSvcConsumer”. Populate using the same values (below), with the exception of different descriptions.

KC_CreateClient1a

KC_CreateClient1b

KC_CreateClient2

KC_CreateClient3

For the “ISSvcConsumer” client, choose the Client Scopes tab and add the client scope created above as default:

KC_AddClientScope

NOTE: We will need various Keycloak URLs for the subsequent configuration. These values can be determined by opening the “OpenID Endpoint Configuration” link under the “Realm Settings” in the side nav bar.

Integration Server Configuration

IS Test Package

This tutorial uses a simple test package with a single service. The service will be executed via rest/post and accepts a firstName and lastName argument. The package looks like this:

IS_TestPackage

Download the package:
KcTestPkg.zip (10.1 KB)

Install and enable the package. (Copy package to replicate/inbound and install via the IS GUI)

Define the IS OAuth Scope

Open the Integration Server GUI.

Under “Administration > OAuth > Scope management” add a scope with the same name as the scope defined in Keycloak. The folder name defined matches the top-level folder name of our test package (but naturally this can be more granular in real-world use cases).

IS_AddScope

Set the External Authentication Server

Under “Administration > OAuth > Add external authorization server” add the Keycloak config.

Name: Keycloak

Introspection Endpoint: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token/introspect

Client Id: ISServer

Client Secret:

User: Administrator

Example:

IS_AddExtAuthServer

Under “Administration > OAuth > Edit OAuth global settings” set the Authorization server to the Keycloak auth server we just configured:

IS_OAuthGlobalSettings

Test Integration via Postman

Create a new Postman collection and request.

In this example, the following values will be used:

Request URL (IS REST service): https://localhost:5543/rad/KcTestPkg.rs:kcTestRad/kctest

JSON Body:
PM_JsonBody

Under Authorization Tab:

Name: Keycloak IS Access Token

Grant Type: Client Credentials

Access Token URL: http://localhost:8080/realms/MyRealm/protocol/openid-connect/token _(can be found from the realm config endpoints discussed above, search for “token_endpoint”)_

Client ID: ISSvcConsumer

Client Secret:

Scope: ISServiceScope

PM_AuthConfig

Click the “Get New Access Token” button. You should get a success message, with a box showing your access token:

PM_GeneratedAccessToken

Click „Use Token“, then Send the request. Success!

PM_RestResults

Read full topic