Switch Keycloak Integration to NGINX Proxy for Flexible Authentication Setup (#718)

* Update example to use nginx setup instead of keycloak plugin

* Uncomment keycloak fixed uri instance to check which test is using it

* Fix aas repository registry integration tests

* Update keycloak reference for test cases

* Update aas environment test

* Trigger build

* Update submodel service example

* Use the real token instead of a mock for testing

---------

Co-authored-by: Aaron Zielstorff <aaron.zi@web.de>

Author: geso02

basyx.aasenvironment/basyx.aasenvironment-client/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/client/TestAuthorizedConnectedAasEnvironment.java

@@ -93,7 +93,7 @@ public static void cleanUpContext() {
 
 	@Before
 	public void setup() throws IOException {
-		TokenManager mockTokenManager = new TokenManager("http://localhost:9096/realms/BaSyx/protocol/openid-connect/token", new ClientCredentialAccessTokenProvider(new ClientCredential("workstation-1", "nY0mjyECF60DGzNmQUjL81XurSl8etom")));
+		TokenManager mockTokenManager = new TokenManager("http://localhost:9098/realms/BaSyx/protocol/openid-connect/token", new ClientCredentialAccessTokenProvider(new ClientCredential("workstation-1", "nY0mjyECF60DGzNmQUjL81XurSl8etom")));
 
 		aasEnvironment = new AuthorizedConnectedAasEnvironment(mockTokenManager);
 	}

basyx.aasenvironment/basyx.aasenvironment-client/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/client/TestAuthorizedConnectedAasManager.java

@@ -63,8 +63,8 @@ public class TestAuthorizedConnectedAasManager extends TestConnectedAasManager {
 	protected final static String AAS_REGISTRY_BASE_PATH = "http://localhost:8051";
 	protected final static String SM_REGISTRY_BASE_PATH = "http://localhost:8061";
 
-	private final static TokenManager TOKEN_MANAGER = new TokenManager("http://localhost:9096/realms/BaSyx/protocol/openid-connect/token", new ClientCredentialAccessTokenProvider(new ClientCredential("workstation-1", "nY0mjyECF60DGzNmQUjL81XurSl8etom")));
-	private final static TokenManager TOKEN_MANAGER_REGISTRY = new TokenManager("http://localhost:9097/realms/BaSyx/protocol/openid-connect/token", new ClientCredentialAccessTokenProvider(new ClientCredential("workstation-1", "nY0mjyECF60DGzNmQUjL81XurSl8etom")));
+	private final static TokenManager TOKEN_MANAGER = new TokenManager("http://localhost:9098/realms/BaSyx/protocol/openid-connect/token", new ClientCredentialAccessTokenProvider(new ClientCredential("workstation-1", "nY0mjyECF60DGzNmQUjL81XurSl8etom")));
+	private final static TokenManager TOKEN_MANAGER_REGISTRY = new TokenManager("http://localhost/realms/BaSyx/protocol/openid-connect/token", new ClientCredentialAccessTokenProvider(new ClientCredential("workstation-1", "nY0mjyECF60DGzNmQUjL81XurSl8etom")));
 
 	private static AuthorizedConnectedAasRepository connectedAasRepository;
 	private static AuthorizedConnectedSubmodelRepository connectedSmRepository;

basyx.aasenvironment/basyx.aasenvironment-client/src/test/resources/application-authorization.properties

@@ -37,7 +37,7 @@ basyx.feature.authorization.enabled = true
 basyx.feature.authorization.type = rbac
 basyx.feature.authorization.jwtBearerTokenProvider = keycloak
 basyx.feature.authorization.rbac.file = classpath:rbac_rules.json
-spring.security.oauth2.resourceserver.jwt.issuer-uri= http://localhost:9096/realms/BaSyx
+spring.security.oauth2.resourceserver.jwt.issuer-uri= http://localhost:9098/realms/BaSyx
 
 ####################################################################################
 # Operation Delegation

basyx.aasrepository/basyx.aasrepository-client/src/main/java/org/eclipse/digitaltwin/basyx/aasrepository/client/internal/AssetAdministrationShellRepositoryApi.java

@@ -1089,7 +1089,6 @@ private void addAuthorizationHeaderIfAuthIsEnabled(HttpRequest.Builder localVarR
 	    	try {
 	    		localVarRequestBuilder.header("Authorization", "Bearer " + tokenManager.getAccessToken());
 			} catch (IOException e) {
-				e.printStackTrace();
 				throw new AccessTokenRetrievalException("Unable to request access token");
 			}
 	    }

basyx.aasrepository/basyx.aasrepository-feature-registry-integration/src/test/java/org/eclipse/digitaltwin/basyx/aasrepository/feature/registry/integration/AuthorizedAasRepositoryRegistryLinkTest.java

@@ -27,18 +27,22 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThrows;
+
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.util.List;
 
 import org.eclipse.digitaltwin.basyx.aasregistry.client.ApiException;
 import org.eclipse.digitaltwin.basyx.aasregistry.client.api.RegistryAndDiscoveryInterfaceApi;
 import org.eclipse.digitaltwin.basyx.aasregistry.client.model.AssetAdministrationShellDescriptor;
 import org.eclipse.digitaltwin.basyx.aasregistry.main.client.AuthorizedConnectedAasRegistry;
+import org.eclipse.digitaltwin.basyx.client.internal.authorization.AccessTokenProviderFactory;
 import org.eclipse.digitaltwin.basyx.client.internal.authorization.TokenManager;
+import org.eclipse.digitaltwin.basyx.client.internal.authorization.grant.AccessTokenProvider;
+import org.eclipse.digitaltwin.basyx.client.internal.authorization.grant.GrantType;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
-import org.mockito.Mockito;
 import org.springframework.boot.SpringApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
@@ -51,7 +55,7 @@
 public class AuthorizedAasRepositoryRegistryLinkTest extends AasRepositoryRegistryLinkTestSuite {
 
 	private static final String AAS_REPO_URL = "http://localhost:8081";
-	private static final String AAS_REGISTRY_BASE_URL = "http://localhost:8051";
+	private static final String AAS_REGISTRY_BASE_URL = "http://localhost:8052";
 	private static ConfigurableApplicationContext appContext;
 	private static AasRepositoryRegistryLink aasRepositoryRegistryLink;
 
@@ -70,21 +74,26 @@ public static void tearDown() {
 		appContext.close();
 	}
 
+	
 	@Test
 	public void sendUnauthorizedRequest() throws IOException {
-		TokenManager mockTokenManager = Mockito.mock(TokenManager.class);
-
-		Mockito.when(mockTokenManager.getAccessToken()).thenReturn("mockedAccessToken");
+		String clientId = "workstation-1";
+		String clientSecret = "nY0mjyECF60DGzNmQUjL81XurSl8etom";
+		
+        AccessTokenProviderFactory factory = new AccessTokenProviderFactory(GrantType.CLIENT_CREDENTIALS, List.of());
+        factory.setClientCredentials(clientId, clientSecret);
+        AccessTokenProvider provider = factory.create();
+        //issuer will also have the port number and will not match the registry issuer -> 401 invalid token, unauthorized
+		TokenManager tokenManager = new TokenManager("http://localhost:9098/realms/BaSyx/protocol/openid-connect/token", provider);
 
-		RegistryAndDiscoveryInterfaceApi registryApi = new AuthorizedConnectedAasRegistry(AAS_REGISTRY_BASE_URL, mockTokenManager);
+		RegistryAndDiscoveryInterfaceApi registryApi = new AuthorizedConnectedAasRegistry("http://localhost:8051", tokenManager);
 
 		AssetAdministrationShellDescriptor descriptor = new AssetAdministrationShellDescriptor();
 		descriptor.setIdShort("shortId");
 
 		ApiException exception = assertThrows(ApiException.class, () -> {
 			registryApi.postAssetAdministrationShellDescriptor(descriptor);
 		});
-
 		assertEquals(HttpStatus.UNAUTHORIZED.value(), exception.getCode());
 	}
 

basyx.aasrepository/basyx.aasrepository-feature-registry-integration/src/test/resources/application-authregistry.properties

@@ -36,7 +36,7 @@ basyx.externalurl=http://localhost:8081
 
 # Authorized registry integration
 basyx.aasrepository.feature.registryintegration.authorization.enabled=true
-basyx.aasrepository.feature.registryintegration.authorization.token-endpoint=http://localhost:9097/realms/BaSyx/protocol/openid-connect/token
+basyx.aasrepository.feature.registryintegration.authorization.token-endpoint=http://localhost/realms/BaSyx/protocol/openid-connect/token
 basyx.aasrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
 basyx.aasrepository.feature.registryintegration.authorization.client-id=workstation-1
 basyx.aasrepository.feature.registryintegration.authorization.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom

basyx.submodelrepository/basyx.submodelrepository-feature-registry-integration/src/test/resources/application-authregistry.properties

@@ -36,7 +36,7 @@ basyx.externalurl=http://localhost:8081
 
 # Authorized registry integration
 basyx.submodelrepository.feature.registryintegration.authorization.enabled=true
-basyx.submodelrepository.feature.registryintegration.authorization.token-endpoint=http://localhost:9097/realms/BaSyx/protocol/openid-connect/token
+basyx.submodelrepository.feature.registryintegration.authorization.token-endpoint=http://localhost/realms/BaSyx/protocol/openid-connect/token
 basyx.submodelrepository.feature.registryintegration.authorization.grant-type = CLIENT_CREDENTIALS
 basyx.submodelrepository.feature.registryintegration.authorization.client-id=workstation-1
 basyx.submodelrepository.feature.registryintegration.authorization.client-secret=nY0mjyECF60DGzNmQUjL81XurSl8etom

basyx.submodelservice/basyx.submodelservice.component/example/auth/application-rbac.yml

@@ -11,4 +11,4 @@ spring:
     oauth2:
       resourceserver:
         jwt:
-          issuer-uri: http://keycloak:9102/realms/BaSyx
+          issuer-uri: http://keycloak.basyx.localhost/realms/BaSyx

basyx.submodelservice/basyx.submodelservice.component/example/docker-compose.yml

@@ -3,6 +3,21 @@ networks:
     driver: bridge
 
 services:
+
+  # nginx reverse proxy to support dns lookup
+  nginx-proxy:
+    image: nginxproxy/nginx-proxy:1.6.0-alpine
+    container_name: proxy
+    restart: always
+    ports:
+      - "80:80"
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+    environment:
+      DEFAULT_HOST: keycloak.basyx.localhost
+    networks:
+      - auth
+
   submodel-service:
     image: eclipsebasyx/submodel-service:${REVISION}
     container_name: submodel-service
@@ -23,12 +38,13 @@ services:
       - ./sources/:/application/sources/:ro
       - ./jars/HelloWorld.jar:/application/jars/HelloWorld.jar:ro
       - ./application-mappings.yml:/application/config/application-mappings.yml/:ro
+
   submodel-service-auth:
     image: eclipsebasyx/submodel-service:${REVISION}
     container_name: submodel-service-auth
     pull_policy: missing    
-    # extra_hosts:
-    # - "host.docker.internal:host-gateway"
+    extra_hosts:
+    - "keycloak.basyx.localhost:host-gateway"
     environment:
       # add the mounted jar file file:submodel.json or submodel.json
       BASYX_SUBMODELSERVICE_SUBMODEL_FILE: submodel.json
@@ -55,24 +71,23 @@ services:
         condition: service_completed_successfully
 
   keycloak:
-    image: test/keycloak-submodel:24.0.4
-    build: 
-      context: ../../../ci/keycloak
-      dockerfile: Dockerfile.keycloak
+    image: keycloak/keycloak:24.0.4
     container_name: keycloak
-    command: ["start-dev", "--import-realm"]
-    ports:
-      - 9102:9102
     environment:
-      KC_HTTP_PORT: 9102
-      KC_HTTP_ENABLED: "true"
-      KC_HTTPS_ENABLED: "false"
-      KC_HEALTH_ENABLED: "true"      
-      KC_HOSTNAME: localhost
-      KC_SPI_INITIALIZER_ISSUER_BASE_URI: http://keycloak:9102
+      VIRTUAL_HOST: keycloak.basyx.localhost
+      VIRTUAL_PORT: "8080"
+      KC_HOSTNAME: keycloak.basyx.localhost
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: keycloak-admin
+      KC_HTTP_ENABLED: "true"
+      KC_HTTPS_ENABLED: "false"
+      KC_HEALTH_ENABLED: "true"
       KC_IMPORT: /opt/keycloak/data/import/
+    command: ["start-dev", "--import-realm"]
+    ports:
+      - 9097:8080
+    volumes:
+      - ./keycloak/realm:/opt/keycloak/data/import
     networks:
       - auth   
 
@@ -81,7 +96,7 @@ services:
     command: >
       sh -c "
         echo 'Waiting for Keycloak to become ready...';
-        until curl -sf http://keycloak:9102/health/ready; do
+        until curl -sf http://keycloak:8080/health/ready; do
           sleep 5;
         done;
         echo 'Keycloak is ready!'"