embesozzi
diff --git a/Diff for: ‎README.md
+11-20 b/Diff for: ‎README.md
+11-20
diff --git a/Diff for: ‎doc/images/kafka-kc-admin-events.png
49.4 KB b/Diff for: ‎doc/images/kafka-kc-admin-events.png
49.4 KB
diff --git a/Diff for: ‎doc/images/kc-admin-events.png
155 KB b/Diff for: ‎doc/images/kc-admin-events.png
155 KB
diff --git a/Diff for: ‎doc/images/legacy-solution-architecture.png
92.3 KB b/Diff for: ‎doc/images/legacy-solution-architecture.png
92.3 KB
diff --git a/Diff for: ‎doc/images/openfga-authz-model.png
-44.5 KB b/Diff for: ‎doc/images/openfga-authz-model.png
-44.5 KB
diff --git a/Diff for: ‎doc/images/openfga-tuples.png
457 KB b/Diff for: ‎doc/images/openfga-tuples.png
457 KB
diff --git a/Diff for: ‎doc/images/solution-architecture.png
-4.19 KB b/Diff for: ‎doc/images/solution-architecture.png
-4.19 KB
diff --git a/Diff for: ‎docker-compose-apps.yml
+2-1 b/Diff for: ‎docker-compose-apps.yml
+2-1
diff --git a/Diff for: ‎docker-compose-openfga.yml
+49 b/Diff for: ‎docker-compose-openfga.yml
+49
diff --git a/Diff for: ‎docker-compose.yml
+21-118 b/Diff for: ‎docker-compose.yml
+21-118
diff --git a/Diff for: ‎kafka-integration/README.md
+81 b/Diff for: ‎kafka-integration/README.md
+81
@@ -1,10 +1,12 @@
 # Keycloak integration with OpenFGA (based on Zanzibar) for Fine-Grained Authorization at Scale (ReBAC)
-This repository contains a PoC implemented with [Keycloak](https://www.keycloak.org/) integrated with [OpenFGA](https://openfga.dev/) on demostrating how to apply fine-grained access control in a high performance and flexible authorization.
+This repository contains a PoC implemented with [Keycloak](https://www.keycloak.org/) integrated with [OpenFGA](https://openfga.dev/) on demostrating how to apply fine-grained access (FGA) control in a high performance and flexible authorization.
+
+In this new version of the PoC we have a direct integration between the Access Manager platform and the OpenFGA solution thanks to the use of the [OpenFGA Java SDK](https://github.com/openfga/java-sdk) to publish the events.
 
 This workshop is based the following article [Keycloak integration with OpenFGA (based on Zanzibar) for Fine-Grained Authorization at Scale (ReBAC)](https://embesozzi.medium.com/keycloak-integration-with-openfga-based-on-zanzibar-for-fine-grained-authorization-at-scale-d3376de00f9a). You will find there full details about the authorization architecture guidelines and involved components.
 
 
-## Authorization Framework
+## Authorization Framework (New)
 
 The following diagram illustrates the solution architecture of this workshop:
 
@@ -13,23 +15,13 @@ The following diagram illustrates the solution architecture of this workshop:
 </p>
 
 * Core:
-
-    * Keycloak (A) is responsible for handling the authentication with the standard OpenID Connect and is managing the user access with his Role Model
-
-    * Keycloak is configure with a custom extension (B) [keycloak-openfga-event-listener](https://github.com/embesozzi/keycloak-openfga-event-listener) which listens to the Keycloak events (User Role Assignment, Role to Role Assignment, etc), parses this event into an OpenFGA tuple based on the [Keycloak Authz Schema](openfga/keycloak-authorization-model.json) and publishes the event to Kakfa Cluster (C)
-
-    * Kakfa OpenFGA Consumer (D) that using the OpenFGA SDK will publish the tuples to the OpenFGA Solution
-
-    * OpenFGA (E) is responsible for applying fine-grained access control. The OpenFGA service answers authorization checks by determining whether a relationship exists between an object and a user
-
+    * Keycloak is responsible for handling the authentication with the standard OpenID Connect and manages user access with its Role Model.
+    * Keycloak is configured with a new custom extension :rocket: [keycloak-openfga-event-publisher](https://github.com/embesozzi/keycloak-openfga-event-publisher) which listens to the Keycloak events (User Role Assignment, Role to Role Assignment, etc), parses this event into an OpenFGA tuple based on the [Keycloak Authorization Schema](model.dsl) and publishes them to OpenFGA over HTTP.
+    * OpenFGA is responsible for applying fine-grained access control. The OpenFGA service answers authorization checks by determining whether a relationship exists between an object and a user.
 * Other components
-
     * Store Web Application is integrated with Keycloak by OpenID Connect
-
     * Store API is protected by OAuth 2.0 and it utilizes the OpenFGA SDK for FGA
 
-So far we don’t have an official Java SDK OpenFGA client to publish the authorization tuples. This is why I decided to use an Apache Kafka cluster for managing the events. Nevertheless, the extension is prepared for the future to use an http client for publishing the events.
-
 # How to install?
 ## Prerequisites
 
@@ -46,7 +38,7 @@ So far we don’t have an official Java SDK OpenFGA client to publish the author
 2. Execute following Docker Compose command to start the deployment
 
    ```sh
-   docker-compose -f docker-compose.yml -f docker-compose-apps.yml up
+   docker-compose -f docker-compose.yml -f docker-compose-apps.yml -f docker-compose-openfga.yml up
    ```
 
 3. To be able to use this environment, you need to add this line to your local HOSTS file:
@@ -61,7 +53,6 @@ So far we don’t have an official Java SDK OpenFGA client to publish the author
     | ------------------------- |:-----------------------------:|:-----------:|:-----------:|:-----------:
     | Keycloak Console          |   http://keycloak:8081        |  admin      |  password   | quay.io/keycloak/keycloak:19.0.2 |
     | OpenFGA Playground        |   http://localhost:3000/playground       |             |             | openfga/openfga:latest           | 
-    | OpenFGA API               |   http://localhost:8080       |             |             | confluentinc/cp-zookeeper:7.2.2<br />confluentinc/cp-kafka:7.2.2|
     | Store Portal              |   http://store:9090           |             |             | Custom image                   |
     | Store API                 |   http://store-api:9091       |             |             | Custom image                   |
 
@@ -85,7 +76,7 @@ So far we don’t have an official Java SDK OpenFGA client to publish the author
     * Open [administration console](http://keycloak:8081)
     * Choose realm
     * Realm settings
-    * Select `Events` tab and add `openfga-events` to Event Listeners.
+    * Select `Events` tab and add `openfga-events-publisher` to Event Listeners.
 
     <img src="doc/images/kc-admin-events.png" width="80%" height="80%">
 
@@ -103,7 +94,7 @@ So far we don’t have an official Java SDK OpenFGA client to publish the author
 
     The password for all the users is `demo1234!`
 
-    Once these steps are finished, the Keycloak OpenFGA Event Listener extension has to proceed to publish these events to the Kafka topic called “openfga-topic”. Then, the Kafka consumer has published those events to the OpenGFA store using the SDK. Here are all tuples stored.
+    Once these steps are finished, the Keycloak OpenFGA Event Publisher extension has proceed to send these events over HTTP to the OpenFGA solution. Here, are all tuples stored.
 
     | User                      |  Relation                     |  Object               | 
     | ------------------------- |:-----------------------------:|:---------------------:|
@@ -116,7 +107,7 @@ So far we don’t have an official Java SDK OpenFGA client to publish the author
 
     The users are identified by the value of the claim sub in the [OpenFGA Playground](http://localhost:3000/playground), see the Tuples tab:
 
-    <img src="doc/images/openfga-kc-authz-model.png" width="50%" height="50%">
+    <img src="doc/images/openfga-tuples.png" width="50%" height="50%">
 
 
 3. Restart the apps (containers: `store` and `store-api`)
 
@@ -13,7 +13,8 @@ services:
       VUE_APP_CLIENT_ID: portal
     depends_on:
       keycloak:
-        condition: service_healthy  
+        condition: service_healthy
+          
   store-api:
     build: ./store-openfga-api
     image: embesozzi/store-openfga-api
 
@@ -0,0 +1,49 @@
+version: '3.8'
+
+services:
+  openfga-postgres:
+    image: postgres:14
+    container_name: openfga-postgres
+    command: postgres -c 'max_connections=100'
+    networks:
+      - default
+    ports:
+      - "5432:5432"
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=password
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  migrate:
+    depends_on:
+      openfga-postgres:
+        condition: service_healthy
+    image: openfga/openfga:v1.3.1
+    container_name: migrate
+    environment:
+      - OPENFGA_DATASTORE_ENGINE=postgres
+      - OPENFGA_DATASTORE_URI=postgres://postgres:password@openfga-postgres:5432/postgres?sslmode=disable
+    command: migrate
+    networks:
+      - default
+  
+  openfga:
+    depends_on:
+      migrate:
+        condition: service_completed_successfully
+    image: openfga/openfga:v1.3.1
+    container_name: openfga
+    command: run
+    environment:
+      - OPENFGA_DATASTORE_ENGINE=postgres
+      - OPENFGA_DATASTORE_URI=postgres://postgres:password@openfga-postgres:5432/postgres?sslmode=disable
+      - OPENFGA_DATASTORE_MAX_OPEN_CONNS=100
+    networks:
+      - default
+    ports:
+      - "8080:8080" #http
+      - "3000:3000" #playground
@@ -5,24 +5,29 @@ volumes:
     driver: local
 
 services:
-  #
-  # Keycloak IAM 
-  #
+
   keycloak-postgres:
-    image: postgres:11
+    image: postgres:14
     container_name: keycloak-postgres
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
+ #   volumes:
+ #     - postgres_data:/var/lib/postgresql/data
     environment:
       POSTGRES_DB: keycloak
       POSTGRES_USER: keycloak
       POSTGRES_PASSWORD: password
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U keycloak" ]
+      interval: 5s
+      timeout: 5s
+      retries: 5        
     ports:
       - 5433:5432
+
   keycloak:
-    build: ./keycloak
-    image: embesozzi/keycloak
+    image: quay.io/keycloak/keycloak:19.0.2
     container_name: keycloak
+    command:
+      - start-dev
     environment:
       KEYCLOAK_USER: admin
       KEYCLOAK_PASSWORD: password
@@ -35,117 +40,15 @@ services:
       KC_DB_PASSWORD: password
       KC_HOSTNAME_STRICT: 'false'
       KC_HTTP_ENABLED: 'true'
-      KC_HOSTNAME_ADMIN: keycloak
-      KC_HOSTNAME: keycloak
-      KC_HEALTH_ENABLED: 'true'
-      # Keycloak OpenFGA Event Listener SPI configuration      
-      KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_SERVICE_HANDLER_NAME: KAFKA
-      KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_AUTHORIZATION_MODEL: '{"type_definitions":[{"type":"group","relationships":[{"relation":"assignee","object":"role"}]},{"type":"role","relationships":[{"relation":"assignee","object":"user"},{"relation":"parent","object":"role"},{"relation":"parent_group","object":"group"}]}]}'
-      KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_CLIENT_ID: keycloak-producer
-      KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_ADMIN_TOPIC: openfga-topic
-      KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_BOOTSTRAP_SERVERS: PLAINTEXT://kafka:19092
-      KC_LOG_LEVEL: INFO,io.embesozzi.keycloak:debug
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
-      interval: 5s
-      timeout: 2s
-      retries: 15  
+      KC_HOSTNAME_ADMIN: localhost
+      KC_HOSTNAME: localhost
+      KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_PUBLISHER_API_URL: http://openfga:8080
+      KC_LOG_LEVEL: INFO, com.twogenidentity.keycloak:debug,com.twogenidentity.keycloak.utils:debug
     ports:
       - 8081:8080
       - 8443:8443
+    volumes:
+      - $PWD/keycloak/lib/keycloak-openfga-event-publisher-1.0.0.jar:/opt/keycloak/providers/keycloak-openfga-event-publisher-1.0.0.jar
+      - $PWD/keycloak/initialize-poc.sh:/opt/keycloak/initialize-poc.sh
     depends_on:
-      - keycloak-postgres
-    networks:
-      default:
-        aliases:
-          - keycloak
-  #
-  # Kakfa Cluster
-  #
-  zookeeper:
-    image: confluentinc/cp-zookeeper:7.2.2
-    hostname: zookeeper
-    container_name: zookeeper
-    ports:
-      - "2181:2181"
-    environment:
-      ZOOKEEPER_CLIENT_PORT: 2181
-      ZOOKEEPER_SERVER_ID: 1
-  kafka:
-    image: confluentinc/cp-kafka:7.2.2
-    hostname: kafka
-    container_name: kafka
-    ports:
-      - "9092:9092"
-      - "19092:19092"
-      - "29092:29092"
-    environment:
-      KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka:19092
-      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:PLAINTEXT
-      KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
-      KAFKA_ADVERTISED_HOST_NAME: kafka
-      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'true'
-      KAFKA_DELETE_TOPIC_ENABLE: 'true'
-      KAFKA_CREATE_TOPICS: openfga-topic:1.1
-      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
-      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
-      KAFKA_ADVERTISED_HOST_NAME: kafka
-    depends_on:
-      - zookeeper
-    healthcheck:
-      test: nc -z localhost 19092 || exit -1
-      start_period: 15s
-      interval: 5s
-      timeout: 10s
-      retries: 10  
-  #
-  # OpenFGA
-  #  
-  postgres:
-    image: postgres:14
-    container_name: postgres
-    networks:
-      - default
-    ports:
-      - "5499:5432"
-    environment:
-      - POSTGRES_USER=postgres
-      - POSTGRES_PASSWORD=password
-    healthcheck:
-      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-  migrate:
-    depends_on:
-      postgres:
-        condition: service_healthy
-    image: openfga/openfga:latest
-    container_name: migrate
-    command: migrate --datastore-engine postgres --datastore-uri 'postgres://postgres:password@postgres:5432/postgres?sslmode=disable'
-    networks:
-      - default
-  openfga:
-    depends_on:
-      migrate:
-        condition: service_completed_successfully
-    image: openfga/openfga:latest
-    container_name: openfga
-    command: run --datastore-engine postgres --datastore-uri 'postgres://postgres:password@postgres:5432/postgres?sslmode=disable'
-    networks:
-      - default
-    ports:
-      - "8080:8080"
-      - "3000:3000"    
-  #
-  # Kafka OpenFGA Consumer
-  # 
-  kafka-consumer-openfga:
-    build: ./kafka-consumer-openfga
-    image: embesozzi/kafka-consumer-openfga
-    container_name: kafka-consumer-openfga
-    depends_on:
-      kafka:
-        condition: service_healthy
-    environment:
-      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+      - keycloak-postgres
@@ -0,0 +1,81 @@
+# Keycloak integration with OpenFGA via Kafka (Legacy)
+In this case the integration between [Keycloak](https://www.keycloak.org/) and [OpenFGA](https://openfga.dev/) is via Kafka. This was the first version of the PoC when it wasn't available an OpenFGA SDK for Java for publishing the event directly to OpenFGA - Luckly now there is :).
+
+Therefore If you can follow the new approach with the direct integration between Keycloak and OpenFGA with the new extension describe [here](../README.md)
+
+## Authorization Framework (Legacy)
+
+In this case the following diagram illustrates the solution architecture of this workshop when you use the Kafka integration:
+
+<p align="center">
+  <img width="70%" height="70%" src="../doc/images/legacy-solution-architecture.png">
+</p>
+
+* Core:
+
+    * Keycloak (A) is responsible for handling the authentication with the standard OpenID Connect and is managing the user access with his Role Model
+
+    * Keycloak is configure with a custom extension (B) [keycloak-openfga-event-listener](https://github.com/embesozzi/keycloak-openfga-event-listener) which listens to the Keycloak events (User Role Assignment, Role to Role Assignment, etc), parses this event into an OpenFGA tuple based on the [Keycloak Authz Schema](openfga/keycloak-authorization-model.json) and publishes the event to Kakfa Cluster (C)
+
+    * Kakfa OpenFGA Consumer (D) that using the OpenFGA SDK will publish the tuples to the OpenFGA Solution
+
+    * OpenFGA (E) is responsible for applying fine-grained access control. The OpenFGA service answers authorization checks by determining whether a relationship exists between an object and a user
+
+* Other components
+
+    * Store Web Application is integrated with Keycloak by OpenID Connect
+
+    * Store API is protected by OAuth 2.0 and it utilizes the OpenFGA SDK for FGA
+
+# How to install?
+## Prerequisites
+
+ * Install Git, [Docker](https://www.docker.com/get-docker) and [Docker Compose](https://docs.docker.com/compose/install/#install-compose) in order to run the steps provided in the next section<br>
+
+## Deploy the PoC
+
+1. Clone this repository
+    ````bash
+    git clone https://github.com/embesozzi/keycloak-openfga-workshop
+    cd keycloak-openfga-workshop
+    ````
+
+2. Execute following Docker Compose command to start the deployment
+
+   ```sh
+   docker-compose -f ./kafka-integration/docker-compose-kafka.yml -f docker-compose-openfga.yml -f ../docker-compose-apps.yml up
+   ```
+
+3. To be able to use this environment, you need to add this line to your local HOSTS file:
+
+   ```sh
+   127.0.0.1  keycloak openfga store store-api
+   ```
+
+4. Access the following web UIs using URLs bellow via a web browser.
+
+    Described [here](../README.md)
+
+## Post configuration steps
+
+### OpenFGA
+1. Import the [OpenFGA authorization schema for Keycloak](openfga/keycloak-authorization-model.json):
+    ```bash
+    cd openfga
+    ./import.sh
+    ```
+2. As the result you will see the following OpenFGA Authorization Model in the [OpenFGA Playground Console](http://localhost:8080/playground) :
+
+    ![openfga-keycloak-authorization-model](../doc/images/openfga-authz-model.png)
+
+### Keycloak
+1. Enable the Keycloak OpenFGA Event Listener extension in Keycloak:
+
+    * Open [administration console](http://keycloak:8081)
+    * Choose realm
+    * Realm settings
+    * Select `Events` tab and add `openfga-events-kafka` to Event Listeners.
+
+2. Proceed to initialize the PoC:
+
+    Follow the steps of the README.