Transcripts
1. Introduction: Hi guys. Welcome to this course. This is on Keycloak. My name is Shani yellow dots. I work as an enterprise architect. In this course I am going to give you a basic introduction to Keycloak. It is specially for developers, system administrators, security engineers, or anyone who wants to leverage Keycloak and its capabilities to secure applications. Basically, what is Keycloak? It is an IAM tool. If you look at the problems that exist today, the next page shows that there is no centralized IAM at this point in time. You will see that requirements are coming from user federations and hashing algorithms. Then there is the multi-cloud environment. You will see Salesforce and that kind of thing, and I want every integration to happen for you, whether on a monolithic application or on a new COTS product. Solutions do exist, but what is happening is that they are split across different domains and different technologies. What has Keycloak provided us today? It is more of a single centralized solution where you can do your IAM things in one place. You can define your realm, you can define your clients, the configurations, how you will be managing the events, the federations, the LDAP or Active Directory integration, user management. Everything sitting in one place is what we are looking for through Keycloak.

Now, I will be going into the details of the architecture in production, and why we need Keycloak, in this course. This is basically a basics course, but what I will be doing here is taking you through the Keycloak configurations: how to set up realms, how to set up users, how to set up groups, how to define integrations between different systems. We will also do hands-on, starting up your application, or how to start off with Keycloak. Then we will also go through an application which is built on simple JavaScript. You don't need to learn a lot of JavaScript or Node.js. As we will see, there is a Node.js backend, and how the integration is happening between front-end and back-end through Keycloak is something we will be discussing in this course. Then we will take a look into multi-factor authentication, or at least two-factor authentication, where you will be putting in your password and then you can also set up your mobile application to get the one-time password through that. That is in the second section; we will also be discussing that. Then we will take one Tomcat application server. If you think of any other application server, the configurations are relatively similar, so I will take the Tomcat adapter and show you how you can do the configuration. In the process you will learn where you are storing things, how you are interacting between the applications, and how this can work as a single solution for your IAM problems. That is what is stored in this course. For anyone who wants to learn the basics of Keycloak, guys, in this course you will definitely learn lots of things, and especially you really don't need to go through Google or different sites to understand it. I have integrated most of the things here from the basic viewpoint. So please take this course if you want to learn about the basics of IAM implementation using Keycloak. Thank you, and hope to see you inside the course.
2. Why Keycloak?: Hi guys. In the identity and access management space, what are the problems that exist today? We will start our discussion from there. If you look, there is a problem with a single IAM implementation: we don't see a single IAM implementation. There are many available in our organization, but there is no single one; somebody is going through LDAP, somebody is going through identity providers, different authorization modules and different kinds of services. What we see today, and you must have seen it, is that password reset, forgot password or create account is always a challenge. Then you may have seen that updating accounts, assigning roles or changing the password when a person joins the organization or leaves the organization is a problem; you must have observed that the roles and responsibilities have to be taken out, but that is not happening. You may still have access to some projects which you left two years back. Those sorts of problems exist. Then hashing algorithms, salting or password policies are very common here; you keep on updating those. You must have also observed that today Facebook, Twitter, Instagram, LinkedIn or Google Plus login is a common thing. You may have a Google login to the system; from there you want to come back to your real project solution systems, and you really don't want to log out of those solutions; you want a single sign-on across them. Then LDAP, Active Directory, everything is held in a split manner, so you don't have a user federation from where you directly get into your solutions. And what are the problems if you have monolithic or layered applications? You want to do a single login from there, but that is also missing today. You have REST services, microservices, and authentication which is handled separately. You are writing your basic authentication in the different service programs; you are writing your SOAP services and supporting your authentication separately. Then there are requirements in the multi-cloud environment: people want a single store of users so that they can log in to the system easily. That is what is not happening today directly in one solution. And that is why the solution people are looking around for is one where we can generalize this kind of thing; in most cases we want to distribute things, but here in the IAM space a centralized solution is missing. If you look at Jira, Confluence or Salesforce, they don't want to store passwords inside their systems. How to solve this problem? That is where Keycloak is pitching in, and we will slowly move into Keycloak.

Let's move to the next section. Now, I have taken some snapshots from the Gartner Magic Quadrant for Access Management, how it is looking. By 2022, 60% of access management implementations will leverage user and entity behavior analytics, UEBA, which is coming up very quickly, and other controls to provide continuous authentication, authorization and online fraud detection. This is going to be really very important. By 2022, 60% of all single sign-on transactions will leverage modern identity protocols like SAML, OAuth 2 and OIDC over proprietary approaches, up from 30% of what it is today. By 2024, the use of multi-factor authentication for application access through AM solutions will be leveraged for 70% of all application access, up from 10% of what it is today. So this is very important to remember; it is the primary reason why we are looking at this.

What are the opportunities available? If you look at the opportunities, we know that authentication is becoming everything now; the acceleration of digital business is driving investment in new architectures and creating a lot of identity and access management. When I see all these, what does that mean? You are getting inside your mobile system, your laptop, your cloud system. You have social media platforms, you have a bank account, you have different accounts from which you want to retrieve details. All those things fall into the bracket of authentication. So you need to rapidly change things, but at the same time you need to manage them well. When I'm saying authentication is everything: identities get split into a hundred places and you have a master password; that solution is also available, but it is not sufficient, because how many integrations do you want to do? That is where we have to pick and choose a solution which fits all sizes, isn't it? Then fraud detection and identity proofing are becoming very important for that reason. And if you look at the emerging technologies, there are a lot of vendors and competitors coming up with different kinds of solutions; BYOI schemes are available. These requests are going to grow really fast and in a very rapid manner. In fact, your IoT devices need authentication to collect some data. If you are going for a blockchain solution, the whole authentication is different. If you are going for a cloud solution, similarly, they have their own identity providers inside the cloud today. But what we are talking about is whether that is centralized, whether it can be managed easily from one single solution for all, considering your legacy, considering your identity management, in the use of integrations in social, in banking, in every space. How users are looking at solutions is completely different, very different from how it was five years back. So the market size and growth is also very great at the moment. What we can see is that it is going from 14.5% to 20.7624 USD billion by 2026; it has huge potential to grow in this space. And apart from that, the areas where IAM can pick up are BFSI, telecom, retail, government, energy, utilities, education, manufacturing, healthcare, everywhere. Basically, I would say everywhere this will be required. For that reason, the way to choose a tool and start picking it up, as an architect or as a solution provider, is that you need to pick and choose the proper tool and then inject it as a solution.

If you look at the high-level architecture, how Keycloak has been designed: it provides a centralized one. It goes to the social media section; in this diagram it is talking about signing in with Google, GitHub, Facebook. You will also be able to achieve identity brokering, where you can use SAML, OpenID Connect, Kerberos, and user federation with LDAP or Active Directory. And then you are directly able to send your tokens from your mobile or laptop and get your API services connected to the centralized Keycloak. That is the high-level architecture as defined by Keycloak. Even though this is a basic course, I just need to put into consideration why we are doing this kind of course these days; while solutioning, it will be very useful if you know the basics of this kind of solution. Now, what problem is this solving? We have seen that in all the spaces it will be really useful: in regulatory, compliance and governance. You will see security protections, any kind of fraud detection, security analytics, adaptive and risk-based controls in the business systems. For MDM, master data management systems, business intelligence, you will see that it is interconnected for the customer experience. I mean, whether you are in the insurance space, in the banking space or in the technology space, anywhere, you will be in need of omnichannel support for those kinds of experiences. You need an identity and access management system which can be taken into consideration from a centralized place. That is where Keycloak is picking up.

Let us look at a high-level approach of how Keycloak works. You may not find these diagrams on Google or somewhere; this is purely built by me. If you look at it at a very high level, a thousand-feet view: at the top level you have business services, which are used by a business actor who has a business role in the organization. Through business processes it is achieving some value. Below this you have some applications. These are the business components, and then the application components. What are the application components doing? You are coming to our system through an application into this. And when you are coming through that, this actor who has a business role, accessing this application through an application interface, first enters the authentication, authorization and collaboration section right here, where you will be having Keycloak adapters and Keycloak. So every time, the whole business, whether we are talking about one business or maybe a hundred businesses, if they are collectively coming through an application interface, it will always pass through this. This is where we are planning to put Keycloak, and the Keycloak adapter and Keycloak service will be reached through an application service. And there will be application components, and these application components in turn will be residing in an infrastructure. Let's not go into the details of this, but this application component will achieve certain application functions which will have data objects, which means the database. And this in turn will be solving a business problem and providing value for the solution. This is how Keycloak, at a very high level, can provide us a solution for the whole enterprise.

Although it is providing a solution, how is it provided? When I say the Keycloak adapter: from the application interface you are coming, and there is a Keycloak adapter and Keycloak services in between. So this switch will be providing authentication, authorization or single sign-on, whatever we are talking about. But remember, these adapters are ready-made adapters which are made by Keycloak, and available for whom? For Android, for JavaScript, for .NET, for Apache, for iOS, for Node.js, for Apache Tomcat, Spring Boot, OpenID Connect, Spring Security, WildFly, SAML and many, many more, with ongoing development. And because this is open source, you will be getting more and more in the coming years. But at the moment these adapters are available. And what do you need to do? You need to take these adapters and start using them. Remember, with this you can scale up from just a few users to millions and millions of users. So it is not very new to the market; development has been going on for 14 years and it is a very stable version at the moment. If you take this kind of solution and start implementing it, then you really get a lot of benefit out of a single IAM solution. That is the high-level approach. I will be showing you in this particular course how to kickstart with your Keycloak, and then the Node.js and JavaScript adapters at a very high level, and then we will go to the bottom level with Apache Tomcat, how you can configure those. And we'll see if there is anything else we can do in this course. But to give you the basic idea, this should be sufficient to understand how Keycloak can be used and what are the basic things you want to do with Keycloak. Thank you, and let's move to the next section. Thank you very much.
3. Getting Started with Keycloak: Hi guys, welcome back. In this section we're going to try out Keycloak. We will be installing a sample instance of Keycloak, creating a realm and a user, and securing a sample application. This is directly taken from the spec, but you don't have to really read through the spec; rather, you directly come here and try it. This is the Keycloak server which I have installed, with a user and a realm created. I'm just logging into the server to show you the basic things we will be doing here. We will be creating a realm, creating our users and setting up those users, and I will be showing you in this demo how to create realms and all those things. After creating the demo realm, how to attach the users and what the configuration will be from the URL viewpoint, those things I am also going to show you at the end of the demo. Now, to do this you need a sample application, which has been provided by the spec; the connection and all the links are there. I will be showing you a step-by-step guide and you don't really need to go back to the spec and read it through; rather, you follow along with whatever I am doing here. I will be following every step the spec has followed, and I am taking a sample application, and here is a login button. When you click on Login, it takes you to the Keycloak server, which is directly connected. I have connected it and ended the session; you will also be able to connect it. Then you put in your username and password and sign in, and it will be signing in through the Keycloak server. That is what we are going to do in this particular section of the demo. I will also be showing all the installations and whatever is necessary in the next section. So I hope that clarifies why we're doing this directly from the spec as a startup, and as a warm-up lesson it will be really helpful for you guys. Rather than going and reading through hundreds of pages, or 50 pages or five pages, it makes sense that I show you directly and you just follow through, and you will be able to configure everything on the Keycloak server to connect to the WildFly server. The sample application for WildFly has been provided by the spec, and I will also be giving you all the links at the end of this lesson. Let's move to the next section now. You're ready for that. Thank you.
4. Installation: Hi guys. To start with, the first thing I want you to do is go to keycloak.org. This is an HTTPS site, so depending upon your browser it may ask you to accept some certificates and all that, but it's okay; you can just type this and go to this particular site. Now, in this section I will just start by showing the minimum requirements Keycloak needs for you to run and install it. Java 8 is something you need. What I did before I started this particular session is that I have already installed Java on my machine. So you can take action and download the Java part of it; it can be JDK 1.8 or something above that. Take that JDK. You will be requiring zip or gzip and tar, if you are downloading some archive files, to extract them, or however you want to extract those files depending upon what you are downloading; you may require one of these. You should have at least 512 MB of RAM; that is the minimum required, and at least 1 GB of disk space. I think everyone should have this much space. Apart from that, one more thing you need to remember: you should have a Maven installation. So what you basically need to do, after installing Java, is go to your environment variables section; you can just type it in here. Go to the environment variables, check your path, whether it is in the path or not, and add the Java path to it. Then, since we will be using it in this particular section, you may need to add Maven also, like that. I have already added it. What I need to do is go to the environment system variables. I will go to the environment variables and look for JAVA_HOME; I have set my JAVA_HOME. You guys can also set this and check that your Java is installed properly. Also check that it is in the path; you just need to check in your path that Maven is added. I have installed Apache Maven 3.8.2; depending upon whatever is available when you are doing this course, you can download that particular version of Maven. Even if you are running a Maven script at some point, you really don't need to be an expert in Maven at this point in time, let me tell you. You just need to run some commands and understand those commands. Now, apart from this, in the later stages there are a few other things which you may need to configure, but the basics are: you go to the environment variables section, you set up your Java and Maven after installing the JDK, then you install your Apache Maven. How to download them? You can just go to the download page on the Apache Maven site, 3.8.2, and select any of these depending upon how you will be extracting them. You can download the zip file; I have downloaded the zip file. Once you click that it will start downloading. You take that, you extract that zip file and keep it. I will just quickly show you how it will look; this is my Apache Maven 3.8.2 which I have downloaded. Basically, this was the one I downloaded from that particular site and extracted. And then I have set it, as I just showed you: my Maven has been set. Okay, let me again show you so that there is no confusion, because these are the silly things, but based upon this it may work or it may not work. So I think most of you working with all these must know what I have done: in the Keycloak folder path I have downloaded Maven, just as I have shown you. The Keycloak path: I have downloaded and extracted Maven over here. So this is the extraction path. When I was right-clicking, I was doing extract files; it has extracted Maven 3.8.2 for me. And this I have taken and set in the path; I went to the path, and in the path I have just added it by clicking New. Apart from that, what is the other thing I told you? To get your Java. So I have installed Java; you need to download JDK version 1.8 or onwards. Just download it and set the bin folder in the path so it is executable. It will get Java in the path, it will get Maven in the path. That's why you need to edit the system variables and add those. Those who don't have Java can directly go to the Java site and download it. For Windows you will be downloading the Windows version; for Solaris or Mac or anything else you will get it on the Oracle site. So you can just download depending upon your choice and then set up the environment variables, just as I have shown here.

After you have set that, what do you need to do? You have to go to the Keycloak site. You go to keycloak.org, downloads.html. There you take the first one, the Keycloak distribution powered by WildFly. This is now called WildFly; earlier it used to be called JBoss, isn't it? You just go to this section and download the zip file. Just click on this and it will start downloading the zip file. I will not download it again because I have downloaded it already. So if I go back, what I can show you is this is the Keycloak which I have downloaded. Basically, you will be getting keycloak 15.2. After your extraction, you will get 15.2, and inside that all the modules, bin, docs, everything you will be getting. This is the first step. First step done. Now, after you do this, how to start the Keycloak server? It's a very simple step. What you have to do is go inside the Keycloak folder; I will go there, I will go inside bin. I am inside the Keycloak folder, inside bin. I'm just opening a cmd. You can open a shell window, depending upon where you are working. A new window will be opened. If you type dir here, you will see that standalone.bat is available. Right? Now, what you do is you type standalone.bat, and what it will do is start your Keycloak server. One more thing while this is getting up and running. Remember, before you start this you have to check, as I was telling you: you need to check that your Java is installed, that your javac command is going fine, you're fine. I have Maven version 3.8.2 (mvn -v). Java is up and running (java -version). Once you see these things are already there, you just go inside this particular bin folder and run standalone.bat. We will be taking a backup of standalone.bat later when we will be modifying it. Or, if you have an existing standalone.bat, make sure, if your starting point itself is standalone.bat and you have a WildFly server already in place, that you are taking a backup even before doing anything directly on the server. Once you have started this, you have to create an admin account. Where will you create the admin account? You have to go now. We can close the download window; the download is over, but for the time being we will keep it open because there are other things which we may need to download. Go to the download section. To keep things open, I will tell you what needs to be downloaded as and when required. Just don't download everything all of a sudden; wait for my instruction, and we will download according to our requirements.

Now, one more thing I want you to change. See, when you are running Keycloak, you need to understand that both WildFly and Keycloak will try to run on the port localhost:8080, because we are doing this on the local machine; we are not running it in Docker or anywhere else. At the moment everything is running on the local machine. Now, when I'm running it on the local machine, it tends to capture the port. Now, how will that work, so that later there is no conflict and I am able to work with WildFly? Why am I saying this? Later we will be in a position where you have to install WildFly. When you are installing WildFly, it will also try to occupy port 8080. So the safer way to come out of this is to change the port. Now, how to change that particular port? I will give you a command for how to do that.
5. Create Realm & User: Hi guys. In continuation of the last session, the first thing we need to do is create an admin user, because Keycloak does not come with a default admin user. Which means, before you can start using Keycloak, you need to create an admin user. To do that, I will show you where you have to go. Then eventually I will go to the point where I said the port needs to be changed in the last session. Let's first see how to create the admin user. What you have to do is this: we have already started the server. In the last section, what we did is we went to the bin folder and then ran this command, standalone.bat. Running standalone.bat has resulted in starting the server. The server is running, and now we will just open it. What you need to do is go to localhost. As I said, by default it will run on localhost:8080. Then slash; the moment you enter this, it will come to this screen. This is the Keycloak screen, and on this screen you will get the administration console, the documentation, the Keycloak project mailing list and issue reporting. What you need to do is click on the admin console. Now, what this one is asking you for is exactly how you will be going inside the Keycloak server. Right? One thing I need to mention here: because I have created the admin user in the first place, before showing this demo to you guys, I'm not getting the first screen which you may get. If you are trying this for the first time, what will you get? You will get something like this. After opening the server at localhost:8080, you will be prompted with this welcome page where you have to create the initial admin to get started. You may get this, and you need to click on the Create button in the first place. Don't forget this one. Remember whatever username you put here; you have to remember that. I'm just showing that while I was creating it, in my case the name is Administrator. What I have put, you can put according to your choice of name. Once you create that, you will be prompted with this screen. The moment you again hit this localhost:8080 port, it will be asking you; now you can put in whatever you created in the previous step when you were creating the initial admin user. Now, I have created it as administrator. I will put in my password and I will sign in. The moment I sign in, it will go inside the realm.

Now, the question is, what is a realm? It is a managed set of users. Basically, when you are dealing with this kind of operation, the first thing you need to build through this kind of tool, Keycloak, is users, right? You have to create a lot of users. Users, authentication or authorization, all these processes are related to some group of users or a user, right? You will be dealing with that first. It will have some users, and for those users you will be creating a process of authentication and authorization. There will be credentials, there will be roles, there will be user role mappings, composite roles, groups and all those. Just for now, what you can remember is that this realm manages a set of users, credentials, roles and groups. And what is a user? A user belongs to and logs into a particular realm. What is a realm? It manages the set of users; that is the first thing to remember. And realms are isolated from one another and can only manage and authenticate the users that they control. You are creating a demo realm inside the master realm. Whenever you are loading the Keycloak server, there will be a master realm which is created in the first place. Then what you need to do is click on Add realm. Say, for example, for you to understand the whole concept, I will be clicking on the Add realm part and I will show you how to create the realm inside it. If that is clear, let us move to the next step.

Let us now move on and create our own realm and then a particular user. The first use of the Keycloak admin console is to create the realm. In general, here we can see the master realm, which is by default provided by the Keycloak server. Now we want to create one more, as an example. We will actually be working with the demo realm in this particular section. But for you to understand, let me create a realm, so you will be clicking on Add realm. The moment you click on Add realm, you will be asked to name that realm. You can name it anything; it depends upon what you want to give for that realm name and the associated users and applications. You can give it a particular good name. For us, in this case, it will be demo or something like that. But if you are working on a real project, you can choose the name accordingly. Now, remember this realm is again associated with your master realm. The master realm was created by Keycloak and it already contains the admin account; in the first login, when we were creating the admin user, this was getting added to the master realm. You use this realm only to create other realms. So in our case, the master realm is getting used to create the demo realm, or whatever name you are giving it. Let us put in a realm and show you how to create it. Let us name it "demo again", because I have already created "demo". I'm just keeping this as "demo again" so that you can actually create a demo realm instead of "demo again". But just to show you: if I create this, the realm will be immediately created. The "demo again" realm has been created for me from the master realm. Click; sorry. What you need to do after the demo realm is created is create the user. From here, you need to come to the Users section. We are in the "demo again" realm, and you have seen the realm settings where it is talking about the OpenID endpoint configuration, which we will be talking about, then the SAML identity provider metadata endpoint configuration, and all those things we will see later. There are the login, keys, email, themes, localization, client registration policies and security defenses tabs; a lot of things are there. Let us not get confused at this point in time, and create our user under "demo again". How will you create a new user? It is again a simple process. You just click on Add user and then put in a username, for example; here I'm putting "re-check", so that is the name of the user who will be added to "demo again". Then you can make sure that Email Verified is on. You can turn it on depending upon your choice; you can make it switched on or switched off. At the moment we don't have a group, so we're not going to put anything there, and we will save this. What happened? The user has been created, and if you click and want to see the users, you will see it has been created under "demo again". Let us go back to demo. In our tutorial, we will be using the demo realm, and you now know how to create a realm and how to create a user under the realm. So you have a user; you can put another hundred users under this, but all the users will get added to the demo realm; in our case it is demo. I was showing you "demo again", so don't get confused with this. I was just trying to show you how to create that. So don't get confused.

Now, after creating this user, you can go to the Credentials tab of that user. You click on the user, go to Credentials and put in the credentials, the password. Here you need to type the password, okay? So type it, and you need to remember that password. Next time when this user logs in, these credentials will be used, so don't forget that. I will also put a password for this user; you can put one of your own choice. Once this is done, you can give a label; I'm just giving a label for the moment. And that's it. Then save it. Once this is saved, the credentials have been created under the demo realm and your user is already there. You are good with it. I hope you understand this. Now, what you need to do is log in to the account console. How can you log in to the account console? You have just now created the user, right? You need to log out of the server, get logged out. And now I want to get inside the user account. You have seen that it was an administrative login. Now, out of the
administered I mean, we have signed out of the
administrative system now we want to log
in as Shannon. Shannon is a username and password is what I
have given there. And I will try to sign in. So I'm doing a mistake here. What is the mistake? The mistake is still into the realms. I am not in the
demo rooms, right? What do you need to do is open another browser type localhost. And then a right demo. Sorry, I have to first give the remnant demo slash account. Then given Enter. What will happen? Realms spelling is wrong. That's why what do you have to do is you
will be asked to sign in. You click on that. Now, see the difference. It isn't all thrills. And here what we are doing
is we have given auto rooms, demo, and then we
have written account. And this has redirected
off the debt to here. Last time I was giving Sentinel and I was
giving my password. It was not giving me to
login because we were in the a route I when we were in
the administrative section. Here we are in the
account section. So now let me put shunt know
and I will put my password. Once I signing. I am inside the user account. Here you can just give
you whatever you want. I have given my username
and password for the user depending upon for
whom you are creating that. Then you can save it
and come out of this. Now, if you are updating, that is what it is showing your account console and
all those other things. Now, now we have to create, we have created the rooms, we have created the user. The next day. Make other things running. According to the objective
of this particular section. We need to make
sure that we have a sample application
for which we will be creating this
authentication mechanism. So the authentication mechanism
is handled by key clock, but we need an application, the application itself
needs a server. In our case, we have an application server
as wild flight. So we need to
download while Phi. And then we need to have
the sample application, which is which is being deployed into the
wild fly server. And then we will be securing data application of
wild fly server. Along with the gig lock server. We have some certain steps. We will go and discuss
that in the next section.
6. Port & Client Adapter: Hi. In this section we will secure our sample application and take the necessary steps for that. Sign out of what I showed in the previous section; you can close it now. What we need to do is download WildFly. Just click on Download; I have already downloaded it, so I will cancel, but you can start the download.

Now that you have an admin account, a realm and a user, you can use Keycloak to secure the sample WildFly servlet. WildFly is an application server; we will take the WildFly server, install the sample servlet provided with WildFly, and secure that application. First we will run the application, and then we will see how to secure it: whenever you log in to that application, it will go through Keycloak. How we move the authentication module out of the application, decoupling it, is what we are going to see here.

So the first thing to do is install WildFly, and then the WildFly client adapter. Let me go to the folder. We take the WildFly zip and extract the files. I am keeping it in C:\keycloak; you can extract it to your own location, just remember where. Once that is done, go back to the downloads section of the site, keycloak.org/downloads. In this download section you have to take the WildFly adapter. With the adapter you need to: install the adapter, register the application in the admin console, modify the WildFly instance to work with Keycloak, and use Keycloak with the sample code to secure the application. I will show you the sample code, and then you will be able to log in.

Click on the zip and download it. We are working with WildFly; if you are working with JBoss Fuse, NodeJS or Tomcat, you need to download the client adapter for your particular application server, web server or JavaScript application and modify it accordingly. Two kinds of adapters are available: one is SAML and the other is OpenID Connect. We are taking the OpenID Connect one. I have already downloaded it. After downloading, extract the files. Once extracted, you can delete the two zip files; they are not required anymore. Now I have the WildFly adapter and the WildFly folder.

Now, you remember in the previous lesson I said we need to adjust the port used by Keycloak. At the moment, if you go to localhost:8080, Keycloak is running on port 8080. If you run WildFly directly, by going to the bin folder of WildFly and running standalone, it will also try to occupy port 8080. There will be a conflict between WildFly and Keycloak. So we need to change the port of either WildFly or Keycloak. In this example we change the port of Keycloak, so there is no conflict and we can run the two servers separately.

We have already unzipped the file. Now we need to check whether the Keycloak server is running. It is running, and we need to stop it, because we are going to modify the port. Nothing else is required; this is good enough. Let me keep the downloads in case we need anything from there.

Now go to the bin folder of the Keycloak server. On Linux, Windows or PowerShell the commands differ slightly. My Keycloak server was up and running, and I am now going to type commands to change the port. What is the command? If you list the directory, you will see there is a standalone.bat. I type standalone.bat, then -D, then jboss.socket.binding.port-offset. You can find these commands in the WildFly documentation as well as in the Keycloak documentation for changing the port number. On Linux you use standalone.sh; the rest stays almost the same:

standalone.bat -Djboss.socket.binding.port-offset=100

In PowerShell it will again be standalone.bat, but instead of a bare -Djboss... you put the whole argument inside double quotes. That is the only change. Press Enter. This will change the port number on which your Keycloak server is running. Once that is changed, I will tell you some other things to do. Let's wait a second. I think it has changed now. How do you confirm that Keycloak is running with offset 100? With an offset of 100 it will run on port 8180. Let me check whether the change has really happened: I go to localhost:8180 and the admin section. You can see 8080 has successfully changed to 8180; Keycloak is running on 8180. You may want to log in and quickly check that it is running properly. In my case the user is admin; I put the admin password and go inside Keycloak to check that everything is fine. I have a demo realm running, which is under the master realm. Fantastic, we are good.

Now the next step. Go to the downloads folder. Remember we extracted the adapter. Inside this WildFly adapter folder, copy everything (Ctrl+C). Now come to WildFly. If you go to the bin folder you will see what is already there, and the adapter will add some additional things. I am showing this so that you understand what gets added. Remember, if you are adding this to an existing WildFly, take a backup of your standalone.xml, which is where you define all your configuration. On a fresh one it's fine. I take everything from the adapter folder and paste it into the WildFly home folder (Ctrl+V). Last time I told you to watch this particular section: the adapter was not there before, and now you can see an adapter has been added. There is also an Elytron adapter, which we will not be using, at least in this configuration. We have seen that something has been added to the configuration, the domain as well as the modules. Let us not go deep into that. Let us move to the next section and start the WildFly server.
7. Registering Vanilla Application - WildFly: In the last section we changed the offset, so Keycloak is now running on port 8180 instead of 8080. If you type localhost:8180 it is running on that port; if you type localhost:8080, it should not run. Along with that, we have overlaid the WildFly server with the Keycloak OIDC WildFly adapter: we took the adapter and copied it into the WildFly server folder. The next step is to start the WildFly server. Go to the WildFly folder, then inside bin. Starting WildFly is again a simple process: run standalone.bat. It will kick off the WildFly server. Let's wait a moment for it to start, and then we will check which port it is running on.

So we have the client adapter in place and we are just starting the WildFly server. Remember, before running it you have to install the adapter, which we did in the last section. And while changing the offset, remember to stop the Keycloak server first and then restart it; then you will not face any problem. That is just a troubleshooting tip.

Now that it looks like it has started, we have to register the WildFly application. Before that I want to hit the server and check what is happening there. I enter localhost:8080. At this point you can see that WildFly is running on localhost:8080; your WildFly instance is running on this port. A few minutes back it was not running. Earlier Keycloak was running on port 8080; now WildFly is running on port 8080 and Keycloak on port 8180, which is the change we made in the previous section.

Now we are ready to register this. To register it, come to the Keycloak server and go to the admin section: type /admin, and you will be back in the administrative section; type your admin username and password and log in. In our case we are dealing with the demo realm, where all our users are registered, so click on the demo realm. We are registering the client. Click on the Clients section. I have already added it, but you can create a new one: click on Create. You have to give the client ID; for us the client ID is vanilla, because that is the vanilla application we are going to show in this demo. Type vanilla, and give the root URL, the URL on which the vanilla application will open: http://localhost:8080/vanilla. Then click Save. I will not save it because I have already saved it; I cancel and go back. Once you save, the vanilla client ID is added.

Just before the next step: you are adding the URL http://localhost:8080/vanilla, so let us type that to understand what we are trying to achieve. When you open localhost:8080/vanilla, you get a page. This could be a full application page, your Angular application, your JavaScript application, your Spring Boot application, React, anything on the front-end. What we are achieving here is decoupling the login. When you click on Login, we want it to be authenticated by Keycloak rather than by the application itself: rather than having our own application database, or AD authentication triggered directly, or LDAP, or any other or federated mechanism, whatever you want to log in with, you attach it to Keycloak. That is what Keycloak achieves here. The vanilla application is provided through the client adapter for WildFly in the Getting Started material; I will give you the link so that you are not confused. But we need to understand the basic idea of what we are trying to achieve.

Now go back and click on vanilla. You get a link like this; whatever you have added is shown, and localhost .../vanilla is attached. Now you need to do two things. Go to the Installation tab. You need to select two things from here. One is the Keycloak OIDC JSON. Download it (I have already downloaded it, so I will not download again) and save the file as keycloak.json. You will have observed that there is a place where I have already kept it saved, keycloak.json, in my local directory. Let me show you what it contains: the same thing you see here. You save it in the Keycloak root directory.

Then one more step: choose the Keycloak OIDC JBoss Subsystem XML. Download it and save it as XML in the same path; you can see keycloak-oidc-subsystem saved there. What are these connectors? I will discuss them in a later chapter; here we are doing the hands-on part, so let us not go into the theory. Modifying the WildFly instance is our next target. Let's move to the next section and do that.
8. Modifying the WildFly instance: In the last section we registered the WildFly instance, the vanilla application provided by WildFly. We also saved two files: the keycloak.json file and the XML document. In this section we will quickly modify the WildFly instance that has been provided to us. An instance is basically a sort of bare application that requires some additional configuration; whenever you get an application, you will need to do some modification in its configuration. That is what we will be doing in this section.

As a prerequisite, remember that you have created the client named vanilla in the demo realm. Let me log in again and quickly confirm: this is the demo realm, and in it we have created the client vanilla.

Next, go to the WildFly directory, because we are putting additional configuration in the configuration section. Inside it, find the configuration part: standalone/configuration, and in there you will find standalone.xml. I will open it in Notepad; you can use any text editor. Here we have to find a particular Keycloak entry. Start searching for "keycloak" from the top. You will get an entry like this. Depending on which version you downloaded, it will be urn:jboss:domain:keycloak:1.1 or 1.2; mine says 1.2. When you do this for the first time, you may not get this at all; you may just get one self-closing subsystem entry. What you need to do is take that out and put a subsystem entry with separate opening and closing tags, so that you can put something inside it. Earlier we took an XML template; paste it here. When you paste it, in the name attribute it will have a placeholder like "WAR MODULE NAME.war"; take that out and put your WAR name. That is good enough.

The rest of the entry is as follows. It says which realm you are dealing with: demo. Inside the demo realm there is vanilla, and as the resource it is vanilla. Then public-client is true. The authentication server URL is on 8180. And SSL is required only for external requests at the moment. So basically what I am telling the application is: every time you come to this subsystem, authentication happens from here. This is the subsystem, defined from here to here. This is the key thing you need to remember.

After this, save the file and restart your application server. For me it's not required because I already had the entry, so I just close it. You save it and come out. Then restart your application server: exit and start it again so that it picks up the configuration changes from standalone.xml. Once you have rebooted the application server, we go to the next step: installing the sample code to secure the application.
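To tie the port change from the earlier section to the subsystem entry described here, the following is an added Python example (not part of the course material): it loads a constructed keycloak.json for the vanilla client, flags the case where auth-server-url would clash with the port the application server occupies, and renders the equivalent secure-deployment element for standalone.xml. The JSON values and the vanilla.war name are assumptions matching this course.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed keycloak.json, shaped like what the client's Installation tab
# produces for the vanilla client in the demo realm (an assumption; not the
# course's own downloaded file).
KEYCLOAK_JSON = """
{
  "realm": "demo",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "external",
  "resource": "vanilla",
  "public-client": true
}
"""

REQUIRED_KEYS = ("realm", "auth-server-url", "resource")


def load_adapter_config(text):
    """Parse adapter JSON and reject it if a key the subsystem entry needs is absent."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"keycloak.json is missing required keys: {missing}")
    return cfg


def auth_server_port(cfg):
    """Port the adapter will contact Keycloak on (scheme default if none is given)."""
    url = urlparse(cfg["auth-server-url"])
    return url.port or (443 if url.scheme == "https" else 80)


def port_conflict(cfg, app_port):
    """True when Keycloak and the application server would share one port,
    which is the 8080 clash the course resolves with port-offset=100."""
    return auth_server_port(cfg) == app_port


def to_secure_deployment(cfg, war_name):
    """Render the <secure-deployment> element that goes inside the keycloak
    subsystem of standalone.xml, with the same values as the JSON adapter file."""
    dep = ET.Element("secure-deployment", name=war_name)
    ET.SubElement(dep, "realm").text = cfg["realm"]
    ET.SubElement(dep, "resource").text = cfg["resource"]
    ET.SubElement(dep, "public-client").text = "true" if cfg.get("public-client") else "false"
    ET.SubElement(dep, "auth-server-url").text = cfg["auth-server-url"]
    # The XML template writes this value in upper case (EXTERNAL).
    ET.SubElement(dep, "ssl-required").text = cfg.get("ssl-required", "external").upper()
    return ET.tostring(dep, encoding="unicode")


if __name__ == "__main__":
    cfg = load_adapter_config(KEYCLOAK_JSON)
    print("Keycloak port:", auth_server_port(cfg))
    print("clash with WildFly on 8080:", port_conflict(cfg, 8080))
    print(to_secure_deployment(cfg, "vanilla.war"))
```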
9. Testing the Application Authentication: Hi guys. In this section we will install the sample code to secure the application. That is the final step, and then we will be able to integrate the application with the Keycloak server. We have our WildFly server and our Keycloak server both running at the moment. What we need to do is quickly go to our download section. There are two ways to do this. If you want to do it with Git, install Git on your machine and clone the repository. But at the moment we don't need to clone with Git; you can find the cloning option in the docs. For simplicity, go to the examples section, where there is a Quickstart distribution; take the zip and download it. Click on it and the Keycloak quickstarts will be downloaded. Put the download into your Keycloak folder. I have already extracted it; you need to do the same in your Keycloak root folder. You can also do a git clone; if you have your username and password (sometimes it asks for them) that will also serve the purpose, but for now we are not doing the git clone. If you go that way, open a command prompt and type git clone https://github.com/keycloak/keycloak-quickstarts.

One more thing to remember, as I said: keycloak.json should be lying in this folder, so make sure it is already residing here. Then go inside the Keycloak folder; after unzipping you get the keycloak-quickstarts directory, and you need to find the app-profile-jee-vanilla directory. Go inside it, and we can deploy by giving a command. The command is simple. We are using Maven for this: mvn clean wildfly:deploy. This will deploy the application into this application server. We are inside the app profile directory and saying: clean it and deploy. But remember there are other directories too, which is a bit confusing, so make sure you are not going into the similarly named app-authz vanilla quickstart; you have to go to app-profile-jee-vanilla and do the deployment. I have already deployed it, but for the sake of demonstration I will redeploy, which will trigger the build. This will take a few minutes; let us wait. Once it is done, you should get BUILD SUCCESS, and then you are good and ready to test the application integration.

Now let us go to the application. As I said in the beginning, the purpose was to integrate Keycloak with the Keycloak example app, our vanilla app. We have attached the Keycloak authentication module to the vanilla app, so from vanilla you will be able to log in through Keycloak. The key purpose is to decouple the whole application authentication mechanism to the Keycloak server rather than keeping everything in the application. For example, you have an AD authentication mechanism; you integrate that with Keycloak, and every time you log in it goes through Keycloak. Your server is completely decoupled from the authentication module.

Let us try it. Click on Login. If you remember, in the Keycloak server (let me go to the administrative console quickly and give the password; I just want to show you this) in our demo realm we created a user, and I provided credentials for it. You need to remember those credentials. Then go back to your application. I am showing this just for understanding; generally you do not need to come back to the admin console, because once it is integrated you sign in from the application. I put my username and the password I provided in the Credentials section, click Sign In, and I am able to log in to the system. Whatever your system is, it will allow you to log in through the mechanism that has been integrated through the Keycloak admin console.

One last thing: I hope you observed that we were on localhost:8080 when opening the vanilla application. When you click on Login, it redirects to 8180, which is the authentication module. Then, after we provide the username and password and sign in, it goes back to your actual application. That is just for your reference, so that you are not confused: the authentication module has been decoupled onto 8180, and 8080 runs on its own. There could be a hundred applications integrated with the Keycloak server; it will authenticate each of them accordingly, but 8180, or whatever port you configure, will be the authentication page. In real life you may not see the port numbers, just the domain, but it will take you to that login page every time.

That is the end of this section. We were able to integrate the Keycloak server with the WildFly server. If you want to do this for a JBoss server, the mechanism is the same; just follow the same step-by-step process we have followed. Okay. Thank you. Let's move to the next section.
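The redirect sequence just described (8080 to 8180 and back), as an added Python example that is not part of the course: it builds the login redirect the vanilla client sends the browser to, mirrors the root-URL check applied to the redirect_uri, and verifies the state parameter on the way back. The realm, client and URLs are the course's values; the path-prefix check is an assumed simplification standing in for Keycloak's valid-redirect-URI pattern.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values from this course: Keycloak on 8180 after the port offset, the vanilla
# client registered in the demo realm with root URL http://localhost:8080/vanilla.
AUTH_SERVER_URL = "http://localhost:8180/auth"
REALM = "demo"
CLIENT_ID = "vanilla"
ROOT_URL = "http://localhost:8080/vanilla"


def auth_endpoint(auth_server_url=AUTH_SERVER_URL, realm=REALM):
    """OpenID Connect authorization endpoint of a realm (legacy /auth prefix, as in this course)."""
    return f"{auth_server_url}/realms/{realm}/protocol/openid-connect/auth"


def new_state():
    """Unguessable per-login value the app keeps in its session and expects back."""
    return secrets.token_urlsafe(16)


def build_login_redirect(redirect_uri, state):
    """URL the application sends the browser to when Login is clicked."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
    }
    return auth_endpoint() + "?" + urlencode(params)


def redirect_uri_allowed(redirect_uri, root_url=ROOT_URL):
    """Assumed simplification of Keycloak's valid-redirect-URI check: the target
    must share scheme, host and port with the root URL and sit under its path."""
    r, root = urlparse(redirect_uri), urlparse(root_url)
    same_origin = (r.scheme, r.hostname, r.port) == (root.scheme, root.hostname, root.port)
    base = root.path.rstrip("/")
    return same_origin and (r.path == base or r.path.startswith(base + "/"))


def handle_callback(callback_url, expected_state):
    """Parse the redirect back to the app after sign-in; refuse it if the state
    does not match the one issued, then return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not issued for this login")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    state = new_state()
    print(build_login_redirect(ROOT_URL + "/", state))
    # Constructed callback, as Keycloak would send the browser back to port 8080.
    print(handle_callback(f"{ROOT_URL}/?state={state}&code=constructed-code", state))
```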
10. Securing Your First Application: Hi guys. In this section we will secure our first application: a web application with a front-end and a back-end REST API. This will show you how a user can authenticate to the front-end, and how the front-end is able to securely invoke the back-end. By the end of this section you will have a basic understanding of how an application can be secured by Keycloak by leveraging OpenID Connect. Our target is how we can leverage OpenID Connect, and how our front-end web application and back-end REST API connect to each other with Keycloak authentication. Apart from that, the basic prerequisites for this are that you should have Java as well as NodeJS on your machine. I am not going into the details of how to install NodeJS; open your browser, go to the Node.js site and install the latest version or any previous stable version. Then follow my step-by-step process and you will be able to integrate these two. Let's go to the next section.
11. JavaScript-FrontEnd & NodeJS BackEnd: Hi guys. As I said, in this particular section we are going to cover the sample application, which has been broken into two parts. One is the front-end part, which you can see here, and this is the back-end part, which will be integrated with Keycloak. Now, in the front-end application, what we are providing is just JavaScript. So here you will get a single-page application which is written in JavaScript. It is not meant to explore what a JavaScript program can be; there are many things you can do in JavaScript, but this course is more about Keycloak, so we are not concentrating much on the front-end. It is a very simple application. What it will do is use the Node.js back-end to connect to the Keycloak application. Once we do the integration, we will log in with Keycloak. It will display the username, then it will show you the ID token and access token, and it will also refresh the token. It will also invoke the secured endpoint. That is the primary target. We have two endpoints, which I will be showing you with Node.js. But remember, the back-end API is also very simple, nothing much inside it. It is more to provide you an understanding of how Keycloak works, and if you can understand the basic concept, you will be able to integrate with large applications as well. So there is a public endpoint and a secured endpoint which has been provided in Node.js. That's the primary target. Now, what is the diagram on the right-hand side? The right-hand side is talking about how this request will be handled, the relationship between the request and the front-end application, and what it is doing. The front-end application is going to log in. The user is going to log in to the front-end application. It will be redirected to Keycloak. It will open our login page, which goes to Keycloak, and you submit the login page. Keycloak returns the authorization code, the token is retrieved, and finally the user will be authenticated. So this is the basic flow, this is the flow diagram. This is a sequence diagram. This is how the whole application will work. Keeping that in mind, let's move to the next section.
12. Configure JS & NodeJs with Keycloak: Now we will be running the application; that's the primary target. To do that, first go to CMD and check whether Node is installed or not. Make sure that your Node is installed; for me it shows 14.17.6. Like that, you also need to check that you have Node installed on your machine. Now, what I will do is quickly go to the Keycloak server and start it. I will go to the Keycloak server we installed in the getting-started section. Go to the bin folder, then run standalone.bat. This will start your Keycloak server. What happened? I have misspelled it. So just make sure that you are not making any spelling mistake. That will start your Keycloak server. You can do this later also, but I am starting the Keycloak server in the first step, and then we will do the rest of the things. Just to check that your Keycloak server is started, open any browser, go to localhost (port 8080), and you should land on the administration console. Yes, the administration console is there. Now, what next? We will again go to File Explorer. We will go to our folder. We have a front-end as well as a back-end. First I will go to the front-end part. I will type cmd in the front-end folder. And the first thing you need to do is run npm install. Give this command and wait for it to complete. Then go to the next command. It has installed. Now we will run npm start. This will start your front-end. While it is starting, we will open another terminal, which will be for the back-end. So we can go back and go to the back-end. Here you type cmd. And in the back-end, what you need to do is run npm install. The back-end will be installed. Once it is installed, you will be able to give the start command to start the back-end. I'll give npm start. There is some problem. Let me check. I'll just close this. I will go back and one more time try to find out what the problem can be. So I will go into the back-end section and open cmd again here. I run npm install again. There is still some error. See: keycloak/backend/node_modules, operation not permitted. So what it is doing is going to the node_modules of the back-end, and the operation is rejected. I will close this because some permission issues are coming. So I will close both of them. What I will do is copy the front-end part outside the directory. I will again do the same npm install. This is outside the directory; npm start. So starting it again. I will go to the back-end and again try to start that. What I did is I have taken it out from the Keycloak directory and pasted it outside. You may also face a similar kind of problem. So make sure that you take it out or you put it in a separate directory. Don't keep it inside the Keycloak directory. Let me start, and then I will tell you what the problem can be; npm start. So I have started the front-end as well as the back-end. So basically, what was the problem? The problem was that there was a Keycloak folder where I had done the whole Keycloak installation, and I was keeping the front-end and back-end inside that. Whatever was happening, there was a conflict with the other things which I had loaded. What I did is I just copied the front-end and back-end and pasted them directly inside the C: directory. I pasted them here, went to the front-end and started the front-end, then went to the back-end and started the back-end. So that's clear. Now let's move on; we have now started both.
Let's see how we can open the ports and hit them in the browser. Open a browser. Make sure that your Keycloak is running. We know that our Keycloak server is also running. From the last section, we have learned how to run Keycloak. So you need to run Keycloak and make sure that the realm has been created, not the master realm but the one I discussed in the previous section, which means your Keycloak should be up and running and the realm named myrealm has been created. How to see that? Go inside the administration console, sign in with your administrator username and password, and check that myrealm has been created. Your endpoint is shown as the OpenID Endpoint Configuration. This is something you need to remember. Once this has been created, you can give a global role name as myrole. You go here, and there you can create a role as a realm-level role. You just give the name as myrole. This is something I have discussed in the other chapters already, but you just need to follow the same instructions and create this realm. You create myrealm with an OpenID endpoint configuration similar to this screen, and then create the role myrole. That is good enough. Once this is created, you are ready to go to the next section. Now, what you can do is go here and hit localhost:8000. You will be able to see a screen showing Login. As I said, the JavaScript is nothing but a screen from where we are expecting to redirect to Keycloak. So if you click on Login, it says "We are sorry". What does that mean? That it has not been able to connect to the Keycloak server yet. We have not done any configuration inside Keycloak so that the front-end can understand that. What is the other thing running? The back-end is running on Node. To reach there, hit localhost:3000. This is the public endpoint, and this is the secured endpoint. If you click on the
public endpoint, it is just a public message. If you click on the secured endpoint, the access is denied. So remember this situation: we are not able to connect with Keycloak at all, so there is no connectivity. Now, how to connect this? That is the main question in hand. What we will do is go to the Keycloak server, which will have a role. As I said, you need to create this role in myrealm. Now, what you need to do is click on Clients. Yes, this is Clients. Now you need to click on Clients, and then you need to click on Create. You need to create your client. That means you need to create myclient, which will be able to connect. Let us create myclient. I have chosen OpenID Connect; as I said in the beginning of the section, our client protocol will be OpenID Connect. OpenID Connect allows the client to verify the identity of the end-user based on the authentication performed by an authorization server. SAML enables web-based authentication and authorization scenarios, including cross-domain single sign-on, and uses security tokens containing assertions to pass information. Just remember this. Then what we need is the root URL. In our case, our root URL is localhost:8000, the front-end. Just now we have seen our front-end on port 8000. Remember, I was trying to go to localhost:8000, which was giving me a login page, right? So that's why I am adding port 8000. Then click on Save. Success. Here you will be able to see the set-up parameters. So your client ID is myclient. You can see the root URL, the valid redirect URIs, the web origins. These parameters are very important to remember. We will not go into the details of all the configuration in this basic course. But remember, this is what you need to remember from this viewpoint. You can just explore all that has been written here: granting access, email IDs, editing. There are a lot of options here. Somebody may ask why you are adding this root URL, localhost:8000. Basically, in your case it will be different IPs in production. When you are adding this, you are making sure that if somebody is trying to go to attacker.com and try to attack, they would not be able to authenticate, because of this configuration. That's the primary reason you need to add that inside Keycloak, so that no attacker will be able to attack that. That is the primary thing you need to remember. One more point: web origins. If you see web origins, this option registers the valid web origins for the application. You have heard about CORS, which is cross-origin resource sharing. To obtain a token from Keycloak, the front-end application has to send an AJAX request to Keycloak; the browser does not permit an AJAX request from the web origin unless CORS is used. This also is a key method and you need to remember this. Now, just by doing this, what you can do is you
can go and refresh this page. In the meantime, let us see what the other things available are. Client scopes: this we will cover in a detailed section in the next course, not in this course; it is fairly detailed-level information, so you can just trace through it. So, what I am saying is, you go here and click on Login. Now you are able to come to the section where you see that it is directly redirecting to your Keycloak server. So you have given the configuration and it is able to come and land in the realm. What is the realm name? myrealm. Now, if I want to log in as an administrator, I can do so. But if I want to create a user, what you need to do is just go here and create a new user for myrealm. So, for example, I am creating a user with my own name. You can put the email; at the moment I am just putting my name as the username and turning on Email Verified. You can keep it on although I have not provided any email, but I am just showing you. If you belong to an existing group, you need to add it to that. I have not yet added any group. I am just creating a new user with my name, and I am just saving it. So the user has been created. You go to Credentials and set a password. At the moment you are setting the password. That is, you are setting a password for the user we created; again, I am just creating that. Now I will go back and refresh. I will enter my username and password. "You need to change your password to activate your account" is the first thing it says here. I will put the new password. Now you will be able to log in to the application. See, as I said, it will take you there and display your name and put some image. That image can also be displayed; I am not putting that at the moment. What is this? This is
the ID token. As I said, it will be displaying the ID token and access token. So if you click on the Show ID Token button, the ID token is going to display. Now, in this, what are the things you need to look into? You can see this exp; what is this? This is the date and time when the token expires, in seconds. So if you can see this 1648000793, it is taking into consideration at what time this token will expire. Then you can see iss. What is this? It is talking about the realm, who is the issuer of the token. So that will show you who is the issuer of this token. What is sub here? sub is the unique identifier of the authenticated user; this you need to remember. With each ID token you will see the token getting changed; you can see this value (1320). Now if you refresh it, sorry, the token will get changed, but not the sub. It is a unique identifier for this authenticated user. What about name? Can you see my name here? There will be a name, and the name has been displayed as my full name. That's why this does not change, just as the sub does not change. It is unique for this user. Anything else I'm missing? Yes, preferred_username, which is just the username of the authenticated user. You can go and click on Show Access Token. In the access token, you will be able to see allowed-origins. What is this? It is the list of permitted web origins; the back-end service can use this field when deciding whether a request origin should be permitted for a CORS request or not. The allowed origin is localhost:8000. So if I want to invoke my back-end service, whom it should allow needs to be known by the realm. If you are invoking the service, realm_access and resource_access are very important. What does realm_access contain? A list of global roles. It is an intersection between the roles granted to the user and the roles the client has access to. That is what you are seeing: from myrealm, myrole is coming; it should have access. What is resource_access? resource_access is a list of client roles you are having, what the client is allowed. What is scope? You can see that scope decides what fields to include in the token. That is what you need to remember here. These fields are customizable with Keycloak, but we are not going to do that customization here. Each time you refresh these tokens, they keep changing. See, the tokens are changing; the expiry times keep changing. It is a different time each time. Now you can go to the public endpoint again, and the public message is coming fine. What about the secured endpoint? It's still saying access denied. How will we achieve that the secured endpoint works? What you need to do is invoke the service from the front-end to the back-end; otherwise it cannot directly go and hit it, and then they will be able to call that service. But still, 403 access denied is coming for us. What to do next?
13. Invoke Front End & Backend Services: Hi guys. So we are now targeting to connect the front-end to the back-end using an internal call. That is what we will be solving here. Now to solve that, the first thing is again back to the realm. I will tell you that, as I said, all the realms are different. So in the last section we have seen how a master realm has been created or a demo realm has been created. Now, as I said in the beginning of this section, you should have a myrealm, so you must have created myrealm. Once you have created myrealm, you must have saved it with an OpenID configuration. Then you need to also double-check a few things, whether we have done them; that is why it was not able to connect. Go to Users. If you have not created the user yet, creating the user is nothing: you just click on Users, then Add User, write your username and your email if you have any, first name and last name, and then click on Save. Once that is created, you will see the user has been created, something like this. Now click on this one. Once you click on the user, what you have to see is whether the role mapping has been done properly. Before the role mapping, you also need to see if there is a role. So you have myrole, which has been created. And you now have to see whether that role has been added to your group. How to create a group? You just create a new group by adding a group name; put the group name as mygroup and add it. Click on mygroup. Once you click on this, you will see Role Mappings. What you need to do is click on Role Mappings, add this role, and click on Add selected. Once you do Add selected, it will take that role mapping; the role has been added. Now, what else? I think once these two or three things are done: first, creating a realm, that is the first thing you have to do. Once you create and configure it, next you need to create a new user. Once this user has been created, you definitely have to add a username and email, first name, last name, whatever you want. After that, what do you need to do? You need to create a group. Now, for that user, you must have created some credentials by going here. And if you keep the Temporary toggle on, it will ask to change the password; if you keep it off, it will not ask to change it. In the first run at least it will ask you to change it; remember that. Then go and create our group. After creating the group, what do you need to do? You can add attributes to the group. The user basically inherits all the attributes from a group it belongs to. That is what you need to remember here. Once that group has been added, you can go and check whether the realm role has been added or not. To check that, you need to go to myrole. And what you have done: you have added that role inside Groups. That is what we have done a few minutes back. Any role in Keycloak can be turned into a composite role later, allowing other roles to be added to the role. A user who is granted a composite role will dynamically be granted all the roles within that composite role; this is just for your information. Now, that is what you need to check. Now, we will be trying whether we are able to go and invoke the services which are here. Here it will now be invoked. What we can see is, instead of showing access denied, it is trying to authenticate. Last time we were seeing access denied, but this time it is trying to authenticate. Now, when you click on the Login button, it is possible to go inside. Now when we click Invoke Service, it gives a secret message with 200 as success. Which means the front-end is able to connect to the back-end. This is basically the beauty of OAuth 2.0: how the token goes to the back-end. Basically what it does is the back-end retrieves the Keycloak public keys. It does not need to do this for all the requests to the back-end, but can instead keep the keys in the cache. It is keeping them in the cache. Then the front-end sends a request to the back-end, including the access token. So it is basically sending the access token to the back-end. The back-end, having retrieved the Keycloak public keys, uses the public keys to verify the token signature. That is how it verifies that this is issued by the Keycloak instance, and that the token is valid for the role which we have defined here. So that is what you must have seen when I was showing you the ID token; I was telling you that you need to just have a quick look through this one. And the access token, based on which resources should be able to access the back-end: it is able to go back to Keycloak, retrieve the token and authorize it. Now that you have a basic understanding of how a sample application is secured with Keycloak, you will be able to go and start exploring more. So that's a basic understanding of how the front-end as well as the back-end work. The front-end is JavaScript, and Node.js libraries are what we have used for the back-end. Let's move to the next section. Thank you guys.
14. 2 Factor Authentication - Password & Mobile Auth: Hi guys. In this section, what I will cover is Keycloak two-factor authentication. Now, we have seen that in the last section. Let me show you again quickly. In the last section we have seen this with the JavaScript and Node.js back-end, and we were able to log in to the application. Now it's not even asking; if you log out and come back, it will ask you for the authentication. And you were able to do single-factor authentication, where it redirects to your Keycloak server, and then you are able to log in to the application. You are also able to invoke your services in the back-end and get a secret message. Now, what we will do in this particular section is, when we are logging in, we will have two-factor authentication. What is two-factor authentication? It will have one more layer of authentication. I will do a connection from here, and then we will get a one-time password on my mobile. And eventually we will see how this will work. Now, there are two ways to do this. One is you can use Google Authenticator or FreeOTP. Any of these is fine. What are the steps? I will show you the same application where we were, which means localhost:8000 is what we will be using. And at the end of this particular session, you will be able to do two-factor authentication. That is what you need to remember for this. Now, how to do this? First, we will go and make sure that we are in myrealm, the realm where we are working. In this particular section, you want to do two-factor authentication. To do so, you will go to the Authentication tab. Where is the Authentication tab? This is the Authentication tab. In the Authentication tab, you need to go to Required Actions. In Required Actions you will see Configure OTP. So you can keep it as a default action for all; it will be enabled by default. This is the first step. After this first step, you have to enforce an existing user to configure the OTP. How will you do that? You have to go to the Users section. For me, there is the user with which we can log in to the application. I will go here. There is a section here in the details of the user. You need to go to Required User Actions and set this to Configure OTP. Once you enable this, you just need to save. Once this is saved, you have to go to Authentication again, and you need to see what the OTP policy is. If the OTP policy is counter-based, change it to time-based. By default, it should be time-based. The hash algorithm is SHA1, the number of digits is six, the look-ahead window is one, and the OTP token period is thirty seconds. Okay. This is what you need to save. It can be FreeOTP or Google Authenticator, anything you can download on your mobile. Now, let me show you from where you will be downloading. You can just go to Google Authenticator. This is what you should be doing on your mobile or anywhere you want to do it. Basically, the idea is this authenticator will be getting the code and we will be typing that code from my mobile. Basically, I will be loading it on my mobile. You can do it on an iPad or anywhere you want. Because these are apps, it's better to load it onto the mobile. So this is one thing. Otherwise you can go to FreeOTP, a little bit old, but I prefer Google Authenticator. You can do as you want. You can also take FreeOTP. Then we will do this two-factor authentication. So let's move to the next section.
15. 2 Factor Authentication - Contd..: Now, once you are done with this, what do you have to do? You have to go to your original application. Our application is on localhost:8000, right? And earlier we were clicking on Login. In the same way we will click on Login. The first level of authentication: it is showing that the moment you sign in, because you have enabled the two-factor authentication for this particular user, it says two-factor authentication is required. It is asking from where your authentication should occur. Now to do this, as I said, I have installed Google Authenticator. Keycloak has direct integration with FreeOTP as well as Google Authenticator. You can choose any of them, and you have to install that on your mobile. I will do the next steps through my mobile now. Open the mobile, go to the Play Store on Android, or the App Store, depending on which mobile you are using, and search for Google Authenticator. I am searching for Google Authenticator. If you want to go for FreeOTP, that also you can do. Now, you have to click on Get Started on your mobile like this. And you have to scan the QR code which is displayed on screen. So take your mobile and scan it. Once you scan, you will get a code on your mobile. Now, this code is what you will put inside the browser. Now, based on the mobile authentication, I will put what I got on my mobile. It keeps on changing every thirty seconds. 060 823 is what it is showing at the moment, and the device name. Now submit that. See, the authentication is successful. This is the way we should be doing two-factor authentication. Then if you are invoking the service, it is still working. So next time when you want to do it again, when you are coming and clicking on Sign In, it will ask for a one-time password from now onwards. That one-time password is again available on your mobile. By opening your Google Authenticator, you just type the number; at the moment it is 174837, what it is showing on my mobile. And now I am able to log in to the application. Hope that clears the whole way of how to configure two-factor authentication. If you are doing a PoC, you now know how to enable those things with Keycloak. Thanks. Let's move to the next section.
16. Tomcat & Keycloak Integration Introduction: Hi guys. Welcome. In this section what we are going to do is Tomcat integration with Keycloak. We will see a step-by-step approach of how Tomcat can be integrated: how any application which has been deployed in Tomcat can be integrated from the back-end to Keycloak through adapters. What I mean by this is, you take a sample application; the application is not the key thing here. We will take any application, any of your WAR files, deploy it into the Tomcat application server, whether the Tomcat web server or the enterprise server, whatever server you are using, and deploy that in Tomcat. Now, there is some configuration that you need to do to connect it to Keycloak. That is what I am going to show you step-by-step in this particular section. Before we go in depth, I just want to give you a glimpse of what we will be doing here and what we will be configuring. Let me open this quickly. Basically, you see, I have configured Tomcat on 8085. And what I want you guys to also do is the same. I can show you some of the tips for what I have done for that. It's a very simple thing. Just hit Enter and see what happens. This sample application is something which I have configured with Keycloak. So basically, whenever you want to get access to the sample, the authentication happens from Tomcat through Keycloak. It will ask you for the credentials. That is what you need to put. And once you put that, this is the end result. This is what we will be doing, and not the first thing. What I am showing is that this has been configured, so now every time you load the sample it will not ask, because it has now taken the credentials; basically, it is better to see it through an Incognito window. You put localhost:8085/sample and hit it. Basically, from 8085 it is going to 8080, which is where your Keycloak has been configured and is up and running. So this is my Keycloak, which is running on 8080, and this is my Tomcat, which is running on 8085. That is what I have configured at the moment. You also need to do the same. And I will show you how to do it and what configurations you need to change. It's a very simple thing, but you just need to follow it step-by-step, and then you can add lots of other things that you want to do. But these are the basic things which we need to do. I will put my credentials and it takes me to the page. That is what you need to do. Here we will be taking a simple servlet, a HelloWorld application. It doesn't matter if you have a full-fledged web application which is running, which has to go through your Keycloak server. These are the same steps you need to follow there as well. Tomcat is what we are considering in this particular section. And we will be going through the configuration, through the adapter configuration, what we need to do and what not. Right? Before I go to the next section, one more thing I want to mention: you need to go to Keycloak. In short, there are a few things on which we need to concentrate. From the download viewpoint, I will tell you what to download. One more thing: if you want to do this for the Tomcat configuration, remember there are two versions which Keycloak supports. You go to the Tomcat site and please download the 8 or 9 version accordingly. In the next section, I will be telling you what needs to be done and what not. Thank you. Let's go to the next section.
17. Prerequisite - Tomcat: Hi guys. As I was telling you, the prerequisite for this particular section will be to download Apache Tomcat. Go to the Apache Tomcat site and download Tomcat 8 or 9, depending on what you want to explore. Once you download it (I have already downloaded it, let me show you), I have kept it directly inside the Keycloak folder. This is my Apache Tomcat. When you download it you will get something like apache-tomcat-8.5.x; I have downloaded 8.5. You can download accordingly. Then you just have to extract those files and you will get a similar kind of file structure.

Once you have that, the first thing you are going to do is set up TOMCAT_HOME. Basically you do that by going to the environment variable settings: you just need to type "environment variable" and, based on your requirements, set it up as a system variable or a user variable. I have JAVA_HOME and the other variables already set up, so let us not go into the details of those. What I want to tell you is that you need to download Tomcat, and definitely you need to have Java and all the other installations which I have shown earlier already in place. Once that is downloaded, you can close the Apache Tomcat site.

Once the download is done, another important thing to do is to go to the Keycloak downloads. Go to keycloak.org and there will be a Download section. Click on Download and you will come to this particular section. What you need to do here is click on the zip file for the Tomcat 8/9 adapter. I think I got the 7 as well, but you can do that. You have to keep it in a particular directory. I did the same thing; you can see that I have kept the Tomcat 7 adapters as well as the 8 adapters. If any of you need the 7 adapters, let me know, because now it is the 8 or 9 adapters. Once you download, the download will be in this form. Again, you need to extract it, and I will show you what the next steps are. So, hope this is clear to you. You will get the Tomcat adapter like this, and you need to extract it. Because we are doing Tomcat 8, I have extracted the 8 adapters; now you are able to get 8/9.

The next thing you also need to do is take the war file. Just take the sample Tomcat application and its war file, because we are not concentrating on learning how to build a Tomcat web application; it is more the integration with Keycloak that we want to do. I will suggest you just go here and download the war file. I do have the war file and I will try to upload it along with this course. Once you have taken it, you can close this window.

You have taken the adapters. What are the adapters? The adapters are basically the connectors which connect your Keycloak with the application you are targeting, a web server or an application server where your applications are hosted. It will behave as a connector between these two. That's why you need these client adapters, which have been built by Keycloak, and you can directly take them and put them in. There will be some minimal configuration which is still needed, and that is what we are going to talk about in this particular section.

Hope you have taken down this zip file, and also the sample war file and the adapters; after taking the adapters, you have already extracted them. Copy all of this, the Keycloak Tomcat adapter: just right-click, copy, and go to your Tomcat distribution. In your Tomcat folder there will be lib; inside lib you just need to paste everything. I have already done it, so I'm not pasting it again. You just need to paste everything inside your Apache Tomcat lib folder. Inside the lib folder you are going to list all the libraries. Basically these are the library files, all the jars which have been given by Keycloak: the Keycloak adapter SPI, the client, all the adapters given for different purposes, but we just need to copy them. That is the first thing.
18. Tomcat & Keycloak Integration: Hi. After copying those JAR files inside Apache Tomcat, the adapter copy is over. Now we need to focus on where we have kept them. Remember, we are keeping them in the root lib folder of Apache Tomcat and not inside any of the web apps. The war file we have taken, sample, is inside webapps; inside sample you will also see a lib folder. Remember not to put them there; it is not going to work that way. You have to keep them in the root lib folder of Apache Tomcat. Once you put them there, the adapter copying is over.

Now we will go to the configurations. Even before we go to the configuration, we have to do two things: one is to start Apache Tomcat and the second one is to start Keycloak. Hope you remember the steps for how to start Keycloak: you need to go to the bin folder and run standalone. Sorry, the spelling is wrong again; I will just correct it and start it. This will bring the server up on port 8080. Once this is on port 8080, then you cannot run Apache Tomcat on 8080 as well. So what we will do in the meantime, while it is coming up, is go to the Apache Tomcat server. You need to go to the root folder again, inside conf, go to server.xml and change the port quickly. Where will you change the port? It's simple: you just need to go down and find 8080; instead, you have to change it to 8085. Once you change that to 8085, everything that is getting deployed into Tomcat will start on 8085. Once this is over, we will go back and see that this is done.

Apart from this, you have two more things to do; basically, I will say three more things. What are the three things? I have kept them separately so that you are not getting confused. The server.xml change I have just now shown you. Where is the context line? You have to go back to Apache Tomcat, and inside conf you will see context.xml. If you see my context.xml, I have just changed it: in the context you have to put this valve. This is what you have to put inside the context. What it will do is enable Tomcat to talk to the Keycloak authenticator valve. This valve is picked up from the adapter JAR files you copied: org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve. This you need to put inside the context of Tomcat.

What are the next things you have to do? You have a keycloak.json. Before I show this, or where you keep it, I will tell you: we need to first log in to Keycloak and we can generate it as well. We'll come to this. In the sample you may have seen there is a web.xml. Where is the sample located? Let me show you; I will quickly go to the webapps folder. I have simply dragged and dropped the sample war inside webapps and it got deployed. Inside the sample folder I have WEB-INF/web.xml. What do you need to do in web.xml? You just need to add the security-constraint and the login-config. This part you may get already by default, so you don't need to touch that. What you do is add these few lines which I have added here: the security-constraint, the login-config and the security-role. Now there are two security roles, one is admin and the other one is tomcat, which I have given; how this comes into the picture and what you have to configure, I will show you in Keycloak. Keeping this open, I will go back now.

There are three configurations to remember. One is web.xml. The second one is inside your Apache Tomcat, wherever the web app is deployed: inside the WEB-INF folder you have to paste the keycloak.json. This is where you are defining your realm, how the authentication will happen, whether SSL is required, and you also need to set use-resource-role-mappings. I will come to this; by default, when you are copying from the Keycloak server, this may be true, and you have to make it false. We will come to that point.

But let us now log in to the Keycloak server. Now that Keycloak is up, we can go to the Keycloak server and log in to the Administration Console with the administrator. The first thing to do here is create a realm. How to create a realm you must have seen in the previous videos. In the same way, click on Add realm and name it tomcat. I have already added the realm; you just need to name your realm tomcat so that we can relate it easily. You can give any name; I'm just giving tomcat. Create this realm. This realm will again come under the master realm, which is provided by Keycloak by default.

Second, you have to go to the Clients section and create the tomcat client. Click on Create, and the moment you click on Create you will be asked for a Client ID and a Root URL. Do the same as what I have given: I have created a tomcat client and given the Root URL as http://localhost:8085/sample, and the rest will be automatically generated. You don't have to worry about this. Remember this configuration; it is very important. When you are logging into this application, you go to Keycloak first, which validates whether this user is valid or not, and only then are you let into the Tomcat application. It can be any kind of war, a full-fledged application, it doesn't matter.

After you define the client, you have to create users. I have created a tomcat user. If you remember, in keycloak.json I am saying the auth-server-url is the Keycloak server and the resource is tomcat. Let us go inside. Click on Add user and give the username; I have given tomcat. If you are exactly following what I'm doing, give the name tomcat. You don't need to do anything else for that user. You need to set the credentials; you can switch Temporary off so that on first login it will not ask you to change the password. That is what I did: I switched it off, so it will be permanent. You just need to remember these credentials. That is the first important thing.

Then the available roles. Where will I get this? You have to go to the Roles section. I have created a role by clicking Add Role. Where is this role coming from? If you remember, the security-role I am giving inside web.xml is what it will be following for the role name. I am giving tomcat as the role name. I created it with Add Role, and the moment you create that role it will be directly added. Create that role, go to the user, click on the user, and inside Role Mappings move that role from the available roles to the assigned roles; you just need to select it and the role will be assigned. Basically: the user is here; the credentials are what I have already said; you switch Temporary off, put your password and password confirmation; then click on this role and add the role. Groups are not required at all. We will come to that if anything is required in that area.

Now we have a realm named tomcat. Sorry, it is tomcat, not tomcat realm; ignore this one. We are using the tomcat realm. We have created the client, the client scope, and we have the roles in hand. If there is any confusion, you can go and check that your role is also there. Inside the roles, you don't need to worry about the default roles; you just need to create the roles first. There is a tomcat role; make sure that you have created it. Then we have to create the user. The sequence may be here and there; while recording I may not have kept the order in which I generated it. But remember: you have to create a realm first, then the client, then the user, and add that user with a particular role. That is what you need to do.

Now I have told you three things. Apart from that, one more thing I need to tell you. If you go to the client, you can see how tomcat is configured. Then you need to go to the Installation section and choose Keycloak OIDC JSON. This is what OpenID Connect will enable. You can click Download and paste that keycloak.json into the WEB-INF folder. One more thing you need to remember: if you see the difference, what I did was set use-resource-role-mappings to false; here you can see it is true, so don't forget to set it to false, otherwise you may lose connectivity and not end up doing the connection properly.

In the realm I have used tomcat. Sorry, basically I made you confused about it. What you need to do is, if you are following exactly what I did, create a realm named tomcat. You can do either way; it's not mandatory that you have to create a tomcat realm, but wherever you are creating it you need to make sure it is exactly mapped with what you are putting into keycloak.json. Because I have been asked, let me discuss this only rather than saying something else. In the tomcat realm, I have created the tomcat client; that's why I was confused there between the tomcat client and the tomcat realm. So you create a tomcat client inside the tomcat realm and it will be http://localhost:8085/sample. Why 8085? It is where we are deploying Tomcat; we have already changed the port. This is what you need to do when you are creating a client: give the Client ID as tomcat and the Root URL as http://localhost:8085/sample. That is all you need to do while creating the client.

Once your client is created, go to Users and create a user, again named tomcat. Give it credentials so that you can log in to the system, and keep Temporary off so that whatever password you give is permanent; you don't need to change it at least for the first time, otherwise Keycloak will ask you to change the password on the first login. Then you need to create the tomcat role. Remember I was telling you about the roles; tomcat is the role. I needed to create a security role tomcat, so I created the tomcat role, and that role is assigned to the user. Anybody who is logging into the system should have this role in place. Users with the tomcat role will be able to log in to the system. You just need to see how you have defined that in the security-role. That is good enough. So this mapping, this security constraint, is important when you want to connect to Tomcat.

Now, let's move to the next step. We will go to the Apache Tomcat server and start it; you can just click on startup.bat in Apache Tomcat's bin. Okay, I think there is a bind exception. Let me see. I think I have not started Tomcat in the first place; this is Keycloak, and Keycloak is up and running. Let's wait. I was not expecting any binding exception at all because I have already used the 8085 port, so there is no conflict between Keycloak and Tomcat: Keycloak is running on port 8080 and Tomcat should be able to run on 8085. There are no other problems. Now it is started. Close everything. These three files I will attach in the section for you to have a closer look; I can add them as a download.

Now go to localhost:8085 and check that Tomcat is up and running. Go to your sample; the sample is perfectly running. Now I want to access a JSP or servlet page, which is what our web.xml protects. We have the servlet and we have the JSP file; that is what we will be accessing. The moment you click here, it should redirect you to the Keycloak server instead of directly showing the page, which means authentication is happening through the Keycloak server using OpenID Connect. Click on this and it takes you to the login. If you remember, I have created the tomcat user; I hope I remember the password. Once you give that, it should be able to take you inside. That is authentication through the Keycloak server, and that is what I wanted to show you in this demo. If you click on the servlet now, because this is already logged in, it will go through. If you want to check this in an incognito window, go again to http://localhost:8085/sample and click; it directly asks you to log in through Keycloak. Now you are logged in, and when you click you are able to access it. That is how to configure the Tomcat adapter; for many applications, the configuration will be the same.

So what are the steps? In conclusion, there are a few steps. The first step is to copy the adapters from the Keycloak site, as I have said, inside your Apache Tomcat lib folder. Once the adapter copying is done, there are three configuration files you have to do. One is the context. In my case it was four, because in server.xml we have just changed the port to 8085, since Keycloak starts on 8080 by default. To start Keycloak on a different port, in my first section I have already shown how; if you are confused, you can start Keycloak on a different port using the same command I showed in the introduction. But if you want to follow what I have done here, go to server.xml and change the port to 8085. Then go to your context. Sorry, before that you deploy the sample war, as I have already suggested; I may include this war, but in case I don't, you can download it directly. Once you deploy it in webapps, go inside that folder, inside WEB-INF, and paste keycloak.json. For this file you can go into the Keycloak documentation if you want to explore further. These are the basic steps; I am not going into details of everything, just the very basic steps of how you can verify the token and really connect all the interactions between the Keycloak server and your Apache Tomcat. You just need to paste the keycloak.json. Another thing: open web.xml. If you don't find a web.xml, you will definitely find it in WEB-INF; you need to paste the security-constraint and the login-config, where you are saying you are ignoring Tomcat's original authentication and going through the security role you are defining. You can go through administrative roles: if I wanted these users to go through an administrative role, I need to add that. These are the two things you need to add. The last thing in the configuration: in the context there is a valve; you need to paste it in context.xml, which you find inside Apache Tomcat's conf. Here is the context, and inside that context I have just added the KeycloakAuthenticatorValve. If you do these three steps along with the adapters, you are good to go. Thank you very much guys. These are the basics of Keycloak,
what you need to do. I will keep on adding more and more relevant information on Keycloak in my next videos. So thank you very much for watching. Hope this helped you. Don't forget to give feedback on the course; that will help me understand what you are all looking forward to. I am preparing the goals for that, or I may add it to this course. So please try to give some feedback. Thank you very much. Bye for now.
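The lesson above ends with three Tomcat-side files (conf/context.xml with the Keycloak valve, WEB-INF/web.xml with the security-constraint and login-config, WEB-INF/keycloak.json) plus the server.xml port change, and it shows two ways the setup silently breaks: use-resource-role-mappings left at true, and a port collision between Keycloak and Tomcat. The checker below is an added example written for this page, not code from the course or from the Keycloak project. It cross-checks all four files before you start Tomcat. The sample files embedded in it are constructed to mirror the walkthrough; the valve class name, the web.xml auth-method value KEYCLOAK and the keycloak.json keys are the ones the Tomcat adapter of that era used, and the /auth context path in auth-server-url assumes the WildFly-based Keycloak the course starts with standalone. Note that Keycloak has since deprecated these Java adapters upstream, so check the current documentation before building on this layout.

```python
"""Cross-check the Tomcat <-> Keycloak adapter files described in the lesson."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Valve class shipped in the Keycloak Tomcat adapter jars copied into Tomcat's lib/.
KEYCLOAK_VALVE = "org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"

# --- constructed sample files mirroring the walkthrough (not copied from the course) ---
CONTEXT_XML = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>"""

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8085" protocol="HTTP/1.1" redirectPort="8443"/>
  </Service>
</Server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>tomcat</realm-name>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>tomcat</role-name></security-role>
</web-app>"""

KEYCLOAK_JSON = """{
  "realm": "tomcat",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "tomcat",
  "public-client": true,
  "use-resource-role-mappings": false
}"""


def _local(tag):
    """Strip the XML namespace so web.xml's default namespace does not hide tags."""
    return tag.rsplit("}", 1)[-1]


def _all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem, name):
    found = _all(elem, name)
    return (found[0].text or "").strip() if found else None


def check_context(context_xml):
    """conf/context.xml must register the Keycloak authenticator valve."""
    valves = {v.get("className") for v in _all(ET.fromstring(context_xml), "Valve")}
    return [] if KEYCLOAK_VALVE in valves else ["context.xml: KeycloakAuthenticatorValve is missing"]


def check_web_xml(web_xml):
    """web.xml must hand authentication to Keycloak and only reference declared roles."""
    root = ET.fromstring(web_xml)
    problems = []
    method = _text(root, "auth-method")
    if method != "KEYCLOAK":
        problems.append(f"web.xml: auth-method is {method!r}, expected 'KEYCLOAK'")
    constraints = _all(root, "security-constraint")
    if not constraints:
        problems.append("web.xml: no security-constraint, nothing is protected")
    declared = {_text(r, "role-name") for r in _all(root, "security-role")}
    for sc in constraints:
        for rn in _all(sc, "role-name"):
            name = (rn.text or "").strip()
            if name not in declared:
                problems.append(f"web.xml: role {name!r} used but not declared in <security-role>")
    return problems


def check_keycloak_json(keycloak_json):
    """WEB-INF/keycloak.json: required keys present, realm-role mapping, no plaintext tokens."""
    cfg = json.loads(keycloak_json)
    problems = [f"keycloak.json: '{k}' is missing"
                for k in ("realm", "resource", "auth-server-url") if not cfg.get(k)]
    if cfg.get("use-resource-role-mappings", False):
        problems.append("keycloak.json: use-resource-role-mappings is true; "
                        "the web.xml role is a realm role, set it to false")
    if cfg.get("ssl-required") == "none":
        problems.append("keycloak.json: ssl-required 'none' lets tokens travel over plain HTTP")
    return problems


def check_ports(server_xml, keycloak_json):
    """Tomcat must not bind the port Keycloak already uses on the same host (localhost here)."""
    connectors = _all(ET.fromstring(server_xml), "Connector")
    tomcat_ports = {int(c.get("port")) for c in connectors if c.get("port")}
    url = urlparse(json.loads(keycloak_json)["auth-server-url"])
    kc_port = url.port or (443 if url.scheme == "https" else 80)
    if kc_port in tomcat_ports:
        return [f"server.xml: Tomcat connector and Keycloak would both bind port {kc_port}"]
    return []


def check_all(context_xml=CONTEXT_XML, server_xml=SERVER_XML,
              web_xml=WEB_XML, keycloak_json=KEYCLOAK_JSON):
    """Return every problem found; an empty list means the four files agree."""
    return (check_context(context_xml) + check_web_xml(web_xml)
            + check_keycloak_json(keycloak_json) + check_ports(server_xml, keycloak_json))


if __name__ == "__main__":
    for line in check_all() or ["all checks passed"]:
        print(line)
```

To run it against a real Tomcat tree, read conf/context.xml, conf/server.xml, webapps/sample/WEB-INF/web.xml and webapps/sample/WEB-INF/keycloak.json into strings and pass them to check_all; the namespace stripping in _local is what lets the same code handle a web.xml with or without the javaee default namespace.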