Skip to main content

Notice: This Wiki is now read only and edits are no longer possible. Please see: for the plan.

Jump to: navigation, search

BaSyx / Scenarios / Authorization

Setting up Keycloak

Keycloak is an open source software product to allow single sign-on with Identity and Access Management aimed at modern applications and services. As of March 2018 this WildFly community project is under the stewardship of Red Hat who use it as the upstream project for their RH-SSO product.


To start the Keycloak, you can use the following command:

docker run -p 9006:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak

Warning: The startup may take a while. Do not stop the server after the message Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user -b

Once the server is started, the admin console can be opened in the browser using the link below:

Note: You must only start the Docker Container to execute the Test Scenario, as the Realm and Client is automatically created by the Keycloak ServiceProvider when executing the Test.

Setup using portal

The initial screen for the admin console appears.


Realms and users

When you log in to the admin console, you work in a realm, which is a space where you manage objects. Two types of realms exist:

  • Master realm - This realm was created for you when you first started Keycloak. It contains the admin account you created at the first login. You use this realm only to create other realms.
  • Other realms - These realms are created by the admin in the master realm. In these realms, administrators create users and applications. The applications are owned by the users.


Create Realm

As the admin in the master realm, you create the realms where administrators create users and applications.


  • Keycloak is installed.
  • You have the initial admin account for the admin console.


  1. Go to http://localhost:9006/auth/admin/ and log in to the Keycloak admin console using the admin account.
  2. From the Master menu, click Add Realm. When you are logged in to the master realm, this menu lists all other realms.
  3. Type basyx-demo in the Name field.
  4. Click Create.


The realm name is case-sensitive, so make note of the case that you use.

The main admin console page opens with realm set to basyx-demo.


Add Client


  1. Go to http://localhost:9006/auth/admin/ and log in to the Keycloak admin console using the admin account.
  2. From the Master menu, select basyx-demo.
  3. Click Clients.
  4. Click Create.


Set the property of client

  • Set Access Type to Confidential
  • Turn ON OAuth 2.0 Device Authorization Grant Enabled
  • Turn ON Authorization Enabled
  • Enter valid redirect URIs
  • Click Save.


Setup using Keycloak Java Adapter

Add the following maven dependencies to the project :





Create a Keycloak instance as depicted in below code :

  1. private void buildKeycloak() {
  2. 	keycloak = KeycloakBuilder.builder()
  3. 	         .serverUrl(BASE_ADDRESS)
  4. 	         .realm(MASTER_REALM_NAME)
  5. 	         .clientId(MASTER_CLIENT_ID)
  6. 	         .username(USERNAME)
  7. 	         .password(PASSWORD)
  8. 	         .build();
  9. }

Create Realm

Create a realm using below code snippet :

  1. private void createRealm() throws RealmCreationException {        
  2. 	RealmRepresentation realmRepresentation = createRealmRepresentationFromJson();
  4. 	keycloak.realms().create(realmRepresentation);
  5. }
  7. private RealmRepresentation createRealmRepresentationFromJson() {
  8. 	return loadJson(KeycloakServiceProvider.class.getResourceAsStream("/" + REALM_FILE_NAME), RealmRepresentation.class);
  9. }

Add Client

Add a client to a realm using below code snippet :

  1. private void addClientToRealm() throws AddClientException {        
  2. 	RealmResource realmResource = getRealmResource();
  4. 	ClientRepresentation clientRepresentation = createClientRepresentationFromJson();
  6. 	realmResource.clients().create(clientRepresentation);
  7. }
  9. private RealmResource getRealmResource() {		
  10. 	return keycloak.realms().realm(REALM_NAME);
  11. }
  13. private ClientRepresentation createClientRepresentationFromJson() {
  14. 	return loadJson(KeycloakServiceProvider.class.getResourceAsStream("/" + CLIENT_FILE_NAME), ClientRepresentation.class);
  15. }

Setting up Authorized AAS Registry

The Cloud & Edge Deployment scenario can be implemented using Authorized AAS Registry.

After setting up Keycloak, follow below steps to access the secured endpoints of AAS Registry:

Step 1 : Create an instance of Authorized AAS registry proxy.

Code Snippet

  1. private void createAuthorizedAASRegistryProxy() {
  2. 	registry = new AuthorizedAASRegistryProxy(REGISTRY_ENDPOINT, authorizationProvider.getAuthorizationSupplier());
  3. }

Step 2 : Create an instance of Authorized Connected AAS manager using the above instance of registry to access a secured AAS repository.

Code Snippet

  1. private void createConnectedAASManager() {
  2. 	aasManager = new AuthorizedConnectedAASManager(registry, authorizationProvider.getAuthorizationSupplier());
  3. }

Step 3 : Use the above Authorized Connected AAS manager to perform the general operation like Creating AAS, Creating Submodels etc.

Code Snippet to create AAS

  1. private void createAssetAdministrationShellOnCloudServer() {
  2. 	aasManager.createAAS(componentFactory.getAAS(), CLOUD_ENDPOINT);
  3. }

Code Snippet to create Submodel

  1. private void createSubmodelOnAasCloudServer() {
  2. 	Submodel docuSubmodel = componentFactory.getDocuSM();
  4. 	asManager.createSubmodel(aasIdentifier, docuSubmodel);
  5. }

Full code implementation can be found here AuthorizedRegistryScenario

Additional Resources

Back to the top