SSO Kit is an add-on for Vaadin Flow that provides all the configuration you need to add single sign-on capabilities to your applications.
SSO Kit is built upon the OpenID Connect specification and it comes with a Spring Boot starter module that takes care of configuring the security settings you need to authenticate against your identity provider.
These are the currently supported identity providers:
SSO Kit is compatible with Vaadin Platform starting from version 23.2.0.
To get started with SSO Kit, add the sso-kit-starter module as a dependency to your Vaadin application, e.g. in your pom.xml:
<dependency>
    <groupId>com.vaadin</groupId>
    <artifactId>sso-kit-starter</artifactId>
</dependency>
Then set your identity provider client credentials in your application.yml, e.g. for Keycloak:
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak: # This is the registration-id, can be any value
            issuer-uri: https://my-keycloak.io/realms/my-realm
        registration:
          keycloak: # This should be the same as the registration-id
            client-id: my-client
            client-secret: verySecretValue
            scope:
              - profile
              - openid
              - email
              - roles
vaadin:
  sso:
    login-route: /oauth2/authorization/keycloak # /oauth2/authorization/<registration-id>
With this configuration, any unauthorized request is redirected to the provider's login page.
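As an added example (not part of the SSO Kit documentation), the same registration with the client secret read from an environment variable instead of being committed in application.yml; SSO_CLIENT_SECRET is an assumed variable name:

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: https://my-keycloak.io/realms/my-realm
        registration:
          keycloak:
            client-id: my-client
            # Weak: a literal secret ends up in version control and in every
            # copy of the artifact.
            #   client-secret: verySecretValue
            # Hardened: Spring Boot resolves the placeholder from the
            # environment at startup (assumed variable name SSO_CLIENT_SECRET).
            client-secret: ${SSO_CLIENT_SECRET}
            scope:
              - profile
              - openid
              - email
              - roles
vaadin:
  sso:
    login-route: /oauth2/authorization/keycloak
```

If the variable is not set, Spring Boot fails at startup with an unresolved placeholder error rather than running with an empty or wrong secret.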
You can choose which views require authentication by annotating them as described in Annotating the View Classes. For example:
@PermitAll
@Route(value = "private")
public class PrivateView extends VerticalLayout {
    // ...
}
The SSO Kit starter provides the AuthenticationContext bean that you can inject into your views to get the currently authenticated user:
import javax.annotation.security.PermitAll;

import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.sso.starter.AuthenticationContext;

@PermitAll
@Route(value = "private")
public class PrivateView extends VerticalLayout {
    // The bean is injected by Spring; the view is only reachable once the
    // user has authenticated, so the Optional is normally present.
    public PrivateView(AuthenticationContext authContext) {
        authContext.getAuthenticatedUser().ifPresent(user -> {
            var fullName = user.getFullName();
            Notification.show("Hello, " + fullName + "!");
        });
    }
}
The same AuthenticationContext bean provides the logout() method to terminate both the local user session and the provider's session:
@PermitAll
@Route(value = "private")
public class PrivateView extends VerticalLayout {
    public PrivateView(AuthenticationContext authContext) {
        // Ends the local session and the identity provider's session
        add(new Button("Logout", e -> authContext.logout()));
    }
}