
Vaadin SSO Kit

SSO Kit is an add-on for Vaadin Flow that provides all the configuration you need to add single sign-on capabilities to your applications.

SSO Kit is built upon the OpenID Connect specification and it comes with a Spring Boot starter module that takes care of configuring the security settings you need to authenticate against your identity provider.

These are the currently supported identity providers:

SSO Kit is compatible with Vaadin Platform starting from version 23.2.0.

Getting Started

To get started with SSO Kit, you just need to add the sso-kit-starter module as a dependency to your Vaadin application, e.g. in your pom.xml:

<dependency>
    <groupId>com.vaadin</groupId>
    <artifactId>sso-kit-starter</artifactId>
</dependency>

Setting Client Credentials and Login Route

Then you need to set your identity provider client credentials in your application.yml, e.g. for Keycloak:

spring:
  security:
    oauth2:
      client:
        provider:
          keycloak: # This is the registration-id, can be any value
            issuer-uri: https://my-keycloak.io/realms/my-realm
        registration:
          keycloak: # This should be the same as the registration-id
            client-id: my-client
            client-secret: verySecretValue
            scope:
            - profile
            - openid
            - email
            - roles
vaadin:
  sso:
    login-route: /oauth2/authorization/keycloak # /oauth2/authorization/<registration-id>

With this configuration, any unauthorized request is redirected to the provider's login page.

Protecting Your Views

You can set which views require authentication by annotating them as described in Annotating the View Classes. For example:

import javax.annotation.security.PermitAll; // jakarta.annotation.security.PermitAll on Vaadin 24
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;

@PermitAll // any authenticated user may open this view
@Route(value = "private")
public class PrivateView extends VerticalLayout {
    // ...
}

Get the Authenticated User

The SSO Kit starter provides the AuthenticationContext bean that you can inject into your views to get the currently authenticated user:

import javax.annotation.security.PermitAll; // jakarta.annotation.security.PermitAll on Vaadin 24
import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.sso.starter.AuthenticationContext; // bean provided by sso-kit-starter

@PermitAll
@Route(value = "private")
public class PrivateView extends VerticalLayout {

    // The bean is injected by Spring through the view's constructor
    public PrivateView(AuthenticationContext authContext) {
        // Empty when no user is authenticated, so no null handling is needed
        authContext.getAuthenticatedUser().ifPresent(user -> {
            var fullName = user.getFullName(); // standard OIDC "name" claim
            Notification.show("Hello, " + fullName + "!");
        });
    }
}
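As an added example that is not part of the SSO Kit project, the following view uses the same AuthenticationContext bean to read standard OIDC claims and the mapped authorities from the authenticated OidcUser, and shows an admin-only section only when a matching authority was granted. The package com.vaadin.sso.starter, the Optional<OidcUser> return type of getAuthenticatedUser() and the authority name ROLE_admin are assumptions that depend on your SSO Kit version and on how your provider's roles are mapped.

```java
import java.time.Instant;
import java.util.Optional;
import javax.annotation.security.PermitAll;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import com.vaadin.flow.component.html.Paragraph;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.sso.starter.AuthenticationContext; // assumed package

@PermitAll
@Route(value = "profile")
public class ProfileView extends VerticalLayout {

    // Assumed authority name: depends on how the provider's roles claim is mapped.
    static final String ADMIN_AUTHORITY = "ROLE_admin";

    public ProfileView(AuthenticationContext authContext) {
        Optional<OidcUser> maybeUser = authContext.getAuthenticatedUser();
        if (maybeUser.isEmpty()) {
            // Unreachable behind @PermitAll, but fail closed instead of throwing.
            add(new Paragraph("Not authenticated."));
            return;
        }
        OidcUser user = maybeUser.get();

        // Standard claims from the ID token (requested with the profile and email scopes)
        add(new Paragraph("Subject: " + user.getSubject()));
        add(new Paragraph("Username: " + user.getPreferredUsername()));
        boolean verified = Boolean.TRUE.equals(user.getEmailVerified());
        add(new Paragraph("Email: " + user.getEmail() + (verified ? " (verified)" : " (unverified)")));

        // ID token lifetime, handy when diagnosing unexpected re-logins
        Instant expiresAt = user.getIdToken().getExpiresAt();
        add(new Paragraph("ID token expires at: " + expiresAt));

        // Authorities mapped from the provider's roles; this is UI gating only, the
        // admin view itself must still be protected with @RolesAllowed.
        if (hasAuthority(user, ADMIN_AUTHORITY)) {
            add(new Paragraph("Admin section visible."));
        }
    }

    static boolean hasAuthority(OidcUser user, String authority) {
        return user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(authority::equals);
    }
}
```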

Logging the User Out

The same AuthenticationContext bean provides the logout() method to terminate both the local user session and the provider's session:

import javax.annotation.security.PermitAll; // jakarta.annotation.security.PermitAll on Vaadin 24
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.sso.starter.AuthenticationContext; // bean provided by sso-kit-starter

@PermitAll
@Route(value = "private")
public class PrivateView extends VerticalLayout {

    public PrivateView(AuthenticationContext authContext) {
        // Ends the local session and initiates the provider's logout
        add(new Button("Logout", e -> authContext.logout()));
    }
}