Getting Started with SSO Kit
SSO Kit builds upon Spring Boot and Spring Security. It comes with a starter and client side modules for configuring the security settings needed to authenticate with an identity provider.
1. Create a Hilla Application
You can create a Hilla application without authentication by entering the following from the command-line:
npx @hilla/cli init <your-project-name>
2. Backend
Once you’ve created a Hilla application, you can begin securing it by installing and configuring SSO Kit on the backend. The following section shows how to block unauthorized users from using a button in an application. You can install and update SSO Kit by adding it as a dependency to your application in the pom.xml
file.
2.1. Add SSO Kit Dependency
Add the sso-kit-starter
module to the pom.xml
file of a Vaadin application like so:
<dependency>
<groupId>dev.hilla</groupId>
<artifactId>sso-kit-starter</artifactId>
<version>2.1.0</version>
</dependency>
Note
|
Version Number
See the SSO Kit releases page for the latest version, or a different version of the sso-kit-starter dependency.
|
2.2. Configure Endpoints
For Hilla to be able to parse and generate endpoints from an application and from SSO Kit dependency for your frontend, you have to add a configuration to the Hilla Maven plugin with your application and SSO Kit dependency package names like this:
<build>
<defaultGoal>spring-boot:run</defaultGoal>
<plugins>
<plugin>
<groupId>dev.hilla</groupId>
<artifactId>hilla-maven-plugin</artifactId>
<version>${hilla.version}</version>
<!-- Add this configuration. -->
<configuration>
<parser>
<packages>
<package>com.example.application</package>
<package>dev.hilla.sso.starter</package>
</packages>
</parser>
</configuration>
<!-- ... -->
</plugin>
</plugins>
</build>
2.3. Configure SSO Provider in Spring
Next, you need to set some configuration properties to connect SSO Kit to an OpenID Connect provider. These properties can be added to your application.properties
file where you give the provider URL and the client registration details, such as credentials and scope.
Provider definition is configured within the spring.security.oauth2.provider
namespace where you give a key to identify your provider, such as keycloak
. You can use the same key to register the client for that provider within the spring.security.oauth2.registration
namespace, where you specify client credentials and the requested scope.
The scope is a list of keywords to request the provider for a specific set of information, such as user profile
, email
, and roles
. The following is an example of the properties to set to enable a Keycloak instance to perform authentication:
spring.security.oauth2.client.registration.keycloak.scope=profile,openid,email,roles
# Customize the following property values for your Keycloak configuration:
spring.security.oauth2.client.provider.keycloak.issuer-uri=https://my-keycloak.io/realms/my-realm
spring.security.oauth2.client.registration.keycloak.client-id=my-client
spring.security.oauth2.client.registration.keycloak.client-secret=very-secret-value
2.3.1. Single Sign-On
SSO Kit provides the SingleSignOnConfiguration
auto-configuration class to set up Hilla and Spring to allow single sign-on with external identity providers.
Note
|
Customized Security Configuration
If you need a customized security configuration, you can disable this auto-configuration class by adding its fully-qualified name to the spring.autoconfigure.exclude property and define your own configuration class.
|
The following configuration enables login for the identity providers defined in the application configuration. It instructs the application to accept requests for the login route. It can be configured by setting the hilla.sso.login-route
property, which defaults to /login
.
To redirect users automatically to the provider login form, you can set this property to /oauth2/authorization/{provider-key}
, where {provider-key}
is the key used to configure the provider in application.properties
file.
hilla.sso.login-route=/oauth2/authorization/keycloak
Tip
|
Custom Login Page
Some providers support a custom theme for their login pages. Learn more about this in Theming.
|
2.4. Secure the Application
A Hilla application includes frontend code and backend endpoints. Both of them can and should benefit from authentication protection.
2.4.1. Protect Example Endpoint
Hilla allows fine-grained authorization on endpoints and endpoint methods. You can use annotations like @PermitAll
or @RolesAllowed(…)
to declare who can access what.
To try this feature, replace the @AnonymousAllowed
annotation in HelloWorldEndpoint.java
with @PermitAll
. When you do this, unauthenticated users won’t be able to access all endpoint methods. You could also apply the same annotation at the method level for more fine-grained control.
Start the application using the mvnw
command. Then try the application in the browser. It should work correctly, except that when you click on the Say Hello
button, nothing happens. This is because the endpoint is no longer accessible without authentication.
3. Frontend
Once the backend is secure, you can begin extending authentication features to the frontend. The following section shows how to display user information (e.g., a name), on secured views and enable users to log in and out.
3.1. Install SSO Kit Client Dependency
npm install --save @hilla/sso-kit-client-react
This dependency contains the SsoProvider
provider and the useSsoContext
hook which are needed in the later steps.
3.2. Add SSO Provider
The SsoProvider
provides the single sign-on context to the application. Import the SsoProvider
and pass the RouterProvider
as a parameter to it in the App.tsx
file.
import { SsoProvider } from "@hilla/sso-kit-client-react";
return (
<SsoProvider>
<RouterProvider router={router}/>
</SsoProvider>
);
3.3. Add Log-In & Log-Out Buttons
As an example, add two buttons to the drawer footer — one to sign in, and another to sign out. Use the imported useSsoContext
hook to get the authenticated
state and to add the login
and logout
functions to the buttons.
import { Button } from '@hilla/react-components/Button.js';
import { useSsoContext } from "@hilla/sso-kit-client-react";
// Get the authenticated state, the login and logout functions in the MenuOnLeftLayout function.
const {authenticated, login, logout} = useSsoContext();
// Replace the `footer` in the returned element.
<footer slot="drawer">
{authenticated
? <Button onClick={logout}>Sign out</Button>
: <Button onClick={login}>Sign in</Button>
}
</footer>
3.4. Add Access Control
You can protect your views by verifying that each authentication has happened before loading the view.
Tip
|
Custom Redirect Path
You can define a custom redirect path in the protectRoutes function on which to redirect users that are not authenticated. The default value is the predefined /ssologin path, which redirects the user to the provider’s login page.
|
In the frontend/routes.tsx
file, enrich the ViewRouteObject
type with AccessProps
type to be able to protect a view and add the requireAuthentication
parameter to a view:
import { AccessProps, protectRoutes } from "@hilla/sso-kit-client-react";
// Enrich the ViewRouteObject type with AccessProps.
export type ViewRouteObject = (IndexViewRouteObject | NonIndexViewRouteObject) & AccessProps;
// Add requireAuthentication to the About View.
{
path: '/about',
// ...
requireAuthentication: true,
},
// Protect the views which require authentication.
export const routes: readonly ViewRouteObject[] = protectRoutes([
// ...
]);
Filter the menu excluding unauthorized views by amending the view filter in MainLayout.tsx
:
// Gather the hasAccess function and add filter to the routes that checks for authentication.
const { hasAccess } = useSsoContext();
const menuRoutes = (routes[0]?.children || [])
.filter((route) => route.path && route.handle && route.handle.icon && route.handle.title)
.filter(hasAccess) as readonly MenuRoute[];
Now the About
item in the menu appears only when authenticated.
3.5. Show User Information
The SSO Kit Client provides the User
class which contains information about the authenticated user. You can get the user information by using the useSsoContext
hook.
Since the About page is now protected, it’s a perfect place to show some information about the current user:
import { useSsoContext } from "@hilla/sso-kit-client-react";
// Gather the user from the SSO context.
const { user } = useSsoContext();
// Add some output in the return.
<p>Username: {user?.preferredUsername}</p>
<p>Full name: {user?.fullName}</p>
<p>Email: {user?.email}</p>
4. Single Sign-Off
SSO Kit provides two methods for logging out the user. They’re defined by the OpenID Connect specification like so:
4.1. RP-Initiated Logout
RP-initiated logout (i.e., Relaying Party, the application) enables the user to logout from the application itself, ensuring the connected provider session is terminated.
4.2. Back-Channel Logout
Back-Channel Logout is a feature that enables the provider to close user sessions from outside the application. For example, from the provider’s user dashboard or from another application.
4.2.1. Enable the Feature
To enable the feature in an application, you need to set the hilla.sso.back-channel-logout
property to true
. You would do that like you see here:
hilla.sso.back-channel-logout=true
The client should then be configured on the provider’s dashboard to send logout requests to a specific application URL: /logout/back-channel/{registration-key}
, where {registration-key}
is the provider key.
4.2.2. Modify the Frontend
As an example, show a dialog when the user is logged out from outside the application.
The useSsoContext
hook provided by the SSO Kit Client handles the back-channel logout and receives an event if logout happens. To get notified about a logout event, register a callback using the onBackChannelLogout
function and store the logged out state:
import { ConfirmDialog } from '@hilla/react-components/ConfirmDialog.js';
import { useEffect, useState } from 'react';
import { useSsoContext } from "@hilla/sso-kit-client-react";
const { onBackChannelLogout } = useSsoContext();
// Store the logged out state.
const [loggedOut, setLoggedOut] = useState(false);
// Subscribe to the back-channel logout event and set logged out state to true on the event.
useEffect(() => {
onBackChannelLogout(() => {
setLoggedOut(true);
});
}, []);
// Add the confirm dialog to the AppLayout.
<ConfirmDialog header='Logged out' cancelButtonVisible
opened={loggedOut}
onConfirm={login}
onCancel={logout}
>
<p>You have been logged out. Do you want to log in again?</p>
</ConfirmDialog>
You can trigger a logout externally with the provider tools. For Keycloak, you can sign out a session from the administration console or visit the page https://my-keycloak.io/realms/my-realm/protocol/openid-connect/logout
.