A Deep Dive into the Model Context Protocol and Quarkus: Implementing a Keycloak Authentication Workflow
This week, I participated in an internal hackathon named “Know Your Tools,” where we researched AI-related topics in small groups. My colleague and I chose to explore the Model Context Protocol (MCP) and authentication, recognizing that permission workflows pose significant challenges in Agentic AIs. In these systems, it’s common for each agent to be granted administrative rights, allowing users to access external systems with more permissions than they typically have. Our goal was to investigate the implementation of a Keycloak authentication workflow in a MCP application.
While my colleague focused on exploring FastMCP, I decided to implement the authentication workflow using Quarkus, a modern Java stack optimized for Kubernetes and GraalVM. In this blog post, I’ll walk through my implementation and share the key insights.
Introduction to the Model Context Protocol (MCP) and Quarkus
The Model Context Protocol (MCP) is a framework that enables the deployment and management of intelligent agents within an application ecosystem. MCP facilitates seamless communication and data exchange between these agents, making it an essential tool for building robust and scalable AI-driven applications.
Quarkus (= Red Hat Build of Quarkus, the supported thing from Red Hat which you already get when you have an OpenShift Subscription), on the other hand, is a Kubernetes-native Java stack tailored for GraalVM & OpenJDK, crafted from the best of breed Java libraries and standards. It offers blazing-fast startup times, low memory footprint, and subsecond scaling, making it an ideal choice for developing high-performance applications.
Integrating Keycloak for Secure Authentication
Keycloak is an open-source identity and access management solution. It allows you to securely manage and authenticate users, providing features such as single sign-on (SSO), identity brokering, and user federation.
By integrating Keycloak with a Quarkus MCP application, we can ensure that only authorized users gain access to the application’s functionalities, enhancing security and compliance.
Example Implementation: Keycloak Login Workflow
Let’s walk through my implementation of a Keycloak authentication workflow in a Quarkus MCP application.
1. Project Setup
I created a new Quarkus project using the following command:
quarkus create app -x rest -x langchain4j-openai com.redhat.developers:quarkus-mcp-app:1.0-SNAPSHOT
This sets up a basic Quarkus application with REST and Langchain4j OpenAI integration.
2. Dependencies
The project includes the following key dependencies:
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-rest</artifactId>
</dependency>
<dependency>
<groupId>io.quarkiverse.langchain4j</groupId>
<artifactId>quarkus-langchain4j-openai</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-oidc</artifactId>
</dependency>
3. Configuration
I configured Keycloak in the application.properties
file:
quarkus.oidc.auth-server-url=https://rhbk.apps.ocp.ocp-gm.de/realms/granatengeorg-de
quarkus.oidc.client-id=know-your-tools-hackathon
quarkus.oidc.credentials.secret=aTsRi1B4tVgyF69Wsb35hfEyUFsnhWi0
quarkus.oidc.tls.verification=none
quarkus.http.auth.permission.default.deny=true
quarkus.http.auth.permission.default.paths=/*
quarkus.http.auth.proactive=false
4. Secured Resource Implementation
I created a SecuredResource
class to demonstrate the authentication workflow:
package de.granatengeorg.tools;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import io.quarkus.security.Authenticated;
@Path("/api")
public class SecuredResource {
@GET
@Path("/hello")
@Authenticated
@Produces(MediaType.TEXT_PLAIN)
public String hello(@Context SecurityIdentity identity) {
String username = identity.getPrincipal().getName();
return "Hello, " + username + "! Your token is valid.";
}
@GET
@Path("/public")
@Produces(MediaType.TEXT_PLAIN)
public String publicResource() {
return "This is a public endpoint. No authentication required.";
}
}
This implementation demonstrates a simple yet effective authentication workflow:
- The
/hello
endpoint is protected and requires a valid JWT token. - The
/public
endpoint is unauthenticated and accessible to all users.
Conclusion
Integrating Keycloak with a Quarkus MCP application provides a robust and secure mechanism for managing user authentication and authorization. By following the steps outlined in this blog post, you can implement a Keycloak authentication workflow that enhances the security of your Quarkus applications.
This implementation not only demonstrates the power of Quarkus but also highlights how MCP can be leveraged to create secure and scalable AI-driven applications. With this knowledge, you can start exploring the possibilities of integrating authentication workflows into your own projects. Happy coding!
A possible next step would be to integrate this to your Agentic AI workflow. And use that somehow in a more complex use case. If you think, that sounds like a new blog post idea for Future-Georg, you are right.