2. Page 1 of 13
Contents
Get started with Keycloak – page 02
Integrate Keycloak with Spring Boot and Spring Security – page 02
Sample property file – page 03
Sample Security configuration file – page 03
Using Public access type – page 04
Project structure – Application one – page 04
Project structure – Application two – page 07
Using bearer-only access type – page 10
Get started with Keycloak
• Apache Keycloak is an open source identity and access management provider.
• You can download the latest stable release of the Keycloak server from the Keycloak download page.
• Once downloaded, extract the archive. The extracted directory should look like the image above.
• You can change the server port and other configuration by editing the standalone.xml file in the
standalone -> configuration directory.
• To start the Keycloak server, go to the bin directory.
o Windows – run standalone.bat
o Linux – run standalone.sh
• The Keycloak server now starts on port 8080 unless you changed the port.
• Open the Administration Console at http://localhost:8080/auth/
• The very first time, you need to create an admin user.
• Log in to the admin panel with the admin credentials you created.
Integrate Keycloak with Spring Boot and Spring Security
• Keycloak can be used together with Spring Security, but if you prefer you can integrate it without Spring Security.
• Apache Keycloak integrates easily with Spring Boot and Spring Security. You need to do two
things.
o Create a new Security configuration file.
o Add some properties to the property file.
Here I am going to create two small Spring Boot applications running on port 8090 and port 8092. Another Spring Boot
application running on port 8091 acts as a service for the application on port 8090.
In the Keycloak client configuration there are three access types.
1. Public – used for clients that need a browser login.
2. Confidential – used for clients that need a browser login and authenticate with a client secret.
3. Bearer only – the client only accepts bearer-token requests and does not take part in browser login.
Using Public access type
Here I describe two applications with the public access type. Both applications look the same. Here are the details of
those applications.
Configuration              Application one               Application two
server.port                8090                          8092
keycloak.auth-server-url   http://localhost:8080/auth    http://localhost:8080/auth
keycloak.realm             api                           api
keycloak.resource          client1                       client2
keycloak.public-client     true                          true
As you can see, each application uses the same realm (api) but a different Keycloak resource (client1 and client2).
Project structure – Application one
SecurityConfig.java
This is the same as the sample security configuration file mentioned above.
Project structure – Application two
Everything is the same except the application.properties file and the ProductService file.
ProductService.java
package com.example.productapp.service;

import org.springframework.stereotype.Service;
import java.util.Arrays;
import java.util.List;

// In-memory product list returned by the secured /products endpoint of application two.
@Service
public class ProductService {
    public List<String> getProducts() {
        return Arrays.asList("Apple", "Sony", "Nokia", "Mi");
    }
}
application.properties
server.port=8092
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=api
keycloak.public-client=true
keycloak.resource=client2
I created two Keycloak clients called client1 and client2 for these applications in a realm called “api”. Both clients
have the same access type, “public”.
Both clients are the same except for the Client ID and the Valid Redirect URLs.
• Client1 – http://localhost:8090*
• Client2 – http://localhost:8092*
Now run both applications on ports 8090 and 8092 and try the following.
Go to http://localhost:8090
Once you click the Search products button, you are redirected to the Keycloak login page.
Once you have logged in successfully, you are redirected to the secured page http://localhost:8090/products
At the same time you can check the second service running on port 8092: go to http://localhost:8092/products
It does not redirect you to the Keycloak login page but takes you straight to the secured page, because you already
have a login session with Keycloak from the first application.
Using confidential and bearer-only access type
Here I am going to create two REST web applications running on port 8090 and port 8092. Please look at the project
details.
ProductController.java
package com.example.productapp.controller;

import com.example.productapp.service.ProductService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import java.util.List;

@RestController
public class ProductController {
    @Autowired
    private ProductService productService;

    // Secured endpoint: note that it is mapped to POST, so a GET /products will not match.
    @PostMapping(path = "/products")
    public List<String> getProducts() {
        return productService.getProducts();
    }

    // Clears the local security context. Because this is a @RestController, the
    // returned "/" is sent as the response body, not as a redirect.
    @GetMapping(path = "/logout")
    public String logout(HttpServletRequest request) throws ServletException {
        request.logout();
        return "/";
    }
}
ProductService.java
package com.example.productapp.service;

import org.springframework.stereotype.Service;
import java.util.Arrays;
import java.util.List;

@Service
public class ProductService {
    public List<String> getProducts() {
        return Arrays.asList("Nokia", "Sony");
    }
}
application.properties
server.port=8090
keycloak.enabled=true
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=api
keycloak.resource=client3
keycloak.bearer-only=true
SecurityConfig.java
The SecurityConfig.java file is the same as the sample security configuration file mentioned above.
Here are the details of the Keycloak client (see screenshot).
Since this is a REST web application, I am going to use Postman to send the request.
As you can see, you cannot access the resource, because it is secured by Keycloak and the request needs an Authorization
header with a Bearer token.
The bearer token can be obtained from the following Keycloak API:
http://localhost:8080/auth/realms/{realm_name}/protocol/openid-connect/token
You must provide client_id, username, password, grant_type and client_secret to get the token.
• client_id – the client ID
• username – the user's username
• password – the user's password
• grant_type – this must be “password”
• client_secret – found in the Keycloak admin panel under the client's settings
Once you provide related data, you will be able to get the token and some other details. Please check this screenshot.
Then you can use this token in the Authorization header to access the secured API.
The front-end client (React, Angular, etc.) stores this token and sends it with future requests.
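The token request and the bearer call described above, as an added Java 11 example that is not code from the original page: the realm "api", the token endpoint path and port 8090 are the page's values, while the client ID, client secret, username and password are placeholders. Keycloak only grants the password flow to a client that has Direct Access Grants enabled and refuses it for a bearer-only client, so the client ID used to fetch the token stands for whichever confidential client is set up for that in the admin console.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class BearerClient {
    static final String TOKEN_URL = "http://localhost:8080/auth/realms/api/protocol/openid-connect/token";
    static final String API_URL = "http://localhost:8090/products";

    // Encode the form fields as application/x-www-form-urlencoded, as Postman does.
    static String formEncode(Map<String, String> fields) {
        return fields.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    // Pull access_token out of the JSON token response without a JSON library.
    static String extractAccessToken(String json) {
        var m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no access_token in: " + json);
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        // Password grant with the five fields the page lists; the client must be a
        // confidential client with Direct Access Grants enabled (not a bearer-only one).
        String form = formEncode(Map.of(
            "grant_type", "password",
            "client_id", "<confidential-client-id>",            // placeholder
            "client_secret", "<secret-from-keycloak-admin-ui>", // placeholder
            "username", "<username>",                           // placeholder
            "password", "<password>"));                         // placeholder
        HttpRequest tokenReq = HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> tokenResp = client.send(tokenReq, HttpResponse.BodyHandlers.ofString());
        if (tokenResp.statusCode() != 200) throw new IllegalStateException("token request failed: " + tokenResp.body());
        String accessToken = extractAccessToken(tokenResp.body());
        // ProductController maps /products to POST; the token travels only in the Authorization header.
        HttpRequest apiReq = HttpRequest.newBuilder(URI.create(API_URL))
            .header("Authorization", "Bearer " + accessToken)
            .POST(HttpRequest.BodyPublishers.noBody()).build();
        HttpResponse<String> apiResp = client.send(apiReq, HttpResponse.BodyHandlers.ofString());
        System.out.println(apiResp.statusCode() + " " + apiResp.body());
    }
}
```

The password grant hands the user's credentials to the calling application and is deprecated in OAuth 2.1; for browser front-ends the Authorization Code flow with PKCE obtains the same bearer token without the front-end ever seeing the password.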