Securing REST API using Keycloak and Spring Oauth2

The Keycloak documentation suggests three ways to secure Spring-based REST APIs.

Let us see how we can use Keycloak's OIDC support and the Spring OAuth2 library to secure REST APIs. The benefits of using Spring OAuth2 over the Keycloak adapter are explained at the end of this article.

Set up Keycloak with username=admin, password=admin.

Note: Standalone Keycloak runs on the Wildfly server. Don't worry about configuring a user to manage the Wildfly server; what we need is a Keycloak admin user to create the realm, client, user, roles, etc. in Keycloak.

Figure 1: add dev realm

If Keycloak runs on port 8080, make sure your micro-service runs on another port. In this example, the micro-service is configured to run on 8085.

Note: Access Type 'confidential' supports obtaining an access token using the client credentials grant as well as the authorization code grant. If a micro-service needs to call another micro-service, the caller will be 'confidential' and the callee will be 'bearer-only'.

Figure 2: Configure client

Create a role under the client. In this case, the role USER is created under employee-service.

Figure 5: Create User

In order to give a user access to a client (micro-service), the respective role needs to be assigned (mapped) to the user.

Figure 6: Assign role to user

Because Keycloak is OpenID Connect and OAuth2 compliant, the OpenID Connect configuration (discovery) URL below returns details about all of the security endpoints:

Important URLs to be copied from the response:

The response also lists the supported grant types and scopes.
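The discovery lookup described above, as an added example that is not part of the original article: it builds the well-known URL for a realm, pulls the endpoints a resource server and a service-account client need out of the response, checks that the issuer is the realm we expect, and confirms the grant type and scopes we intend to use are supported. The discovery document here is a constructed sample (the field names are the standard OpenID Connect discovery keys; host, realm and values are made up), so it runs offline; fetch_discovery is the only part that touches the network.

```python
import json
import urllib.request

# Constructed sample discovery document. Assumption: the keys are the standard OpenID
# Connect discovery metadata that Keycloak publishes; the host, realm and values are made up.
SAMPLE_DISCOVERY = {
    "issuer": "http://localhost:8080/auth/realms/dev",
    "authorization_endpoint": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/token",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/certs",
    "introspection_endpoint": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/token/introspect",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
    "scopes_supported": ["openid", "offline_access", "profile", "email", "roles"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# The endpoints a resource server and a service-account caller need to copy into their properties.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def discovery_url(base_url: str, realm: str, legacy_auth_prefix: bool = True) -> str:
    """Well-known discovery URL for a Keycloak realm. Standalone (Wildfly-based) Keycloak
    serves everything under /auth; newer releases drop that prefix."""
    prefix = "/auth" if legacy_auth_prefix else ""
    return f"{base_url.rstrip('/')}{prefix}/realms/{realm}/.well-known/openid-configuration"


def fetch_discovery(url: str, timeout: float = 5.0) -> dict:
    """Fetch and parse the discovery document over HTTP (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def important_urls(doc: dict, expected_issuer: str) -> dict:
    """Pick out the URLs worth copying, failing loudly if one is missing or if the issuer
    is not the realm we believe we configured (a token from another realm would otherwise
    validate against the wrong keys)."""
    missing = [key for key in REQUIRED_KEYS if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} does not match expected {expected_issuer!r}")
    return {key: doc[key] for key in REQUIRED_KEYS}


def supports(doc: dict, grant_type: str, scopes=()) -> bool:
    """True if the realm advertises the grant type and every scope we plan to request."""
    if grant_type not in doc.get("grant_types_supported", []):
        return False
    return set(scopes) <= set(doc.get("scopes_supported", []))


if __name__ == "__main__":
    urls = important_urls(SAMPLE_DISCOVERY, "http://localhost:8080/auth/realms/dev")
    for name, value in urls.items():
        print(f"{name:24} {value}")
    print("client_credentials + openid supported:", supports(SAMPLE_DISCOVERY, "client_credentials", ("openid",)))
```

In practice you would call fetch_discovery(discovery_url(base, realm)) once at startup and feed the returned token_endpoint and jwks_uri (or the realm public key, as this article does) into the Spring properties; checking the issuer against the realm you configured catches a copy-paste of the wrong realm's URLs before any token is ever accepted.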

Postman tool screenshot: getting an access token from Keycloak for a client

Spring Boot

Dependencies

General Security Properties

Properties to secure REST Endpoints using OAuth2 Resource Server

Figure 7: Copy jwt public key value

Note 1: The value of the security.oauth2.resource.jwt.key-value property can be copied from the public key at realm level. This is very important: this property is what brings the JwtAccessTokenCustomizer, which we will see later, into play.

Note 2: Property values will differ based on your configuration; take care to use the correct values.

Properties to call another micro-service (Service Accounts)

Note: The above properties are required for the OAuth2RestTemplate that is used to make secure service-account calls.

In order for Spring OAuth2 to parse the token and populate the SecurityContextHolder, it needs the roles (authorities) from the token. Also, in order to determine the list of clients/applications/micro-services a user has access to, it needs the list of client ids from the token. This is the only setup that needs some special handling.
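The claim handling described above, as an added example that is not the article's JwtAccessTokenCustomizer or any Spring code: it shows, in plain Python, what that customizer has to do with a Keycloak access token, namely read the realm roles and the roles granted under this client, give them the ROLE_ prefix that hasRole() expects, list the client ids the user holds roles for, and refuse tokens that are expired, from another realm, or not issued for this client. The token payload is a constructed sample (claim names follow a Keycloak access token, values are made up) and the sample token carries a placeholder instead of a signature; in a real resource server the RS256 signature must be verified with the realm public key (the value copied into security.oauth2.resource.jwt.key-value) before any of these claims is read.

```python
import base64
import json
import time

# Constructed sample access-token payload. Assumption: claim names follow a Keycloak access
# token (realm roles under realm_access, client roles under resource_access, azp = the client
# the token was issued to); the issuer, subject and timestamps are made up.
SAMPLE_PAYLOAD = {
    "iss": "http://localhost:8080/auth/realms/dev",
    "aud": ["employee-service", "account"],
    "azp": "employee-service",
    "exp": 4102444800,  # 2100-01-01 UTC, so the sample does not expire during the demo
    "iat": 1700000000,
    "sub": "constructed-user-id",
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "employee-service": {"roles": ["USER"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
    "scope": "openid profile email",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_sample_token(payload: dict = SAMPLE_PAYLOAD) -> str:
    """JWT-shaped string for the sample: header.payload.<placeholder>. It carries no real
    signature, so nothing but this demo may ever accept it."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "SIGNATURE-PLACEHOLDER"])


def decode_payload(token: str) -> dict:
    """Split a compact JWT and decode the claims segment. Verifying the signature against the
    realm public key is the caller's job and must precede trusting any claim returned here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(payload: dict, expected_issuer: str, client_id: str, now=None) -> bool:
    """Reject tokens from another realm, expired tokens, and tokens not issued for this client."""
    now = time.time() if now is None else now
    if payload.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("token expired or has no exp claim")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud and payload.get("azp") != client_id:
        raise ValueError("token was not issued for this client")
    return True


def extract_authorities(payload: dict, client_id: str) -> list:
    """Realm roles plus this client's roles, prefixed with ROLE_ as Spring's hasRole() expects.
    Roles granted under other clients are deliberately not included."""
    realm_roles = payload.get("realm_access", {}).get("roles", [])
    client_roles = payload.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return sorted({f"ROLE_{role}" for role in realm_roles + client_roles})


def extract_client_ids(payload: dict) -> list:
    """Clients (micro-services) the user holds at least one role for."""
    return sorted(payload.get("resource_access", {}).keys())


def build_security_context(token: str, expected_issuer: str, client_id: str, now=None) -> dict:
    """What ends up in the security context once the (already signature-checked) token is parsed."""
    payload = decode_payload(token)
    validate_claims(payload, expected_issuer, client_id, now)
    return {
        "principal": payload.get("preferred_username") or payload.get("sub"),
        "authorities": extract_authorities(payload, client_id),
        "clients": extract_client_ids(payload),
    }


if __name__ == "__main__":
    ctx = build_security_context(build_unsigned_sample_token(),
                                 "http://localhost:8080/auth/realms/dev", "employee-service")
    print(json.dumps(ctx, indent=2))
```

Two design points carry over to the Spring customizer: only the roles under resource_access for this service's own client id become authorities, so a USER role granted for some other client does not open this service's endpoints; and the issuer and audience checks mean a valid token minted by another realm, or for another client, is rejected even though its signature would verify with the right key.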

Note: OAuth2RestTemplate is required if this micro-service needs to call another micro-service.

The PreAuthorize annotation is used to secure REST endpoints with the appropriate roles. Refer to the example below.

In order to disable the default security, SecurityAutoConfiguration and UserDetailsServiceAutoConfiguration can be excluded.

To understand how to access a secured micro-service from another micro-service using OAuth2RestTemplate, refer to my other article stated below.
