How to Secure Spring Boot Application With Keycloak
Hi guys, this is my third article about Keycloak. In the first article we discussed how to do the basic configuration of the Keycloak server, so I am not going to discuss it again. If you are unsure about that configuration, refer to my previous article and the Keycloak documentation; I have put those links below.
In this article, you can learn:
- How to get client access token with REST APIs
- How to get user access token with REST APIs
- How to manage security of spring boot application with access token
How to get client access token with REST APIs
First, you have to create client roles according to your application, then create realm roles and make them composite with the client roles. I have created two client roles, admin and user, and two realm roles, web-user and web-admin. web-user is composited with the user role and web-admin with the admin role.
Client Roles
Realm Roles
Second, you have to create new users and assign roles to them. I have created three users as below.
- amilramesh -> web-user
- virajlakshitha -> web-admin
- yasinduwishmith -> web-user and web-admin (both roles)
Third, visit the client in the left-hand menu and note down the client ID and client secret. After that, create a new POST request in Postman with Authorization set to Basic Auth. The request URL follows the pattern below.
{{keycloak host}}/auth/realms/{{realm}}/protocol/openid-connect/token
Set the body type to x-www-form-urlencoded, with the key grant_type and the value client_credentials.
Then set the authorization details as below.
username -> {{client-id}}
password -> {{client-secret}}
You can refer to the curl command below for clarification.
curl --location --request POST 'http://localhost:8080/auth/realms/ABC-Company/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic dXNlci1zZXJ2aWNlOjA2NWZmZjc2LTM4MDEtNDhlZS05MTlhLThkZDIxNjRhYjk3MQ==' \
--data-urlencode 'grant_type=client_credentials'
After sending the request, you get the result below.
How to get user access token with REST APIs
Visit the users list in the left-hand menu, choose a particular user, and note down the username and the password you entered earlier. After that, create a new POST request in Postman. The request URL follows the pattern below.
{{keycloak host}}/auth/realms/{{realm}}/protocol/openid-connect/token
Set the body type to x-www-form-urlencoded and fill in the details as below (grant_type is the literal value password).
grant_type -> password
client_id -> {{client-id}}
client_secret -> {{client-secret}}
username -> {{user-name}}
password -> {{user-password}}
You can refer to the curl command below for clarification.
curl --location --request POST 'http://localhost:8080/auth/realms/ABC-Company/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=user-service' \
--data-urlencode 'client_secret=065fff76-3801-48ee-919a-8dd2164ab971' \
--data-urlencode 'username=yasinduwishmith' \
--data-urlencode 'password=Test123'
After sending the request, you get the result below.
How to manage security of spring boot application with access token
Step 01
Create a Spring Boot application.
Step 02
Update the pom.xml file with the dependencies below.
Update the properties in pom.xml.
Step 03
Then update your application.yml file as below.
Step 04
Create a file to configure Keycloak security.
Step 05
Create a test controller to check the Keycloak security.
Step 06
Create a request in Postman with Query Params including the key Authorization and the value Bearer {{user-token}}.
Note: get the user access token from the endpoint mentioned above and use it here.
Example of a Bearer token:
First, send the request without the Authorization token; you will receive a 401 Unauthorized status.
Using the user token, you will get a 200 status code with the output below.
Note: if the token has expired, get another token from the endpoint mentioned above (user token).
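As an added example (my own code, not the article's Step 04 file or its pom.xml), here is a security configuration that produces the behaviour described in Steps 04 to 06: a stateless resource server that answers requests without a valid bearer token with 401 and maps the realm roles web-user and web-admin to Spring authorities. It assumes the Spring Security oauth2-resource-server starter (Spring Boot 3 / Spring Security 6 API) instead of the Keycloak adapter, the issuer URI http://localhost:8080/auth/realms/ABC-Company taken from the curl commands above, and the hypothetical controller paths /admin/** and /user/**.

```java
// Added example, not the article's Step 04 file. Assumes spring-boot-starter-oauth2-resource-server
// and this application.yml entry (issuer taken from the curl commands above):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri: http://localhost:8080/auth/realms/ABC-Company
// With it, every bearer JWT is checked against the realm's signing keys, issuer and expiry.
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class KeycloakResourceServerConfig {

    // Keycloak puts realm roles under realm_access.roles; Spring's default converter
    // only reads the "scope" claim, so map them explicitly to ROLE_* authorities.
    static List<GrantedAuthority> realmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        Object roles = realmAccess == null ? null : realmAccess.get("roles");
        if (!(roles instanceof List)) {
            return List.of();   // no realm roles: authenticated but no authorities
        }
        return ((List<?>) roles).stream()
                .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(KeycloakResourceServerConfig::realmRoles);
        http.csrf(csrf -> csrf.disable())   // bearer-token API: no session cookie to protect
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("web-admin")
                .requestMatchers("/user/**").hasAnyRole("web-user", "web-admin")
                .anyRequest().authenticated())   // missing or invalid token -> 401
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

Without the realm_access mapping every hasRole check would fail, since Spring's default converter only reads the scope claim; with it, the token of yasinduwishmith (both realm roles) reaches both paths while the token of amilramesh reaches only /user/**.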
So guys, please read the blog from A to Z and don't skip anything.
This is the end of this article. I really hope you enjoyed it, and please share it with your friends.
In my next article, I will share with you how to manage users and roles in Keycloak through a Spring Boot project.
Please follow my account and stay tuned for new updates.
Please…
Clap 👏
Share ❤🎉
Comment ✍