How to Secure Spring Boot Application With Keycloak

Yasindu Wishmith Korawage
Published in Arimac
4 min read · Sep 24, 2021

Hi guys, this is my 3rd article about Keycloak. In the first article we discussed how to do the basic configuration of the Keycloak server, so I am not going to discuss it again. If that configuration is unclear, refer to my previous article and to the Keycloak documentation; I have put the links below.

  1. How To Setup Basic Configurations In Keycloak Server
  2. Getting Started Guide

In this article you will learn:

  1. How to get a client access token with REST APIs
  2. How to get a user access token with REST APIs
  3. How to manage the security of a Spring Boot application with an access token

How to get client access token with REST APIs

First, you have to create client roles according to your application. Then create realm roles and make them composite roles that include the client roles. I have created two client roles, admin and user, and two realm roles, web-user and web-admin. web-user is composited with the user role and web-admin is composited with the admin role.

Client Roles

Realm Roles

Second, you have to create new users and assign roles to them. I have created 3 users as below.

  1. amilramesh -> web-user
  2. virajlakshitha -> web-admin
  3. yasinduwishmith-> web-user and web-admin(both roles)

Third, go to the client in the left-hand menu and note down the client-id and secret. After that you can create a new POST request in Postman with Authorization set to Basic Auth. The request URL follows the pattern below.

{{keycloak host}}/auth/realms/{{realm}}/protocol/openid-connect/token

Set the body type to x-www-form-urlencoded with key grant_type and value client_credentials.

Then set authorization details as below.

username -> {{client-id}}

password -> {{client-secret}}

You can refer to the curl below for clarification.

curl --location --request POST 'http://localhost:8080/auth/realms/ABC-Company/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic dXNlci1zZXJ2aWNlOjA2NWZmZjc2LTM4MDEtNDhlZS05MTlhLThkZDIxNjRhYjk3MQ==' \
--data-urlencode 'grant_type=client_credentials'

After sending the request, you get the result below.

How to get user access token with REST APIs

Go to Users in the left-hand menu, choose a particular user and note down the username and the password you entered earlier. After that create a new POST request in Postman. The request URL follows the pattern below.

{{keycloak host}}/auth/realms/{{realm}}/protocol/openid-connect/token

Set the body type to x-www-form-urlencoded with the details below.

grant_type -> password

client_id -> {{client-id}}

client_secret -> {{client-secret}}

username -> {{user-name}}

password -> {{user-password}}

You can refer to the curl below for clarification.

curl --location --request POST 'http://localhost:8080/auth/realms/ABC-Company/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=user-service' \
--data-urlencode 'client_secret=065fff76-3801-48ee-919a-8dd2164ab971' \
--data-urlencode 'username=yasinduwishmith' \
--data-urlencode 'password=Test123'

After sending the request, you get the result below.

How to manage security of spring boot application with access token

Step 01

Create a Spring Boot application.

Step 02

Add the dependencies below to the pom.xml file.

Update the properties in pom.xml.

Step 03

Then update your application.yml file as below.
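As an added example (not the article's own application.yml), the adapter settings that match the realm and client used in the curl commands above. The application port is an assumption, since the article runs Keycloak itself on 8080; the client secret is read from an environment variable rather than pasted into the file. The `/auth` prefix in the server URL belongs to the WildFly-based Keycloak distributions current at the time of the article; the Quarkus-based distributions (17 and later) drop it.

```yaml
# Added example, not the article's own application.yml.
server:
  port: 8081                          # assumption: Keycloak occupies 8080 in the article

keycloak:
  auth-server-url: http://localhost:8080/auth
  realm: ABC-Company
  resource: user-service              # the client-id used in the token requests above
  credentials:
    secret: ${KEYCLOAK_CLIENT_SECRET} # supplied via environment; never commit the real secret
  bearer-only: true                   # only validate bearer tokens, never redirect to a login page
  use-resource-role-mappings: true    # authorize on the client roles (admin, user), not the realm roles
  principal-attribute: preferred_username  # Authentication.getName() returns the username instead of the subject id
  ssl-required: external              # require HTTPS for anything that is not a loopback address
```

With `bearer-only: true` a request without a token is answered with 401 instead of a redirect, which is the behaviour the Postman test later in the article expects. `use-resource-role-mappings: true` is what makes the client roles admin and user (rather than the composite realm roles web-admin and web-user) the ones the application checks.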

Step 04

Create a configuration class for Keycloak security.

Step 05

Create a test controller to check the Keycloak security.
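Steps 04 and 05 together, as an added example rather than the article's own code. It assumes the `keycloak-spring-boot-starter` and `spring-boot-starter-security` dependencies from Step 02, Java 11 or later, and the application.yml keys `keycloak.realm`, `keycloak.resource`, `keycloak.auth-server-url`, `keycloak.bearer-only: true` and `keycloak.use-resource-role-mappings: true`, so the client roles admin and user defined at the start of the article are the ones evaluated. The package name and the `/api/user` and `/api/admin` paths are hypothetical. The three classes are shown in one listing; in a project each goes in its own file under the same package.

```java
// Added example, not the article's own code. Package name is hypothetical.
package com.example.keycloakdemo;

import java.util.Map;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Step 04 (part 1): read the adapter settings from application.yml instead of
// keycloak.json. Kept in its own @Configuration class because declaring this
// bean inside the @KeycloakConfiguration class triggers a circular-reference
// error in the adapter.
@Configuration
class KeycloakConfigResolverConfig {
    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

// Step 04 (part 2): the security configuration itself.
@KeycloakConfiguration
class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // SimpleAuthorityMapper adds the ROLE_ prefix Spring expects, so the Keycloak
    // client role "admin" becomes ROLE_admin and hasRole("admin") matches it.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    // Bearer-only API: every request carries its own token, so no HTTP session is
    // created and there is nothing for session-fixation protection to do.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.csrf().disable()   // no cookie-based session exists, so CSRF does not apply
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/admin/**").hasRole("admin")
                .antMatchers("/api/user/**").hasAnyRole("user", "admin")
                .anyRequest().authenticated();   // default deny: any other path still needs a valid token
    }
}

// Step 05: test controller. No token -> 401; valid token without the required
// role -> 403; matching role -> 200 with the JSON below.
@RestController
@RequestMapping("/api")
class TestController {

    @GetMapping("/user/hello")
    public Map<String, Object> userHello(Authentication authentication) {
        return Map.of(
            "message", "hello, user",
            "principal", authentication.getName(),
            "authorities", authentication.getAuthorities().toString());
    }

    @GetMapping("/admin/hello")
    public Map<String, Object> adminHello(Authentication authentication) {
        return Map.of("message", "hello, admin", "principal", authentication.getName());
    }
}
```

With the three users from the article, a token for amilramesh (web-user, which carries the client role user) reaches `/api/user/hello` but gets 403 on `/api/admin/hello`, while a token for yasinduwishmith (both roles) reaches both. The `anyRequest().authenticated()` line is the part worth keeping even if the path matchers change: it makes every unlisted endpoint require a token instead of falling open by default.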

Step 06

In Postman, create a request and add a key named Authorization with the value Bearer {{user-token}}; Postman sends this as the Authorization request header.

Note: you have to get the user access token from the endpoint mentioned above and use it here.

Example of Bearer token:-

First, send the request without the Authorization token; you will receive a 401 Unauthorized status.

Using the user token, you get a 200 status code with the output below.

Note: if the token has expired, get another token from the user-token endpoint mentioned above.

So guys, please read the blog A to Z and Don’t Skip anything.

This is the end of this article. I really hope you enjoy it and share it with your friends.

In my next article I will show how to manage users and roles with Keycloak from a Spring Boot project.

Please follow my account and stay tuned for new updates
