Skip to content

Microservice security with OAuth 2, Spring Boot, Spring Security and Keycloak – Part 2

In the part 1 of this article, I gave an overview of OAuth 2 framework. In this part I will introduce Keycloak and start getting the hands dirty by setting it up for the example.

What is Keycloak?

Keycloak is an open source product Identity and Access Management (IAM) which deals with users and profile management. This system provides out of the box authentication/authorization functionalities. Avoiding the hassle and risk of building your own solution to authenticate and authorize users. On this example, Keycloak will work as the Authentication Server (see the part 1 for more details) providing realm and application token, allowing the access to a protected endpoint (Resource Server).

Let’s get the hands dirty

On this section I will explain how to set up Keycloak for implementing an OAuth authentication. This includes the creation of a realm, create a client and configure roles.

1) Run Keycloak on docker

Before we can start using Keycloak, it’s necessary to run it. For the sake of simplicity, we can simple use a docker image. Also a database is necessary and in this example I will use Postgres.

For this example, use the following docker-compose:

Then run the following command on the terminal:

  docker-compose up -d

2) Creating a realm

Figure 2.1

A realm represents a security domain for the application and is highest part where users, clients and roles are associated. To create a new realm on Keycloak, you should hover on left side where is “Master” (this is the default realm created by Keycloak), then click on the button “Add realm”

Figure 2.2

3) Create a client

Figure 3.1

A client on Keycloak is an application that want to authenticate and provide a single sign-on solution . To create a new client, go to Clients on the left side menu, then click on Create (Figure 3.1).

Figure 3.2

To add a client, specify a Client ID and select openid-connect as Client Protocol ID (Figure 3.2). The Client ID works like the username of the application.

Figure 3.3

After creating the client, change the Access Type to confidential, this will make the client secret required in order to authenticate our application (Figure 3.3). Pay attention if the option Service Accounts Enabled is “On”.

Figure 3.4

On the same page, specify a “Valid Redirect URIs”. For this example add http://localhost:8080/* (Figure 3.4)

Figure 3.5

On the tab Credentials on the client creation page, the client secret is shown (Figure 3.5). The secret works like a password of the application and will be used later to generate the authentication token.

4) Create client scope

The scopes allows the creation of a common set of mappers and roles that can be shared between multiple clients.

Figure 4.1

To create new client scope, go to the option Client Scopes on the left side menu and click on Create (Figure 4.1).

Figure 4.2

Next specify a name a click on save (Figure 4.2). This will create the client scope which can be associated with a client.

Figure 4.3

The next step is the client scope association which can be done by accessing the Clients option on the left side menu. Then, clicking on the Client Scopes tab will show all Available Client Scopes. Next, select the recently created scope and click on the Add selected button.


We have configured Keycloak for this example setting up the client, client scope and associating it with the client. On the next part I will show how we can put everything together using Spring Boot and Spring Security. See you on the next part 🙂

Published inUncategorized

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *