Microservice security with OAuth 2, Spring Security and Keycloak – Part 1

Securing an application is a very sensitive topic. It brings complexity, but it can’t be neglected. In this article I give a brief introduction to the concepts. In the upcoming parts I will show how to implement an authentication/authorization process with OAuth 2, Spring Security and Keycloak.

What is OAuth2?

OAuth 2 (RFC 6749) is an authorization framework in which a user lets an application access their resources on another service without handing over the account password: instead of the password, the application receives a scoped, time-limited access token issued by the service that hosts the account. The familiar “log in with Facebook, GitHub or Google” buttons are the everyday example of this delegation. Strictly speaking OAuth 2 only covers authorization; authenticating the user on top of it is standardized by OpenID Connect, which is what Keycloak implements and what the next parts of this series rely on.

OAuth roles

  • Resource server hosts the protected resources (the user’s data) and accepts requests that carry an access token
  • Resource owner is the user who owns the resources and grants the client permission to access them
  • Client is the application that wants to access the user’s resources on the user’s behalf
  • Authorization server authenticates the resource owner, obtains the owner’s authorization and issues access tokens to the client

Authorization Flow

This section walks through the abstract protocol flow of RFC 6749 (section 1.2). Each step is a request or a response between two of the roles described above.

  1. The client requests authorization from the resource owner. The request can be made to the owner directly or, preferably, indirectly with the authorization server as intermediary (this is how the authorization code grant works)
  2. The client receives an authorization grant, a credential that represents the resource owner’s authorization; its form depends on the grant type used (for example an authorization code)
  3. The client requests an access token from the authorization server by authenticating itself (for confidential clients, with its client credentials) and presenting the authorization grant obtained in the previous step
  4. The authorization server authenticates the client and validates the authorization grant; if both check out, it issues an access token
  5. The client requests the protected resource from the resource server, presenting the access token (typically in an Authorization: Bearer header, RFC 6750)
  6. The resource server validates the access token (signature, expiry, audience, scope) and, if it is valid, returns the protected resource
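The roles and the six steps above, as an added example that is not code from the original article: a small in-process Python simulation of the authorization code grant in which each role is an object and each step is a method call. The client id and secret, the redirect URI, the `photos:read` scope, the signing key and the sample photos are all constructed for illustration. One deliberate simplification: the token is HMAC-signed with a key shared by the authorization server and the resource server, whereas Keycloak issues RS256-signed JWTs so the resource server only needs the public key.

```python
"""Toy run of the OAuth 2 authorization code grant (RFC 6749 section 4.1).

Added example, not code from the original article: the roles are plain
Python objects and each numbered step is a method call, so the exchange
runs offline. All identifiers (client id and secret, redirect URI, scope,
signing key, sample photos) are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"demo-only-shared-secret"  # constructed; Keycloak signs with an RSA key instead
CLIENT_ID, CLIENT_SECRET, REDIRECT = "photo-printer", "s3cret", "https://printer.example/cb"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Checks the owner's consent, authenticates clients and issues tokens."""

    def __init__(self, key, now=time.time):
        self._key, self._now = key, now
        self._clients = {}  # client_id -> (client_secret, redirect_uri)
        self._codes = {}    # code -> (client_id, redirect_uri, user, scope, expires_at)

    def register_client(self, client_id, client_secret, redirect_uri):
        self._clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, user, scope):
        """Steps 1-2: the (already logged-in) owner consents; reply with a short-lived code."""
        if redirect_uri != self._clients[client_id][1]:  # KeyError for unknown clients
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, scope, self._now() + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 3-4: authenticate the client, validate the grant, issue a signed token."""
        secret = self._clients.get(client_id, (None,))[0]
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        grant = self._codes.pop(code, None)  # pop first: a code is spent on its first use
        if grant is None:
            raise PermissionError("invalid_grant")
        g_client, g_uri, user, scope, expires_at = grant
        if (g_client, g_uri) != (client_id, redirect_uri) or self._now() > expires_at:
            raise PermissionError("invalid_grant")
        claims = {"sub": user, "scope": scope, "aud": "photos-api", "exp": int(self._now()) + 300}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        return body + "." + _b64e(hmac.new(self._key, body.encode(), hashlib.sha256).digest())


class ResourceServer:
    """Holds the owner's data; serves it only for tokens whose MAC and claims check out."""

    def __init__(self, key, now=time.time):
        self._key, self._now = key, now
        self._photos = {"alice": ["beach.jpg", "cat.jpg"]}  # constructed sample data

    def _verify(self, token):
        """Step 6: recompute the MAC over the claims, then check audience and expiry."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            raise PermissionError("invalid_token: bad signature")
        claims = json.loads(_b64d(body))
        if claims.get("aud") != "photos-api" or self._now() > claims.get("exp", 0):
            raise PermissionError("invalid_token: wrong audience or expired")
        return claims

    def get_photos(self, token):
        claims = self._verify(token)
        if "photos:read" not in claims["scope"].split():
            raise PermissionError("insufficient_scope")
        return list(self._photos.get(claims["sub"], []))


def build_demo(now=time.time):
    """Wire up the two server-side roles; the resource owner is just a user name here."""
    auth = AuthorizationServer(SIGNING_KEY, now)
    auth.register_client(CLIENT_ID, CLIENT_SECRET, REDIRECT)
    return auth, ResourceServer(SIGNING_KEY, now)


def client_fetch_photos(user="alice"):
    """The client's side of steps 1-5: get a code, swap it for a token, call the API."""
    auth, api = build_demo()
    code = auth.authorize(CLIENT_ID, REDIRECT, user, "photos:read")
    token = auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT)
    return api.get_photos(token)


def replayed_code_is_rejected():
    """A leaked or intercepted code is useless once the legitimate client has used it."""
    auth, _ = build_demo()
    code = auth.authorize(CLIENT_ID, REDIRECT, "alice", "photos:read")
    auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT)
    try:
        auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT)
        return False
    except PermissionError:
        return True


def tampered_token_is_rejected():
    """Editing the scope claim without the signing key breaks the MAC."""
    auth, api = build_demo()
    code = auth.authorize(CLIENT_ID, REDIRECT, "alice", "photos:read")
    body, _, sig = auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT).partition(".")
    claims = json.loads(_b64d(body))
    claims["scope"] = "photos:read photos:delete"
    try:
        api.get_photos(_b64e(json.dumps(claims, sort_keys=True).encode()) + "." + sig)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(client_fetch_photos(), replayed_code_is_rejected(), tampered_token_is_rejected())
```

Two details worth noticing because they are exactly what a real authorization server such as Keycloak enforces: the code is removed from the store before it is validated, so it can be exchanged only once, and the redirect URI presented at the token endpoint must match the one used when the code was issued, which blocks a stolen code from being cashed in by a different client.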

Project stack

In this project I will run Keycloak on Docker as the identity manager and authorization server that authenticates users and issues the tokens, and use Spring Security to integrate with that authorization server and to protect the resource server.

In the next parts I will show how to set up and configure Keycloak, and how to protect a resource and authenticate against it using Spring Security. See you in the next parts!

