Keycloak config for Java application with Spring (Java 21)

If you want to secure your Spring microservice endpoints with Keycloak, you are in perfect place. Let’s do this step by step.


First we need is of course to add proper dependencies, I’m using maven: 
<dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
 
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
        </dependency>
</dependencies>


Second, provide some properties for our authorization server connection: 
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:8080/realms/custom-realm
          jwk-set-uri: http://localhost:8080/realms/custom-realm/protocol/openid-connect/certs


Third and last – create a configuration class. Good practice is to keep your endpoints authorized by default (as provided below). 
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
 
import java.util.Collection;
import java.util.Map;
 
@Configuration
@EnableWebSecurity
public class KeycloakConfig {
 
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .authorizeHttpRequests(registry -> registry
                        // unsecured endpoints
                        .requestMatchers("/example/unsecured")
                        .permitAll()
 
                        // default authorized
                        .anyRequest()
                        .hasRole("default-roles-custom-realm"))
 
                .oauth2ResourceServer(oauth2Configurer -> oauth2Configurer.jwt(jwtConfigurer -> jwtConfigurer.jwtAuthenticationConverter(jwt -> {
                    Map<String, Collection<String>> realmAccess = jwt.getClaim("realm_access");
                    Collection<String> roles = realmAccess.get("roles");
                    var grantedAuthorities = roles.stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).toList();
                    return new JwtAuthenticationToken(jwt, grantedAuthorities);
                })));
 
        return httpSecurity.csrf(AbstractHttpConfigurer::disable).build();
    }
}








Extras


Getting user information

Template for getting user info: 
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
 
@NoArgsConstructor(access = AccessLevel.PRIVATE)
public class UserUtils {
 
    public static String getActualUserId() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof AnonymousAuthenticationToken)) {
            return authentication.getName();
        }
        else {
            throw new IllegalStateException();
        }
    }
}




Working with tokens with curl

Getting access token: 
curl -v -X POST http://localhost:8080/realms/custom-realm/protocol/openid-connect/token -H 'Content-Type:application/x-www-form-urlencoded' --data "client_id=custom-client&username=user&password=user&grant_type=password"
Refreshing token: 
curl -v --data "grant_type=refresh_token&client_id=custom-client&refresh_token={REFRESH_TOKEN}" http://localhost:8080/realms/custom-realm/protocol/openid-connect/token


Popular posts

My Ubuntu Desktop config

Image
This article describes Ubuntu configuration I’m personally using. Those are tools which makes my work much easier and more pleasant. Consider adding them to your setup. Extensions To add Ubuntu GNOME extensions you have to enable this possibility at first. Here is short tutorial: https://damiankumor.blogspot.com/2023/08/enabling-gnome-extensions.html Dash to panel Custom menu panel. I like to have it on the top. https://extensions.gnome.org/extension/1160/dash-to-panel Final effect looks like that: Audio selector Tool for easily selection of audio input and outputs. https://extensions.gnome.org/extension/5135/audio-selector Final effect: Extension list Tray icon for fast extension management. https://exten...
Read more »

Enabling Gnome Extensions

Image
GNOME Shell extensions allow us to modify our system elements behavior and add some new features in very easy way. Browser extensions work similar so don't be afraid. If you want to read more about GNOME Shell extensions visit this site: https://extensions.gnome.org/about If you are looking for some useful extensions check this article about Ubuntu Desktop config I personally use: https://damiankumor.blogspot.com/2023/08/my-ubuntu-desktop-config.html Requirements Firefox To enable possibility to install gnome extensions via Firefox you have to install one package and add browser extension: sudo apt-get install chrome-gnome-shell https://addons.mozilla.org/en-US/firefox/addon/gnome-shell-integration Chrome To enable gnome extensions on Chrome you have to install same package and also add browse...
Read more »

Basic AKHQ running with docker (HTTP)

Introduction This article describes basic case of running AKHQ with docker. All the code is available on my GitHub . Specification: - Protocol: HTTP - AKHQ authorization: NO Requirements: - internet access - to download AKHQ docker image, - installed docker - to run downloaded image, - running kafka - visible within any connected network interface. Configuration First of all we have to create YAML file - to tell AKHQ where is our kafka running. akhq: ui-options: topic-data: sort: Newest connections: local: properties: bootstrap.servers: "localhost:9092" Then just run AKHQ docker image (on port 1790) with previously created YAML config: docker run -it -p 1790:8080 --name akhq_basic_container -v application-basic.yml:/app/application.yml tchiotludo/akhq Once container is created you can start simple by: docker container start akhq_basic_container ...
Read more »