By Marone: April 2020
Goal

In this article we are going to secure a Spring Boot REST API with Keycloak using the Resource Owner Password Credentials Grant, in short the password grant.

1. The user johndoe passes the username and password to the client.
2. The client sends the credentials to Keycloak.
3. If everything is fine, Keycloak returns an Access Token.
4. The client uses the Access Token to call the API.

Warning! The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application (RFC 6749, section 4.3).
Used technologies

Keycloak 8.0.1
Spring security configuration
The root url / is allowed by anyone.
Other urls are allowed by any

The url http://localhost:8080 is accessible by all users, while /admin requires users to be authenticated.
Calling /protected without anything returns
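The rules described above, written out as a Keycloak adapter configuration for Spring Security. This is an added example, not the code from the article's repository: the class name SecurityConfig, the path patterns and the keycloak.* property values are assumptions, and it targets the Keycloak 8 Spring Boot starter (keycloak-spring-boot-starter), whose KeycloakWebSecurityConfigurerAdapter, KeycloakSpringBootConfigResolver and related classes are used below.

```java
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/*
 * Assumed application.properties for this example (values are placeholders):
 *
 *   keycloak.realm=demo
 *   keycloak.auth-server-url=http://localhost:8180/auth
 *   keycloak.resource=spring-api
 *   keycloak.credentials.secret=change-me
 *   keycloak.bearer-only=true
 *
 * bearer-only means the API never redirects to a login page: a request either
 * carries a valid access token or is rejected.
 */
@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Map Keycloak realm roles to Spring authorities with the ROLE_ prefix,
    // so a later hasRole("ADMIN") rule would match the Keycloak role "ADMIN".
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(provider);
    }

    // Read the keycloak.* settings from application.properties instead of keycloak.json.
    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    // A bearer-token API keeps no HTTP session: every request presents its own token.
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);   // installs the Keycloak authentication filters
        http
            // Stateless bearer API: no cookies, so CSRF protection has nothing to protect.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // The root url / is open to anyone.
                .antMatchers("/").permitAll()
                // /admin and /protected require an authenticated user (a valid access token).
                .antMatchers("/admin/**").authenticated()
                .antMatchers("/protected/**").authenticated()
                // Deny-by-default: anything not listed above also needs a token.
                .anyRequest().authenticated();
    }
}
```

The last rule is the one worth checking in a review: with permitAll() as the fallback, a new endpoint added later would be public by accident, whereas authenticated() keeps the default closed and makes / the only deliberate exception.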
Let's test with an access token

Since the user johndoe is now authenticated, we are able to access the API.
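The four-step flow from the start of the article and this test, carried out by a small Java 11 client. This is an added example, not code from the article or its repository: the Keycloak port 8180, the realm "demo", the client id "spring-api" and its secret are placeholders, and the minimal JSON extraction stands in for a proper JSON library.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.stream.Collectors;

public class PasswordGrantClient {

    // Assumed values: Keycloak 8 on port 8180 (token endpoint under /auth), realm "demo",
    // confidential client "spring-api". The secret belongs in configuration, not in source.
    static final String TOKEN_URL =
        "http://localhost:8180/auth/realms/demo/protocol/openid-connect/token";
    static final String API_URL = "http://localhost:8080";
    static final String CLIENT_ID = "spring-api";
    static final String CLIENT_SECRET = System.getenv().getOrDefault("CLIENT_SECRET", "change-me");

    // application/x-www-form-urlencoded body, as the token endpoint expects.
    static String form(Map<String, String> fields) {
        return fields.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    // Step 2: the client forwards the user's credentials to Keycloak's token endpoint.
    // Step 3: on success Keycloak answers with a JSON document holding access_token.
    static String requestAccessToken(HttpClient http, String username, String password)
            throws Exception {
        String body = form(Map.of(
            "grant_type", "password",
            "client_id", CLIENT_ID,
            "client_secret", CLIENT_SECRET,
            "username", username,
            "password", password));
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Wrong password, disabled user or unknown client all end up here.
            throw new IllegalStateException("token request failed: " + resp.statusCode());
        }
        return extractAccessToken(resp.body());
    }

    // Minimal extraction of "access_token":"..." from the token response.
    static String extractAccessToken(String json) {
        String key = "\"access_token\":\"";
        int start = json.indexOf(key);
        if (start < 0) {
            throw new IllegalStateException("no access_token in token response");
        }
        start += key.length();
        return json.substring(start, json.indexOf('"', start));
    }

    // Step 4: call the API, sending the token as a Bearer credential when one is given.
    static int callApi(HttpClient http, String path, String accessToken) throws Exception {
        HttpRequest.Builder builder = HttpRequest.newBuilder(URI.create(API_URL + path)).GET();
        if (accessToken != null) {
            builder.header("Authorization", "Bearer " + accessToken);
        }
        HttpResponse<String> resp = http.send(builder.build(), HttpResponse.BodyHandlers.ofString());
        System.out.println("GET " + path + " -> " + resp.statusCode());
        return resp.statusCode();
    }

    public static void main(String[] args) throws Exception {
        HttpClient http = HttpClient.newHttpClient();

        // Without a token: / is public, /protected is rejected (401 from a bearer-only adapter).
        callApi(http, "/", null);
        callApi(http, "/protected", null);

        // Step 1: johndoe hands the client the username and password (taken from the
        // command line here so they are never hard-coded).
        String token = requestAccessToken(http, args[0], args[1]);

        // With the token: /protected now answers 200 for the authenticated user.
        callApi(http, "/protected", token);
    }
}
```

Run it as java PasswordGrantClient johndoe '<password>' with both Keycloak and the Spring Boot API up. The two calls to /protected, one without and one with the token, are the whole test: the first must fail and the second must succeed, and the client never sees anything but the status code and the token it was issued.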
The complete code can be found on GitHub.