By alx: June 2020 | last update: July 2020

Spring security with Keycloak
using OAuth 2.0


After seeing how to use spring security, spring security, and keyloak in conjunction with keycloak adapter we were looking for other possibilities to use keycloak without having such a tight-binding.

To be precise, we want to use Spring Security's own oauth2/oidc capabilities, keycloak should act as an external Authorization Server. In this tutorial, we have a Spring boot application that provides a REST API and at the same time acts as a resource server.

According to OAuth2 specs
Resource Server:
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens
Resource server usually needs some sort of information access token to decide if access should be granted. In order words, the RS gets the access token from the HTTP request exactly from Authorization header and validates it, and if valid, serves the request.

Resouce server supports protecting endpoints using two sorts of OAuth 2.0 Bearer Tokens:
In this article, we will use an access token with JWT format.

Used technologies

Keycloak 8.x
Java 11
curl 7.66
Maven 3.x
jq 1.5

Go to Spring Initializr and create a demo maven project as following:

spring security oauh2 keycloak

Needed dependencies

The spring-boot-starter-oauth2-resource-server contains other dependencies such as oauth2-jose, which contains Nimbus, a library for handling JWT. The spring-boot-starter-web is also needed because Spring Security internally rely on filters.

JWT Payload

There is one important thing in this JWT, it contains the claim scope. As we can see Keycloak's client has by default profile and email as values.

Security configuration

By default, Spring security will internally transform the jwt scope or scp claim into a list of granted authorities, prefixing each scope with the string SCOPE_

The proctected API

Let's test

Change scopes in Keycloak

To add a scope to the client click on Clients in the left menu bar. Now on the right side pick up demo-app, a new page will appear. Go to the Client Scopes tab.
soauh2 keycloak scope
Select manage and click Add selected.
The scope claim looks now like:


The complete code can be found in GitHub