Course – LSS – NPI (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:


1. Overview

In this tutorial, we’ll discuss the basics of setting up a Keycloak server and connecting a Spring Boot application to it using Spring Security OAuth2.0.

Further reading:

Spring Security and OpenID Connect

Learn how to set up OpenID Connect (from Google) with a simple Spring Security application.

Simple Single Sign-On with Spring Security OAuth2

A simple SSO implementation using Spring Security 5 and Boot.

CAS SSO With Spring Security

Learn how to integrate the Central Authentication Service (CAS) with Spring Security.

2. What Is Keycloak?

Keycloak is an open-source Identity and Access Management solution targeted towards modern applications and services.

Keycloak offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.

In our tutorial, we’ll use the Admin Console of Keycloak for setting up and connecting to Spring Boot using the Spring Security OAuth2.0.

3. Setting Up a Keycloak Server

In this section, we will set up and configure the Keycloak server.

3.1. Downloading and Installing Keycloak

There are several distributions to choose from. However, in this tutorial, we’ll be using the standalone version.

Let’s download the Keycloak-22.0.3 Standalone server distribution from the official source.

Once we’ve downloaded the Standalone server distribution, we can unzip and start Keycloak from the terminal:

$ unzip 
$ cd keycloak-22.0.3
$ bin/ start-dev

After running these commands, Keycloak will be starting its services. Once we see a line containing Keycloak 22.0.3 […] started, we’ll know its start-up is complete.

Now let’s open a browser and visit http://localhost:8080. We’ll be redirected to http://localhost:8080/auth to create an administrative login:



Let’s create an initial admin user named initial1 with the password zaq1!QAZ. Upon clicking Create, we’ll see the message User Created.

We can now proceed to the Administrative Console. On the login page, we’ll enter the initial admin user credentials:

keycloak admin console

3.2. Creating a Realm

A successful login will take us to the console and open up the default Master realm for us.

Here we’ll focus on creating a custom realm.

Let’s navigate to the upper left corner to discover the Create realm button:

create realm

On the next screen, let’s add a new realm called SpringBootKeycloak:

create realm name

After clicking the Create button, a new realm will be created and we’ll be redirected to it. All the operations in the next sections will be performed in this new SpringBootKeycloak realm.

3.3. Creating a Client

Now we’ll navigate to the Clients page. As we can see in the image below, Keycloak comes with Clients that are already built-in:

keycloak clients

We still need to add a new client to our application, so we’ll click Create. We’ll call the new Client login-app:

create client

In the next screen, for the purpose of this tutorial, we’ll leave all the defaults except the Valid Redirect URIs field. This field should contain the application URL(s) that will use this client for authentication:

keycloak redirect uri

Later on, we’ll be creating a Spring Boot Application running at port 8081 that’ll use this client. Hence we’ve used a redirect URL of http://localhost:8081/* above.

3.4. Creating a Role and a User

Keycloak uses Role-Based Access; therefore, each user must have a role.

To do that, we need to navigate to the Realm Roles page:

realm roles

Then we’ll add the user role:

create role

Now we have a role that can be assigned to users, but as there are no users yet, let’s go to the Users page and add one:

create user

We’ll add a user named user1:

create user

Once the user is created, a page with its details will be displayed:

user details

We can now go to the Credentials tab. We’ll be setting the initial password to xsw2@WS:

user pass

Finally, we’ll navigate to the Role Mappings tab. We’ll be assigning the user role to our user1:

assign role

Lastly, we need to set the Client Scopes properly so that KeyCloak passes all the roles for the authenticating user to the token. So we need to navigate to the Client Scopes page and then set microprofile-jwt to “default” , as shown in the picture below.

KeyCloak Client Scope

4. Generating Access Tokens With Keycloak’s API

Keycloak provides a REST API for generating and refreshing access tokens. We can easily use this API to create our own login page.

First, we need to acquire an access token from Keycloak by sending a POST request to this URL:


The request should have this body in a x-www-form-urlencoded format:


In response, we’ll get an access_token and a refresh_token.

The access token should be used in every request to a Keycloak-protected resource by simply placing it in the Authorization header:

headers: {
    'Authorization': 'Bearer' + access_token

Once the access token has expired, we can refresh it by sending a POST request to the same URL as above, but containing the refresh token instead of username and password:

    'client_id': 'your_client_id',
    'refresh_token': refresh_token_from_previous_request,
    'grant_type': 'refresh_token'

Keycloak will respond to this with a new access_token and refresh_token.

5. Creating and Configuring a Spring Boot Application

In this section, we’ll create a Spring Boot application and configure it as an OAuth Client to interact with the Keycloak server.

5.1. Dependencies

We use the Spring Security OAuth2.0 Client to connect to the Keycloak server.

Let’s start by declaring spring-boot-starter-oauth2-client dependency in a Spring Boot application in the pom.xml:


Also, as we need to use Spring Security with Spring Boot, we must add this dependency:


In order to delegate the identification control to a Keycloak server, we’ll use the spring-boot-starter-oauth2-resource-server library. It will allow us to validate a JWT token with the Keycloak server. Hence, let’s add it to our pom:


Now, the Spring Boot application can interact with Keycloak.

5.2. Keycloak Configuration

We consider the Keycloak client as an OAuth Client. So, we need to configure the Spring Boot application to use the OAuth Client.

The ClientRegistration class holds all of the basic information about the client. Spring auto-configuration looks for properties with the schema[registrationId] and registers a client with OAuth 2.0 or OpenID Connect (OIDC).

Let’s configure the client registration configuration:

The value we specify in client-id matches the client we named in the admin console.

The Spring Boot application needs to interact with an OAuth 2.0 or OIDC provider to handle the actual request logic for different grant types. So, we need to configure the OIDC provider. It can be auto-configured based on property values with the schema[provider name].

Let’s configure the OIDC provider configuration:

As we can recall, we started Keycloak on port 8080, hence the path specified in issuer-uri. This property identifies the base URI for the authorization server. We enter the realm name we created in the Keycloak admin console. Additionally, we can define user-name-attribute as preferred_username so as to populate our controller’s Principal with a proper user.

Finally, let’s add the configuration needed for validating JWT token against our Keycloak server:

5.3. Configuration Class

We configure HttpSecurity by creating a SecurityFilterChain bean. Also, we need to enable OAuth2 login using http.oauth2Login().

Let’s create the security configuration:

class SecurityConfig {

    private static final String GROUPS = "groups";
    private static final String REALM_ACCESS_CLAIM = "realm_access";
    private static final String ROLES_CLAIM = "roles";

    private final KeycloakLogoutHandler keycloakLogoutHandler;

    SecurityConfig(KeycloakLogoutHandler keycloakLogoutHandler) {
        this.keycloakLogoutHandler = keycloakLogoutHandler;

    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();

    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(sessionRegistry());

    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    public SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers(new AntPathRequestMatcher("/customers*"))
            .requestMatchers(new AntPathRequestMatcher("/"))
        http.oauth2ResourceServer((oauth2) -> oauth2
            .logout(logout -> logout.addLogoutHandler(keycloakLogoutHandler).logoutSuccessUrl("/"));
    public GrantedAuthoritiesMapper userAuthoritiesMapperForKeycloak() {
        return authorities -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
            var authority = authorities.iterator().next();
            boolean isOidc = authority instanceof OidcUserAuthority;

            if (isOidc) {
                var oidcUserAuthority = (OidcUserAuthority) authority;
                var userInfo = oidcUserAuthority.getUserInfo();

                // Tokens can be configured to return roles under
                // Groups or REALM ACCESS hence have to check both
                if (userInfo.hasClaim(REALM_ACCESS_CLAIM)) {
                    var realmAccess = userInfo.getClaimAsMap(REALM_ACCESS_CLAIM);
                    var roles = (Collection<String>) realmAccess.get(ROLES_CLAIM);
                } else if (userInfo.hasClaim(GROUPS)) {
                    Collection<String> roles = (Collection<String>) userInfo.getClaim(
            } else {
                var oauth2UserAuthority = (OAuth2UserAuthority) authority;
                Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();

                if (userAttributes.containsKey(REALM_ACCESS_CLAIM)) {
                    Map<String, Object> realmAccess = (Map<String, Object>) userAttributes.get(
                    Collection<String> roles = (Collection<String>) realmAccess.get(ROLES_CLAIM);
            return mappedAuthorities;

    Collection<GrantedAuthority> generateAuthoritiesFromClaim(Collection<String> roles) {
        return -> new SimpleGrantedAuthority("ROLE_" + role)).collect(

In the code above, the oauth2Login() method adds OAuth2LoginAuthenticationFilter to the filter chain. This filter intercepts requests and applies the needed logic for OAuth 2 authentication. The oauth2ResourceServer method will validate the bound JWT token against our Keycloak server.

We configure access based on authorities and roles in the configure() method. These constraints ensure that every request to /customers/* will only be authorized if the one requesting it is an authenticated user with the role USER.

Finally, we need to handle logout from Keycloak. To do this, we add KeycloakLogoutHandler class:

public class KeycloakLogoutHandler implements LogoutHandler {

    private static final Logger logger = LoggerFactory.getLogger(KeycloakLogoutHandler.class);
    private final RestTemplate restTemplate;

    public KeycloakLogoutHandler(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;

    public void logout(HttpServletRequest request, HttpServletResponse response, 
      Authentication auth) {
        logoutFromKeycloak((OidcUser) auth.getPrincipal());

    private void logoutFromKeycloak(OidcUser user) {
        String endSessionEndpoint = user.getIssuer() + "/protocol/openid-connect/logout";
        UriComponentsBuilder builder = UriComponentsBuilder
          .queryParam("id_token_hint", user.getIdToken().getTokenValue());

        ResponseEntity<String> logoutResponse = restTemplate.getForEntity(
        builder.toUriString(), String.class);
        if (logoutResponse.getStatusCode().is2xxSuccessful()) {
  "Successfulley logged out from Keycloak");
        } else {
            logger.error("Could not propagate logout to Keycloak");


The KeycloakLogoutHandler class implements LogoutHandler class and sends a logout request to the Keycloak.

Now, after we authenticate, we’ll be able to access the internal customers page.

5.4. Thymeleaf Web Pages

We’re using Thymeleaf for our web pages.

We’ve got three pages:

  • external.html – an externally facing web page for the public
  • customers.html – an internally facing page that will have its access restricted to only authenticated users with the role user
  • layout.html – a simple layout, consisting of two fragments, that are used for both the externally facing page and the internally facing page

The code for the Thymeleaf templates is available on Github.

5.5. Controller

The web controller maps the internal and external URLs to the appropriate Thymeleaf templates:

@GetMapping(path = "/")
public String index() {
    return "external";
@GetMapping(path = "/customers")
public String customers(Principal principal, Model model) {
    model.addAttribute("customers", customerDAO.findAll());
    model.addAttribute("username", principal.getName());
    return "customers";

For the path /customers, we’re retrieving all customers from a repository and adding the result as an attribute to the Model. Later on, we iterate through the results in Thymeleaf.

To be able to display a username, we’re injecting the Principal as well.

We should note that we’re using customers here just as raw data to display, and nothing more.

6. Demonstration

Now we’re ready to test our application. To run a Spring Boot application, we can start it easily through an IDE, like Spring Tool Suite (STS), or run this command in the terminal:

mvn clean spring-boot:run

On visiting http://localhost:8081 we see:

external Facing Keycloak Page

Now we click customers to enter the intranet, which is the location of sensitive information.

Note that we’ve been redirected to authenticate through Keycloak to see if we’re authorized to view this content:

keycloak userlogin

Once we log in as user1, Keycloak will verify our authorization that we have the user role, and we’ll be redirected to the restricted customers page:

customers page

Now we’ve finished the setup of connecting Spring Boot with Keycloak and demonstrating how it works.

As we can see, Spring Boot seamlessly handled the entire process of calling the Keycloak Authorization Server. We did not have to call the Keycloak API to generate the Access Token ourselves, or even send the Authorization header explicitly in our request for protected resources.

7. Conclusion

In this article, we configured a Keycloak server and used it with a Spring Boot Application.

We also learned how to set up Spring Security and use it in conjunction with Keycloak. A working version of the code shown in this article is available over on Github.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

res – Security (video) (cat=Security/Spring Security)
Comments are closed on this article!