Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE

1. Overview

Keycloak is an open-source identity and access management (IAM) system that integrates well with the Spring Boot application. In this tutorial, we'll describe how to get Keycloak user ID in a Spring Boot application.

2. Problem Statement

Keycloak provides features such as securing a REST API, user federation, fine-grained authorization, social login, two-factor authentication (2FA), etc. Moreover, we can use it for implementing single sign-on (SSO) using OpenID Connect (OIDC). Let's assume that we have a Spring Boot application secured by OIDC using Keycloak, and we want to get a user ID in the Spring Boot application. In this situation, we'll need to get an access token or security context in the Spring Boot application.

2.1. Keycloak Server as Authorization Server

To keep things simple, we'll be using Keycloak embedded in a Spring Boot application. Let's assume that we're using the authorization server project available on GitHub. First, we'll define the customerClient client in realm baeldung in our embedded Keycloak server: Then, we export the realm details as customer-realm.json and set the realm file in our application-customer.yml:

keycloak:
  server:
    contextPath: /auth
    adminUser:
      username: bael-admin
      password: pass
    realmImportFile: customer-realm.json

Finally, we can run the application using the –spring.profiles.active=customer option. Now, the authorization server is ready. After running the server, we can access the authorization server's welcome page at http://localhost:8083/auth/.

2.2. Resource Server

Now that we've configured the authorization server, let's set up the resource server. For that, we'll use the resource server project available on GitHub. First, let's add the application-embedded.properties file as a resource:

keycloak.auth-server-url=http://localhost:8083/auth
keycloak.realm=baeldung
keycloak.resource=customerClient
keycloak.public-client=true
keycloak.principal-attribute=preferred_username

Now, the resource server is secure using the OAuth2 authorization server, and we must log in to the SSO server to access the resources. We can run the application using the –spring.profiles.active=embedded option.

3. Get Keycloak User ID

Getting the user ID from Keycloak can be accomplished in a few ways: using an access token or client mapper.

3.1. By Access Token

Building on top of the Spring Boot application CustomUserAttrController class, let's modify the getUserInfo() method to get the user ID:

@GetMapping(path = "/users")
public String getUserInfo(Model model) {

    KeycloakAuthenticationToken authentication = 
      (KeycloakAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();

    Principal principal = (Principal) authentication.getPrincipal();

    String userIdByToken = "";

    if (principal instanceof KeycloakPrincipal) {
        KeycloakPrincipal<KeycloakSecurityContext> kPrincipal = (KeycloakPrincipal<KeycloakSecurityContext>) principal;
        IDToken token = kPrincipal.getKeycloakSecurityContext().getIdToken();
        userIdByToken = token.getSubject();
    }

    model.addAttribute("userIDByToken", userIdByToken);
    return "userInfo";
}

As we can see, first we obtained the Principal from the KeycloakAuthenticationToken class. Then, we extract the user ID from IDToken using the getSubject() method.

3.2. By Client Mapper

We can add a user ID in the client mapper and get it in the Spring Boot application. First, we define a client mapper in the customerClient client: Then, we get the user ID in the CustomUserAttrController class:

@GetMapping(path = "/users")
public String getUserInfo(Model model) {

    KeycloakAuthenticationToken authentication = 
      (KeycloakAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();

    Principal principal = (Principal) authentication.getPrincipal();

    String userIdByMapper = "";

    if (principal instanceof KeycloakPrincipal) {
        KeycloakPrincipal<KeycloakSecurityContext> kPrincipal = (KeycloakPrincipal<KeycloakSecurityContext>) principal;
        IDToken token = kPrincipal.getKeycloakSecurityContext().getIdToken();
        userIdByMapper = token.getOtherClaims().get("user_id").toString();
    }

    model.addAttribute("userIDByMapper", userIdByMapper);
    return "userInfo";
}

We use the getOtherClaims() method from IDToken for getting the mapper. Then, we add the user ID to the model attribute.

3.3. Thymeleaf

We'll modify the userInfo.html template to display the user ID information:

<div id="container">
    <h1>
	User ID By Token: <span th:text="${userIDByToken}">--userID--</span>.
    </h1>
    <h1>
        User ID By Mapper: <span th:text="${userIDByMapper}">--userID--</span>.
    </h1>
</div>

3.4. Test

After running the application, we can navigate to http://localhost:8081/users. Entering baeldung:baeldung for the credentials, will return the following:

4. Conclusion

In this article, we looked at getting the user ID from Keycloak in a Spring Boot application. We first set up the required environment for invoking a secure application. Then, we described getting Keycloak user ID in the Spring Boot application using IDToken and client mapper. As always, the full source code of this tutorial is available over on GitHub. Additionally, the authorization server source code is available over on GitHub.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE
Security footer banner
Comments are closed on this article!