Securing REST API using Keycloak and Spring OAuth2
Keycloak is an open source Identity and Access Management server that is compliant with the OAuth2 and OpenID Connect (OIDC) protocols.
The Keycloak documentation suggests three ways to secure Spring-based REST APIs:
- Using Keycloak Spring Boot Adapter
- Using Keycloak Spring Security Adapter
- Using OpenID Connect (OIDC) + OAuth2
Let us see how we can use Keycloak OIDC support and Spring OAuth2 library to secure REST APIs.
1-1. OpenID Connect (OIDC) + OAuth2
- OpenID Connect can use the “Authorization Code Grant”; in Keycloak this corresponds to “Standard Flow Enabled” in the client's settings.
- In practice, security.oauth2.resource.token-info-uri is not a mandatory property:
security.oauth2.resource.token-info-uri=${rest.security.issuer-uri}/protocol/openid-connect/token/introspect
1-2. PKCE Verification in Authorization Code Grant
1-3. OAuth 2.0 Device Authorization Grant Flow Example
The OAuth 2.0 Device Authorization Grant, formerly known as the Device Flow, is an OAuth 2.0 extension that enables devices with no browser or limited input capability to obtain an access token.
You might have experienced the Device Flow when authorizing a PlayStation or a TV app to access your Microsoft or Google account.
1. OAuth 2 Grant Types
1-1. Authorization Code Grant
Example config property: security.oauth2.resource.jwt.key-value
1-2. OAuth 2 Implicit Grant Type
Here no authorization code is released from the user-authorization-uri.
1-3. Requesting Token with Password Grant
1-4. Client Credentials Grant
OAuth 2.0 Refresh Token Example
Reference
Securing REST API using Keycloak and Spring OAuth2