Integrating Keycloak with Spring Boot — A Practical Guide

After understanding the core concepts of SSO, it’s time to see a **real implementation**. In this post, we integrate **Keycloak** with a Spring Boot application, showing login flows, adapters, and configuration.


What is Keycloak?

Keycloak is an open-source Identity and Access Management (IAM) solution that supports:

  • Single Sign-On (SSO)
  • OAuth2 and OpenID Connect
  • LDAP / Active Directory integration
  • User federation, roles, and fine-grained authorization

It acts as the **Identity Provider (IdP)**, while your Spring Boot app acts as the **Service Provider (SP)**.


Step 1: Set up Keycloak

1. Download and run Keycloak (standalone or container):

```bash
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:latest start-dev
```

2. Log in to the Keycloak admin console: http://localhost:8080/
3. Create a realm (e.g., springboot-sso)
4. Create a client (e.g., my-app)
5. Configure the access type as confidential and set the redirect URIs (e.g., http://localhost:8081/*)
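The same Step 1 setup as code, so it is repeatable across dev machines and CI. This is an added example, not code from the original post or from the Keycloak project: it uses the official `keycloak-admin-client` library (assumed to be on the classpath), the `admin`/`admin` bootstrap credentials from the docker command above, and the realm, client and redirect URI names used in this post. It also creates the two realm roles that Step 6 refers to, and prints the generated client secret that Step 3 needs.

```java
// Added example (not from the original post): creates the realm, a confidential client and
// the redirect URI from Step 1 through the Keycloak Admin REST API instead of the console.
// Assumes the org.keycloak:keycloak-admin-client dependency and the bootstrap admin user
// (admin/admin) from the docker command above; these are dev-only values.
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;

public class KeycloakDevSetup {

    static final String SERVER_URL = "http://localhost:8080";
    static final String REALM = "springboot-sso";
    static final String CLIENT_ID = "my-app";
    // Keycloak only redirects browsers (and authorization codes) to URIs matching this list
    static final String REDIRECT_URI = "http://localhost:8081/*";

    public static void main(String[] args) {
        // Authenticate against the master realm with the bootstrap admin user
        try (Keycloak admin = KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm("master")
                .clientId("admin-cli")
                .username("admin")
                .password("admin")
                .build()) {

            createRealm(admin);
            RealmResource realm = admin.realm(REALM);
            String internalId = createConfidentialClient(realm);
            createRealmRoles(realm);

            // The generated secret is the value for keycloak.credentials.secret in Step 3
            ClientResource client = realm.clients().get(internalId);
            String secret = client.getSecret().getValue();
            System.out.println("client secret for " + CLIENT_ID + ": " + secret);
        }
    }

    static void createRealm(Keycloak admin) {
        RealmRepresentation realm = new RealmRepresentation();
        realm.setRealm(REALM);
        realm.setEnabled(true);
        admin.realms().create(realm);
    }

    static String createConfidentialClient(RealmResource realm) {
        ClientRepresentation client = new ClientRepresentation();
        client.setClientId(CLIENT_ID);
        client.setEnabled(true);
        client.setPublicClient(false);               // confidential: the app must present its secret
        client.setStandardFlowEnabled(true);         // authorization code flow for browser login
        client.setImplicitFlowEnabled(false);        // no tokens in the browser URL
        client.setDirectAccessGrantsEnabled(false);  // no password grant
        client.setRedirectUris(List.of(REDIRECT_URI));
        client.setWebOrigins(List.of("http://localhost:8081"));

        try (var response = realm.clients().create(client)) {
            if (response.getStatus() != 201) {
                throw new IllegalStateException("client creation failed: HTTP " + response.getStatus());
            }
        }
        // The resource id is the server-assigned UUID, not the clientId
        return realm.clients().findByClientId(CLIENT_ID).get(0).getId();
    }

    static void createRealmRoles(RealmResource realm) {
        // Realm roles used in Step 6; Keycloak stores the names exactly as given
        for (String name : List.of("ADMIN", "USER")) {
            RoleRepresentation role = new RoleRepresentation();
            role.setName(name);
            realm.roles().create(role);
        }
    }
}
```

Run it once against a fresh `start-dev` instance; running it twice fails on the realm creation because the realm already exists, which is the intended behaviour for a setup script. The Keycloak version of `keycloak-admin-client` should match the server version.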


Step 2: Add Keycloak dependencies to Spring Boot

Add these Maven dependencies:

```xml
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-spring-boot-starter</artifactId>
  <version>22.0.1</version>
</dependency>
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-spring-security-adapter</artifactId>
  <version>22.0.1</version>
</dependency>
```

> Versions may vary; check the latest Keycloak Spring Boot adapters.


Step 3: Configure application.properties

Add the Keycloak configuration:

```properties
keycloak.realm=springboot-sso
keycloak.auth-server-url=http://localhost:8080/
keycloak.resource=my-app
keycloak.credentials.secret=YOUR_CLIENT_SECRET
keycloak.ssl-required=external
keycloak.public-client=false
keycloak.bearer-only=false
```


Step 4: Configure Spring Security Adapter

Create a security configuration class:

```java
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
// Picks up the adapter's Spring Security beans (authentication provider, entry point, filters)
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // installs the Keycloak filters and the login entry point
        http.authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .anyRequest().authenticated();
    }

    // Register the Keycloak authentication provider with Spring Security
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // Abstract in KeycloakWebSecurityConfigurerAdapter, so it must be provided here;
    // the session registry lets Keycloak back-channel logout invalidate local sessions
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }
}
```

This configuration ensures that:

  • Public endpoints are accessible without login
  • All other endpoints require authentication via Keycloak
  • Keycloak authentication provider is used for Spring Security

Step 5: Running the application

1. Start your Spring Boot app (`localhost:8081`)
2. Try accessing a protected endpoint: http://localhost:8081/secure
3. You’ll be redirected to the Keycloak login page
4. After a successful login, you’ll return to the Spring Boot app with a valid session


Step 6: Roles and Authorization

In Keycloak, you can define roles per client or per realm. Then, in Spring Security, you can restrict access:

```java
http.authorizeRequests()
    .antMatchers("/admin/**").hasRole("ADMIN")
    .antMatchers("/user/**").hasRole("USER");
```

> Important: Keycloak roles are mapped to Spring Security authorities.
> Always check how your Keycloak claims are converted.
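What "check how your claims are converted" means in practice, as an added example that is not part of the original post or of the Keycloak adapter: the adapter turns each Keycloak role into an authority with the role name unchanged, while `hasRole("ADMIN")` looks for the authority `ROLE_ADMIN`. The code below extracts roles from a constructed claims map shaped like a Keycloak access token (`realm_access.roles` and `resource_access.<client>.roles`), then compares the raw authorities against the ones produced by Spring Security's `SimpleAuthorityMapper`, so you can see why a valid token can still end in a 403 (the second item under "Common issues"). It depends only on `spring-security-core`; the class and method names are mine.

```java
// Added example (not from the original post): shows how Keycloak roles become Spring Security
// authorities, and why hasRole("ADMIN") can return 403 although the token carries the role.
// Assumes only spring-security-core; the claims map in main() is a constructed sample.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

public class KeycloakAuthorityMappingDemo {

    // Collects realm roles plus the client roles of the named client from decoded token claims
    @SuppressWarnings("unchecked")
    static Set<String> rolesFromClaims(Map<String, Object> claims, String clientId) {
        Set<String> roles = new TreeSet<>();
        Map<String, Object> realmAccess = (Map<String, Object>) claims.get("realm_access");
        if (realmAccess != null) {
            addRoles(realmAccess.get("roles"), roles);
        }
        Map<String, Object> resourceAccess = (Map<String, Object>) claims.get("resource_access");
        if (resourceAccess != null) {
            Map<String, Object> client = (Map<String, Object>) resourceAccess.get(clientId);
            if (client != null) {
                addRoles(client.get("roles"), roles);
            }
        }
        return roles;
    }

    // Tolerates a missing or malformed "roles" claim instead of throwing
    static void addRoles(Object rolesClaim, Set<String> into) {
        if (rolesClaim instanceof Collection) {
            for (Object r : (Collection<?>) rolesClaim) {
                into.add(String.valueOf(r));
            }
        }
    }

    // What the adapter does without a mapper: one authority per role, name unchanged (no ROLE_ prefix)
    static Collection<GrantedAuthority> rawAuthorities(Set<String> roles) {
        List<GrantedAuthority> out = new ArrayList<>();
        for (String r : roles) {
            out.add(new SimpleGrantedAuthority(r));
        }
        return out;
    }

    // What hasRole() expects: ROLE_ prefix, here upper-cased as well
    static Set<GrantedAuthority> mappedAuthorities(Set<String> roles) {
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setPrefix("ROLE_");          // the mapper's default, shown explicitly
        mapper.setConvertToUpperCase(true); // "admin" in Keycloak -> ROLE_ADMIN
        return mapper.mapAuthorities(rawAuthorities(roles));
    }

    // The check hasRole("X") performs: is the authority "ROLE_X" present?
    static boolean hasRole(Collection<? extends GrantedAuthority> authorities, String role) {
        String wanted = "ROLE_" + role;
        for (GrantedAuthority a : authorities) {
            if (wanted.equals(a.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample of the role-related claims in a Keycloak access token
        Map<String, Object> claims = Map.of(
            "preferred_username", "alice",
            "realm_access", Map.of("roles", List.of("admin", "offline_access")),
            "resource_access", Map.of("my-app", Map.of("roles", List.of("user"))));

        Set<String> roles = rolesFromClaims(claims, "my-app");
        System.out.println("roles in token:        " + roles);
        System.out.println("hasRole(ADMIN) raw:    " + hasRole(rawAuthorities(roles), "ADMIN"));
        System.out.println("hasRole(ADMIN) mapped: " + hasRole(mappedAuthorities(roles), "ADMIN"));
    }
}
```

To get the mapped behaviour in the real application, configure the mapper on the provider in `configureGlobal`: obtain the provider with `keycloakAuthenticationProvider()`, call `setGrantedAuthoritiesMapper(new SimpleAuthorityMapper())` on it, and register that instance with `auth.authenticationProvider(...)`. Whether client roles appear in the token at all depends on the client's scope and mapper settings in Keycloak, so inspect a decoded token from your realm before relying on `resource_access`.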


Common issues

  • Redirect loop — often due to incorrect redirect URI or public vs confidential client
  • 403 Forbidden — token valid but roles not mapped correctly
  • Token expiration — default Keycloak token lasts 5 minutes; adjust if needed
  • WebFlux vs MVC differences — reactive apps need special configuration

Next steps

The next post will show **how to debug SSO authentication issues**, including:

  • Token expiration
  • Roles not applied correctly
  • Redirect loops and filter chain problems

This builds naturally on the Keycloak + Spring Boot integration we just set up.

Part of the Spring Boot SSO Series
