Authorization based on Role Based Access Control using Keycloak and Spring Boot 3.0

Ravinder Thirumala
7 min read · Apr 27, 2023

Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box authentication and authorization services as well as advanced features like User Federation, Identity Brokering, and Social Login.

Spring Boot 3 is a major release of Spring Boot that is based on Spring Framework 6.0 and requires Java 17 or above. There are breaking changes with Spring Security 6.0, as listed here.

The breaking change in Spring Boot 3 that is of interest to us is the removal of WebSecurityConfigurerAdapter. The Keycloak Spring adapter that we used earlier will not work because KeycloakWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter.

It was also announced by the Keycloak team that Keycloak adapters are deprecated and there will not be any future updates or fixes.
It is recommended to use the OAuth2 and OpenID Connect support provided by Spring Security instead.

In this article we will see how to use spring-security-oauth2 to integrate a Spring Boot 3 application with Keycloak. We will also see how a Spring Boot 3 based Resource Server performs authorization decisions based on role-based access control (RBAC). In Keycloak roles are granted to the…
