Authorization based on Role Based Access Control using Keycloak and Spring Boot 3.0

Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box authentication and authorization services as well as advanced features like User Federation, Identity Brokering, and Social Login.

Springboot 3 is major release of Spring Boot which is based on Spring Framework 6.0 and will require Java 17 or above. There are breaking changes with Spring Security 6.0 as listed here .

The breaking change with SpringBoot 3 that is of interest to us is the removal of WebSecurityConfigurerAdapter. KeycloakSpring adapter that we used earlier will not work because KeycloakWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter.

It was also announced by the Keycloak team that Keycloak adapters are deprecated and there will not be any future updates or fixes.
It is recommended to use Spring Security provided OAuth2 and OpenID Connect support.

In this article we will see how to use spring-secuity-oauth2 to integrate SpringBoot 3 application with Keycloak. we will also see how Springboot 3 based Resource Server performs authorization decisions based on role-based access control (RBAC). In Keycloak roles are granted to the users who are trying to access protected resources.

To understand better, Let’s look at a sequence diagram, In this article we will be demonstating Steps 3–8. Keycloak is our Autherization Server and SpringBoot application is the resource Server.

What is Resource Server ?

The resource server is the OAuth 2.0 term for our API server. The resource server handles authenticated requests after the application has obtained an access token. Resource Server validates OAuth token and verifies Authorization to access protected resource ( in our case REST APIs).

Spring Boot and Keycloak

We will be usingspring-boot-starter-oauth2-resource-server which is resource server…