REST Service Protected Using Keycloak Authorization Services

Ravinder Thirumala
6 min read · Jul 12, 2019

Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box authentication and authorization services as well as advanced features like User Federation, Identity Brokering, and Social Login.

Keycloak provides fine-grained authorization services as well. This allows you to manage permissions for all your services from the Keycloak admin console and gives you the power to define exactly the policies you need.

We are going to see how to use Keycloak Authorization services to protect REST APIs by using a set of permissions and policies defined in Keycloak. Access to these APIs is enforced by a policy enforcer that intercepts every REST call.

Spring Boot and Keycloak

Keycloak Client Adapters make it really easy to secure applications and services. Client Adapters are available for a number of platforms and programming languages: there are adapters for JBoss EAP/WildFly, Spring Boot, Angular, Node.js, and JavaScript.

We will write a RESTful service with Spring Boot and then secure it with Keycloak. The service is a course-management application exposing a REST API for managing courses in a university setting; the resources we protect here are the REST endpoints themselves. Before looking at the application, we will set up the Keycloak server and then configure it.
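To show what the Spring Boot adapter side of this looks like, here is an added example (not code from the original article) of the adapter configuration that turns on the Keycloak policy enforcer for such a course-management API. The realm name, client id, endpoint paths, resource name and scope names (`course:view`, `course:create`, `course:delete`) are assumptions for illustration and must match whatever is defined in the Keycloak admin console; the property names themselves are the ones the Keycloak Spring Boot adapter reads.

```properties
# Added example, not from the original article. Realm, client, paths and scope
# names below are assumed for illustration and must match the Keycloak setup.
keycloak.realm=course-management
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.resource=course-api
keycloak.credentials.secret=REPLACE_WITH_CLIENT_SECRET_PLACEHOLDER

# A pure REST API only validates bearer tokens sent by callers; it never starts
# a browser login flow itself, so mark the client bearer-only.
keycloak.bearer-only=true

# Policy enforcer: every request is checked against the permissions defined in
# Keycloak. ENFORCING denies a request by default when no policy is associated
# with the requested resource; PERMISSIVE would let such requests through.
keycloak.policy-enforcer-config.enforcement-mode=ENFORCING

# Collection endpoint: listing needs course:view, creating needs course:create.
keycloak.policy-enforcer-config.paths[0].name=Courses
keycloak.policy-enforcer-config.paths[0].path=/courses
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes[0]=course:view
keycloak.policy-enforcer-config.paths[0].methods[1].method=POST
keycloak.policy-enforcer-config.paths[0].methods[1].scopes[0]=course:create

# Single-course endpoint: the {id} template covers every course id.
keycloak.policy-enforcer-config.paths[1].name=Course
keycloak.policy-enforcer-config.paths[1].path=/courses/{id}
keycloak.policy-enforcer-config.paths[1].methods[0].method=GET
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=course:view
keycloak.policy-enforcer-config.paths[1].methods[1].method=DELETE
keycloak.policy-enforcer-config.paths[1].methods[1].scopes[0]=course:delete
```

The point of the `paths` section is that the mapping from an HTTP method to a required scope lives in the adapter, while the decision of who holds that scope (the permissions and policies) lives in Keycloak. Keeping `enforcement-mode=ENFORCING` is what makes an endpoint you forgot to map fail closed instead of open.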

Set Up Keycloak

Download Keycloak from here, unzip, and start the Keycloak using the following command:


In your browser, go to http://localhost:8080/auth/

Since it’s the first time that the Keycloak server is running, you will have to create an admin user, so let’s create an admin user with admin as the username and admin as the password.

Now, log in to Keycloak using the admin user and start configuring Keycloak; the admin user is created in the default realm, called master.
