REST Service Protected Using Keycloak Authorization Services
Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box authentication and authorization services as well as advanced features like User Federation, Identity Brokering, and Social Login.
Keycloak provides fine-grained authorization services as well. This allows you to manage permissions for all your services from the Keycloak admin console and gives you the power to define exactly the policies you need.
We are going to see how to use Keycloak Authorization services to protect REST APIs by using a set of permissions and policies defined in Keycloak. Access to these APIs is enforced by a policy enforcer that intercepts every REST call.
Spring Boot and Keycloak
We will write a RESTful service with SpringBoot and then secure it with Keycloak. We will be writing course-management application providing REST API for managing Courses in a University setting. Our resources here are the REST APIs . Before looking at Application we will setup Keycloak Server and then Configure it.
Set Up Keycloak
Download Keycloak from here, unzip, and start the Keycloak using the following command:
In your browser, go to
Since it’s the first time that the Keycoak server is running, you will have to create an admin user, so let’s create an admin user with
admin as the username and password as
Now, log in to Keycloak using
admin user and start configuring Keycloak; the
admin user is created in the default realm called