Spring boot 3 Keycloak integration for beginners | The complete Guide
Вставка
- Опубліковано 23 лип 2024
- Buy me a coffee: ko-fi.com/boualiali #Keycloak #springboot3 #Java #WebSecurity #SSO #OpenIDConnect #OAuth2 #IAM #Tutorial #WebDevelopment
Unlock the power of secure applications with this in-depth tutorial on integrating Keycloak, a robust open-source Identity and Access Management solution, with Spring Boot, one of the industry's leading Java application frameworks.
🎁 Spring Data JPA course: aliboucoding.com/p/the-full-g...
🎁 🚀 COUPON Code: EARLYBIRD20
Source code: github.com/ali-bouali/keycloa...
Don't Forget to
===========================================
💯 Free courses here: aliboucoding.com/courses
💯 Subscribe to the youtube channel
💯 Join our Discord Community - / discord
💯 Join our Facebook Group - / 589612651142975
💯 Join our Instagram: / alibou_coding
Whether you're building enterprise-grade applications or developing personal projects, effective identity and access management is critical. Keycloak, with its comprehensive set of features like Single Sign-On (SSO), Identity Brokering, User Federation, and Fine-Grained Authorization Services, provides a solid foundation for securing your applications.
Boost your Spring Boot applications' security to the next level by mastering Keycloak integration. This tutorial is perfect for developers of all levels eager to enhance their understanding of application security.
Make sure to hit the 'Subscribe' button for more tutorials and guides on Java, Spring Boot, Keycloak, and more. If you have any questions, please leave a comment below; we'd love to hear from you!
Table of Content:
00:00 Introduction
01:07 Course curriculum
02:35 Keycloak feature
06:05 Keycloak advantages
07:59 Keycloak terms
11:24 Exploring the documentation
14:37 Intall Keycloak
16:56 Exploring & Playing with Keycloak
33:56 Create new Spring boot project
34:52 Create a demo controller
36:09 Add security configuration
39:04 Add OAuth2 configuration
42:02 Test the chnages
44:28 Add roles support
49:26 JWT token converter
01:09:44 Test and debug
01:12:50 Outro
Join the Micro Services course waiting list and get and get an exclusive EARLY-BIRD discount
aliboucoding.ck.page/d0f9317e13
Thank you. I'm watching the second video on security in Spring boot on your channel and I'm absolutely delighted! No one has explained better yet.
I’m super happy to know that. Happy to have you here
Finally a tutorial that explains very well how keycloak works and its integration with springboot, thank you 🙏🏾
Glad you liked it!
안녕하세요
알기 쉽고 꼼꼼하게 설명해주셔서 너무 감사합니다ㅜㅠ
구독 할게요!
Happy you liked it!
Great video, it's really helpful that developers like you are putting hardcore efforts to share their knowledge.
Dear alibou,
I wanted to take a moment to say thank you for your amazing tutorial video on UA-cam about Keycloak and its implementation in Spring Boot. Your video was incredibly helpful and easy to understand.
I really appreciate how you explained the concepts of Keycloak and showed how it can be integrated with Spring Boot. Your explanations were clear and straightforward, making it easy for me to follow along.
If possible, it would be great if you could create a video tutorial specifically focusing on the authentication flow. This would greatly enhance our understanding of the topic.
Additionally, I would love to see a video tutorial on debugging in IntelliJ IDEA. As a beginner developer, learning effective debugging techniques is crucial, and I believe your guidance would be highly beneficial.
Thank you once again for creating such valuable educational content. Your videos have significantly improved my understanding of Keycloak and Spring Boot, and I eagerly look forward to watching more of your tutorials in the future.
Best regards,
ArefSa
I really appreciate this comment.
Those following this video, pls disable all the required actions in Configure -> Authentication -> Required actions tab. Applicable for keycloak 24.0.5.
Thank you!! I got an "invalid_grant" error before disabling them 😂😂
@edouardo_afangnon1783 yup was having same error.
Life saver! Thanks a lot bro
I'm a Java fresher, and this time I want to work on a personal project involving Spring Security combined with JWT and OAuth2. I have watched many of your tutorial videos, and I must say they have been extremely helpful to me. Thank you for all the knowledge you have provided.
Happy you liked it
Thanks, bro. This is probably the best video on the subject that I've come across recently. You're good at explaining things. I'd like to see another video on how to perform user registration through REST API and Keycloak.
PS and, yeah, it would be great to watch a good video about OAuth and Spring Security REST API. I know you had something similar, but without the REST API."
Glad you enjoyed it!
I will provide such content ASAP
I was going through a Udemy course, and the Keycloak screens there were too old, the new version of UI is very different. Thankfully I landed on this video. It helped me a lot. Thanks.
Glad it was helpful!
Really appreciate your video, amazing tutorial. Thank you!
Glad you enjoyed it!
Awaited one from you, thanks man, keep rocking 🎉❤❤
Happy you liked it
Thanks for such great tutorial. It helps a lot to get basic understanding of keycloak
My pleasure!
Thanks a lot. your video is fantastic, everything was self-explanatory
Glad you liked it
Thanks a lot Ali. It was a great tutorial as usual.👏
Happy you liked it
I finally watched a video that really helped me! Thank you for that! I would like to know how to make it possible to use Keycloak in both the back-end (Java + Spring) and the front-end with React.👏👏👏👏
Happy you liked it!
I’m working on it
thanks a lot Ali! This was very informative !
Glad it was helpful!
Thank you for the video. Your english is really understandable
You're welcome 😊
Great tutorial :D Thank You :D
Thank you so much!! Your video is really helpful!!
Glad it was helpful!
@@BoualiAli Merci beaucoup! ;)
Thanks a lot for your video, it is easy to understand the concept through your video
Glad to hear that
excellent video, thank you for sharing!
Happy to have you
thank you Ali for this amazing tutorial
My pleasure
Amazing video, perfectly explained, very educational.
Thank you so much for this! (a video on debug mode on IntelliJ would be great).
Great suggestion!
thanks for providing github repo.. it works like a charm
Happy you liked it!
The best spring boot teacher
Happy you liked it
@@BoualiAlii agreed with him
a lot of libraries were deprecated so it was difficult changing from sb2 to 3 but your tutorial helped a lot,thanks
Happy you liked it!
Your explanation was amazing thanks
Happy you liked it
great tutorial very elaborate and informative.
Happy you liked it
mr and so and so forth thank you
Thank you very much for this guide. The JWT Authentication converter is really tough but well explained! I'm looking for now to replicate / save keycloak users into my database.
Why do you need to do that?
@@BoualiAli Because I have some relations between entities like "UUID carOwner" into CarEntity (eg). And I add some business informations to my logged user. Do you think it's a bad practice?
@@remylavergne6424 just save the user id from keycloak
Great tutorial👏
Glad you think so!
Great Video. It really helped me while migrating things over. There are some upgrades missing in your github. Let me know if I can contribute anything and make it complient as per latest spring boot version.
Thanks a lot for the helpful tutorial. Would be great if you can make a tutorial for KeyCloak integration with LDAP/Active Directory.
Great suggestion!
thank you!
Hi..! since we are adding client roles as underlying role to realm roles do we need to add client roles again for the user?
COUPON Code: *EARLYBIRD20* => Spring Data J PA course: aliboucoding.com/p/the-full-guide-to-master-spring-boot-data-jpa
Nice tutorial, can you please go more into detail with keycloak so something like logout, double registration and so an. Amazing video!
Happy you liked it!
I will schedule one soon
The best spring boot teacher (Bouali Ali). I want to new video for Java Concurrency & Multithreading Complete Course
Happy you liked it
I will schedule such a video
thank you for the content. can you demonstrate how to automatically refresh the token once expired without having the user to login again (when microservice1 calls microservice2 for example) ?
If I create a role with "ROLE_user" as the role for the user then I don't have to worry about the 403 forbidden error and also I don't have to write the extra configuration for it ? to modify the roles from "user" to "ROLE_user" ?
One interesting tutorial would be one for interacting with keycloak using it's API's. For example creating users, updating passwords etc...
I will cover this part in a separate video
@@BoualiAli this sounds great. Can’t wait to see that video 🙂
Thank you for the helpfull vdo. Please continue for user federation and store in db.
Custom User Storage Provider
Thank you, I will
Is there any point on assigning client_admin role when we have already assigned the realm admin role with is a composite role associated with the client_admin? Shouldn't it be included in the realm admin role
You are perfect bro!
I appreciate that!
Great. Thx a lot
You are welcome!
With quarkus you don't need to write this bunch of classes and settings, just use a single @ROLES notation. Spring still has a lot to evolve compared to other frameworks. Actually what saved Spring was the Graal VM
Spring is always 3 years (at least) ahead of the rest of the frameworks.
For quarkus, I need to try it and the we can discuss
Spring is more mature and better documented.
I would still go with spring because my company uses it.
Hi Bouali, frist of all thank you for the video! I have to implement a similar project trough keycloak. I' using java 21 and spring boot 3.2.0, and I have to use a JWT bearer instead of a Bearer Token. Is it possibile? It's good idea using this application such base for trying to update my project?
Thank you!!!
Happy you liked it
Amazing video Bouali. One question: How could I register new users in frontend with keycloak using Angular with springboot? in my frontend in a login form, first I check if the credencials is ok, if it is ok, I return the token for user be able to make request, is it right? Thanks
Thank you so much
Happy you likedit
Great video. How do we connect user signup and login to this so that KeyCloak can track it then
Hi, thanks for the video! I am wondering, can i use this guide for microservice architecture? If so, each microservice should have this spring security impl, or can i build my project in a different way, for example using security only for gateway and adding some general security to another microservices?
It is enough to add security to API Gateway
Hey hi @boualiAli i have implemented the keyCloak integration with spring boot 3 but in case of invalid or expired token it is not throwing any exception can you please help me
please make more video about keycloak, tks for your helpful video
Sure thing!
Good video. 43:44 when i put the bear token it tells me also unauthorized ! anyone had the same problem ?
thank you bro for this video , but i had problmes regarding some deprecated versions of security , can u help me please ?
thanks in advance
@BoualiAli This is very good and well explained. But how to implement opaque token, is it even possible?
thank you for this amazing tutorial.can you please make a video for implementation of multi tenancy with Keycloyk?
Great suggestion!
Is there a way to generate token without knowing that magic url? How did you know the url? Is there any documentation about this?
Thank you for this awesome content.
Pls can you make a video for multiple implementation of UserDetaisService, so that the system can use multiple table for authenticating user depending on the Login endpoint. Thank you
Happy you liked it
The question that you really need to ask: why you have such system design?
I guess you need to review you database design and group all the users in one table.
Please provide more details and I will try to answer and assist you
I have a question. On your step cal to postman get token, I can see you don't have client_sercret, but the token still return. I follow you on my website, it return error:
{
"error": "unauthorized_client",
"error_description": "Client secret not provided in request"
}
That mean I missing client_sercret, please elaborate it. Thanks so much
for the tutorial, I created a public API so I didn't need a client secret
Hi, thanks for your video! I have a question about the flow of a real application. Does my frontend connect directly to Keycloak for authentication, or does it go through my backend, which then connects to Keycloak for authentication?
yes
Thanks my friend for your lessons
My pleasure 😇
@@BoualiAli what about Spring Rest Data or maybe Spring Cloud?
@@DashaZakella1001 what about them?
@@BoualiAli can you make a video of them?
Hi, Thanks for the video. I would like to point out something about the role settings. Perhaps you need to make it a bit clearer that point. It seems we are defining users for the REALM. We can define Roles for a Realm as well. So any user that is defined under a particular realm can be associated with any role that is created within the same realm. For global permissions roles such as ADMIN, USER, MANAGER etc, may be handled by this realm role definition. Probably for fine-grain authorization within a client, we may need extra role definitions under a particular client such as USER(read but not write), ADMIN(data posting, updating etc).
Sure, I will make that clear in the next video
Thank you very much for this video. I was searching for a good tutorial for a long time, but most tutorials just throw some random code and config in your face, without any explanation. Mostly this does not really work and you have got no change to understand what you are doing and what is going wrong.
This one is very different and I got a better understanding what is happening and I have got the feeling to start over by myself.
Great to hear!
Hi, thank you for the great video. I learned a lot and now I know how to build my web service safely. Thanks a lot for that! However, I still have one question: how do I get good tests written for it now? I follow the "test first" approach and of course my tests pop and don't work anymore. It doesn't work at all, because a token is missing to call the API. Can you say something about this, share a link or make a video?
You can mock the security context.
Please share more details on our discord server
Danke!
I really appreciate that ❤️❤️
Dear Alibou,
I have question about JWT converter, how i can claim user attributes from user details in keycloak and i want use this claims for my controller or service? sorry for my grammar i still learning english. I hope you understand what i mean. Thank you Mr. Alibou great video
Your english is good 👍.
I already explained it in the token converter part
How would you forgo if you had to store additional user info that keycloak does not support like for example user preferred language?
Happy you liked it
I will create another video to show this details
@@BoualiAli that would be really helpful, thank you 😁
So, you don't need any keycloak dependencies in POM? Spring security is abstracting it? Also how to make rest api accept any of two tokens , one from keycloak and another one from diff auth server?
Check the oauth2 video. This will help you understand the flow
I made a keycloak-spring-angular application using keycloak 18, I had to use the admin client to make the spring backend function as a middleware, because you can make a user in the keycloak window, but it would make a user by standard with the default-user profile, and you can assign a role to that group, but I had no idea how to differentiate between the users without using that middleware. Is there a way to do that? And using spring as middleware, makes it so you don't have to rewrite the custom keycloak registration page or start sending attributes with the jwt
Can you please explain more. I really didn't get the issue
@@BoualiAli so when making a user, using the default login page in keycloak, it automatically uses the default_group to register a user, à group to which you can assign the role Member for example, but I could not figure out how to give someone the role Mentor for example, because it defaults to default_group on the register page, that's why I had to use my Spring Backend as Middleware, making a rest call to the keycloak server and filtering through the realm roles to pick the right one, so my question is, can you differentiate between groups / users on the default keycloak registration page?
I I put @Controller annotation and I am redirecting JSP pages according to the role based ,when I hit endpoint requests ,the access token generated is not being sent with the request how to do it,with postman it is working properly ,because we are giving request with the newly generated access token .what to do,how to do with browser help me
You need to include the token in the header of the request
Hey thanks for the tutorial, I am new to this so have a few questions..
1. Instead of appending Role in code can't we just do it in keycloak itself.
2. Can we use some kind of pattern matching like antmatcher and assign roles for endpoints instead of using preauthorize on each endpoint?.. it might become repetitive as endpoints increase to double digits.
Happy you liked it!
1- yes it is possible but you need to configure your spring app to remove the prefix (ROLE_)
2- yes you can do that, check the roles and permissions video and you will have a clearer picture how to implement it
👍👍👍👍👍thank you
You are so welcome!
Thanks for this awesome tutorial. However, I am following your steps but when trying to retrieve a token I keep getting
"error": "invalid_grant", "error_description": "Account is not fully set up". I've been trying for 2 hours to figure it out but can't wrap my head around this. Any help is appreciated.
you need to complete the user profile by providing all the required info: username, firstname, lastname, email
I love your videos, this was really helpful to understand keycloak, but i would love to see if its possible to make a controller that gets the user credentials and with those credentials to make the request to the keycloak for the authentication if you have any tip on this it would be helful. Thanks again for the hard work !
Happy you liked it.
if you need such functionality, you just need to invoke the same endpoint I used in postman and pass the required body with the correct values and you will get the token
@@BoualiAli I tried that way and managed to make it work now i skipped the "/authentication" url so it can be accessed without Authorization header. And when i make a new request i pass the new token that i got from authentication to the request so Keycloak can make the check if the user is authenticated and has the right role to access the resources.
Thanks again for help !
ti voglio bene
Hello @BoualiAli thank you for taking your time to provide such detail tutorial on keycloak. I'm having issue logging in my user on postman. I've followed your steps but I keep getting this response:
`{
"error": "invalid_grant",
"error_description": "Account is not fully set up"
}` I'd like your advice on this. Thank you.
Your realm and client are missing configuration.
Please follow carefully
Please disregard this. Apparently, it is required that I provide the user email address and full name.
Hi, Great explanation
Via spring boot security application need to add the user registration and authentication how to handle that?
coming next week
Hi Ali, first of all I want to thank you for this very detailed and well-explained guide, it really helped me have a clearer idea on how keycloak integration works in spring boot,
but I really want to ask for help on this minor problem,
i'm still getting 403 forbidden when even after adding the role
Please follow the steps precisely and assign the roles to the user
Very nice explanation
We need custom temple with keycloak for login and try to use front end as a react and back end is an springboot
Note: When we are hitting front end that should be redirect to keycloak login custom template if user validated then we need to redirect to springboot and Response send to front end
Thanks in advance
Happy you liked it!
I will cover more topics soon
Thanks @@BoualiAli
Nice video. But can you please make a video on how to log out user and change the session time using keycloak & spring security
Happy you liked it
I will create another video more detailed
@@BoualiAli Thanks. Eagerly waiting for it.
For those who get this in postman (minute 30:34)
{
"error": "invalid_grant",
"error_description": "Account is not fully set up"
}
What worked for me was: setting the email, firstname and lastname for the user.
Thanks! :D
ma man ♥
thanks
Thanks man :)
Tks you so much :D
Hello, great video tutorial, but could you explain how you can secure endpoints without using method level annotations? Thanks
Check the Spring boot roles and pernmission video and you will have you answer there
Thank you for this video. At 1:09:14, jwt() is deprecated, I simply used jwt(Customizer.withDefaults()) which works. However, jwtAuthenticationConverter() isn't working. I have been trying to find an alternative way to inform the security filter chain of the custom jwtAuthConverter.
Please can you help with this.
Hello Bouali. I found a way around it.
In the security filter chain, this is how it appears
http.oauth2ResourceServer(oAuth2ResourceServer -> oAuth2ResourceServer
.jwt(jwtConfigurer -> jwtConfigurer.jwtAuthenticationConverter(jwtAuthConverter)));
Nice work!
Yes this is the way to fix it
@@BoualiAli Thank You.
Thank you so much kindly put video about websocket chatbot spring boot thank you soooo much for you help
Wow, I just finished recording this video.
It will be published really soon
Really thank you soo much sir you are great crystal clear explanation thank you so much sir
Now, the question is, how the heck you integrate it with the actual frontend??, I mean, I usually use SpringSecurity with JWT so what I do is I implement a service for the user to actually login which will return a minimal dataset about the user (like the name, the avatar, etc) and also the generated authentication Bearer token, so from ther on, the front end will have to attach that Bearer token to the header any time it wants to consume a service from my backend.
Here I'm missing that last part, how does the frontend tell the backend it is authenticated?
will be explained in the coming video
Hi, thanks for the video! I have a question (maybe someone already found an answer): I tried to just create a new role ROLE_test_admin, and got 403, I guess it was because of principal, but why... What I'm trying to understand why we need to read "preferred_username" instead of "sub"?
That's very strange, but the problem is not in principal "preferred_name" or "sub". "JwtAuthenticationConverter" simply doesn't get "resource_access....roles". It only checks
Arrays.asList("scope", "scp");
That's the reason... why...
@@dmitriizheleznikov2949 try using hasRole rather than hasAuthority on the method.
This was really helpful!
Is there a way to make the user manage his account (change username etc.) with some kind of rest api call?
Happy you liked it
Yes, you can use the keycloak endpoints to do that.
I will try to make a video for that if you find it useful
@@BoualiAli It would be really helpful as I couldn't find any guides on how to do that
Great video but I have an error. Regarding jwt, I have a question. I have been following your instructions, but at the SecurityConfig phase, it tells that .jwt() has been deprecated. How do I approach this?
I think you’re using 3.1
Use 3.0 instead
@@BoualiAli it works , thank you
How to create an user on keycloak with Java code ?
How can we test this security configuration setup? Maybe you can do a tutorial on unit testing the security chain.
Good idea
Great content, thanks for the amazing course.
I would spend less time with the conversion shenanigans and would invest this time elaborating some Unit tests for mocking Keycloak for coverage purposes.
Great suggestion!
thank You Ali for This amazing tutorial ,can u do a vid about keycloak(24.0.1) authentifiaction(login//logout)with spring boot 3 thanks
coming next week
Another great spring tutorial!
Is it possible to combine this one together with spring social login?
Thanks!
Happy you liked it
I will provide a video about that too
@@BoualiAli thanks 🙏
Hi there, great content! Just a quick question is it correct to say principle or principal? As I think we are referring to the request initiator which in this case would be a principal, but we refer to it as principle. Is this a typo or that's how it is supposed to be? Keep up the good work :)
Can you please remind me which part of the video 😅
@@BoualiAli For example the field principleAttribute, shouldn’t that be principalAttribute? I don’t get what are you referring to when you say principle? Just needed to clarify this :)
Hi, How to send a token request to keycloak for a particular role? Like instead of getting all the roles in token for a user, we can specify the role and get role specific token. Is it possible?
I really didn't get the use case. can you explain a bit more please?
@@BoualiAli So what's happening is that we have multiple roles per user. Now when we are getting the access token for that user, the payload will consist of all the roles the user have. || Now, what I want is can I already specify the role for that user ? Like a user can have ADMIN or REGULAR role. So can I get ADMIN specific or REGULAR specific access token?
Hello,
Your tutorial is very good.
Can you make a tutorial in which, in addition to Keycloak 21 and Spring Boot 3, Angular 16 is also integrated?
There are few tutorials that integrate Keycloak, Spring Boot and Angular, and if there are, they are old because Keycloak has changed a lot in the meantime and many things are no longer the same.
Thank you!
Happy you liked it
I'm working on a full angular video and it will be released soon.
After that I will create another one for keycloak integration with Angular too
@@BoualiAli Thank you!
I am a fan of Angular and Spring Boot ❤
@@BoualiAli i will wait that
@@BoualiAli yes that is so awesome. Thank you.
I've a question sir : I saw when you created spring project with needed dependencies, you chose Oauth2 Resource Server. Can you let me know when should we choose Oauth2 Authorization Server or Oauth2 Client ? Thank you so much!!
-> Choose OAuth2 Authorization Server when you want to manage user authentication, issue access tokens, and handle authorization for your own resources.
-> Choose OAuth2 Client when you need to access resources protected by an OAuth2 provider, such as social media APIs or third-party services.
-> Choose OAuth2 Resource Server when you want to secure your own resources and validate incoming requests with OAuth2 access tokens, effectively acting as a protected resource server.
=> Authorization Server is for managing your own resources' security, OAuth2 Client is for accessing external resources, and OAuth2 Resource Server is for securing and protecting your own resources.
@@BoualiAli Thank you so much for very clear answer. I appreciate it!