Securing REST APIs using Keycloak and Spring OAuth2
The Keycloak documentation suggests three ways to secure Spring-based REST APIs:
- Using the Keycloak Spring Boot Adapter
- Using the Keycloak Spring Security Adapter
- Using OpenID Connect (OIDC) + OAuth2
Let us see how we can use Keycloak's OIDC support together with the Spring OAuth2 library to secure REST APIs.
1-1. OpenID Connect (OIDC)+ OAuth2
- OpenID Connect can use the "Authorization Code Grant"; in Keycloak this is the "Standard Flow Enabled" switch in the client's settings.
- In practice, security.oauth2.resource.token-info-uri is not a mandatory property.
1-2. PKCE Verification in Authorization Code Grant
1-3. OAuth 2.0 Device Authorization Grant Flow Example
The OAuth 2 Device Authorization Grant, formerly known as the Device Flow, is an OAuth 2 extension that enables devices with no browser or with limited input capability to obtain an access token.
You might have experienced the Device flow when authorizing a PlayStation or a TV app to access your Microsoft or Google account.
1. OAuth 2 Grant Types
Example for config: security.oauth2.resource.jwt.key-value
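The following is an added example, not code from the original post: a minimal Spring resource server that validates Keycloak-issued JWTs locally with the realm public key set in security.oauth2.resource.jwt.key-value, which is why security.oauth2.resource.token-info-uri is not required. It assumes the legacy spring-security-oauth2-autoconfigure stack; the realm name, host, class names and the placeholder key are assumptions.

```java
// Added example (not from the original page). Assumed dependency:
// spring-security-oauth2-autoconfigure on Spring Boot 2.x.
//
// application.properties (assumed values; the key is the realm's RS256 public key,
// copied from Realm Settings > Keys in Keycloak, shown here as a placeholder):
//   security.oauth2.resource.jwt.key-value=-----BEGIN PUBLIC KEY-----\n<REALM_PUBLIC_KEY>\n-----END PUBLIC KEY-----
//   # Alternative: fetch the realm signing keys from its JWKS endpoint instead
//   # security.oauth2.resource.jwk.key-set-uri=https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/certs
//   # No security.oauth2.resource.token-info-uri: the signature is verified locally,
//   # so the API never calls back to Keycloak for each request.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableResourceServer
public class ApiApplication extends ResourceServerConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(ApiApplication.class, args);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Every request must carry a valid Bearer token except the public paths.
        // Expired tokens and tokens not signed by the configured key are rejected
        // with 401 before any controller runs.
        http.authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .anyRequest().authenticated();
    }
}

@RestController
class HelloController {
    @GetMapping("/api/hello")
    public String hello() {
        return "hello, authenticated caller";
    }
}
```

Because verification is local, rotating the realm key in Keycloak requires updating key-value (or switching to jwk.key-set-uri so keys are refreshed from the realm automatically).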
1-2. OAuth 2 Implicit Grant Type
Here the code (Authorization Code) is not issued by the user-authorization-uri.
1-3. Requesting Token with Password Grant
1-4. Client Credentials Grant