A minimal Java Spring Boot SPA integrated with Keycloak using OpenID Connect (OIDC) for authentication.
This project demonstrates how to:
- Secure a Spring Boot application with Keycloak
- Use Thymeleaf to render user info after login
- Run Keycloak and your SPA locally using Docker or native Java
- Automate Keycloak realm and client setup
- Keycloak: Acts as the Identity Provider (IdP) for authenticating users via OIDC.
- Spring Boot Application: Serves as the client that handles user authentication and authorization.
- JWT (`APP_TOKEN`): A custom JWT issued by the Spring Boot application upon successful login, used for stateless session management.
- User Login:
  - The user accesses the application and is redirected to Keycloak for authentication.
  - Upon successful authentication, Keycloak redirects the user back to the application with an authorization code.
- Token Exchange:
  - The application exchanges the authorization code for an ID token and access token from Keycloak.
  - The ID token is parsed to extract user details and roles.
- Custom JWT Issuance:
  - The application generates a custom JWT (`APP_TOKEN`) containing user information and roles.
  - This JWT is set as a secure, HTTP-only cookie in the user's browser.
- Stateless Session Management:
  - Subsequent requests include the `APP_TOKEN` cookie.
  - A custom filter (`AppJwtAuthenticationFilter`) intercepts requests, validates the `APP_TOKEN`, and sets the authentication context if valid.
  - No server-side session is maintained; authentication is stateless.
- Access Control:
  - Endpoints like `/secret` are protected and require valid authentication.
  - Access is granted based on the presence and validity of the `APP_TOKEN` cookie.
`SecurityConfig.java` configures Spring Security to:
- Disable session creation (`SessionCreationPolicy.STATELESS`).
- Implement custom authentication filters.
- Define authorization rules for endpoints.
The authentication success handler handles the successful authentication event by:
- Generating the `APP_TOKEN` JWT.
- Setting the `APP_TOKEN` as a secure, HTTP-only cookie.
- Redirecting the user to the home page.
`AppJwtAuthenticationFilter` intercepts incoming requests to:
- Extract and validate the `APP_TOKEN` cookie.
- Set the authentication context if the token is valid.
- Reject requests with invalid or missing tokens.
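The flow, `SecurityConfig`, success handler and `AppJwtAuthenticationFilter` described above, as one added example (this is not the project's own code). It assumes `spring-boot-starter-oauth2-client` on the classpath (which brings `nimbus-jose-jwt` transitively) and an `APP_JWT_SECRET` environment variable, a hypothetical name, holding at least 32 random bytes for the HMAC key; the issuer value `spa`, the 15-minute lifetime and the `roles` claim name are likewise choices made here, not taken from the page.

```java
// Added example (not the project's own code) of the wiring this README describes: oauth2Login
// via Keycloak, STATELESS sessions, a success handler that mints the APP_TOKEN cookie, and
// AppJwtAuthenticationFilter validating it on every request. Assumes spring-boot-starter-oauth2-client
// (which brings nimbus-jose-jwt) and an APP_JWT_SECRET env var (hypothetical) of >= 32 random bytes.
package com.example.spa;

import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;

@Configuration
public class SecurityConfig {
    static final String COOKIE = "APP_TOKEN", ISSUER = "spa";
    static final long TTL_SECONDS = 900; // keep short: a stateless token cannot be revoked server-side
    // Server-held HMAC key; MACSigner rejects anything shorter than 256 bits.
    private final byte[] secret = System.getenv("APP_JWT_SECRET").getBytes(StandardCharsets.UTF_8);

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(a -> a.requestMatchers("/", "/error").permitAll()
                                         .anyRequest().authenticated())   // includes /secret
            // Success handler: copy subject, username and roles from the ID token into APP_TOKEN.
            .oauth2Login(o -> o.successHandler((req, res, auth) -> {
                OidcUser user = (OidcUser) auth.getPrincipal();
                List<String> roles = user.getAuthorities().stream()
                        .map(GrantedAuthority::getAuthority).toList();
                Cookie c = new Cookie(COOKIE, mint(user.getSubject(), user.getPreferredUsername(), roles));
                c.setHttpOnly(true); c.setSecure(true); c.setPath("/"); // no script access, HTTPS only
                c.setMaxAge((int) TTL_SECONDS);
                c.setAttribute("SameSite", "Lax");                     // Servlet 6 API
                res.addCookie(c);
                res.sendRedirect("/");
            }))
            .addFilterBefore(new AppJwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    /** Build the custom JWT and HMAC-sign it with the server-held secret. */
    String mint(String subject, String username, List<String> roles) {
        long now = System.currentTimeMillis();
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(subject).issuer(ISSUER)
                .claim("preferred_username", username).claim("roles", roles)
                .issueTime(new Date(now)).expirationTime(new Date(now + TTL_SECONDS * 1000)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        try {
            jwt.sign(new MACSigner(secret));
        } catch (JOSEException e) {
            throw new IllegalStateException("cannot sign APP_TOKEN", e);
        }
        return jwt.serialize();
    }

    /** Per-request check of APP_TOKEN: pinned alg, valid HMAC, expected issuer, not expired. */
    class AppJwtAuthenticationFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            String token = null;
            for (Cookie c : req.getCookies() == null ? new Cookie[0] : req.getCookies())
                if (COOKIE.equals(c.getName())) token = c.getValue();
            if (token != null) {
                try {
                    SignedJWT jwt = SignedJWT.parse(token);
                    JWTClaimsSet claims = jwt.getJWTClaimsSet();
                    boolean ok = JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())
                            && jwt.verify(new MACVerifier(secret))
                            && ISSUER.equals(claims.getIssuer())
                            && claims.getExpirationTime() != null
                            && claims.getExpirationTime().after(new Date());
                    List<String> roles = claims.getStringListClaim("roles");
                    if (ok) SecurityContextHolder.getContext().setAuthentication(
                            new UsernamePasswordAuthenticationToken(claims.getSubject(), null,
                                    (roles == null ? List.<String>of() : roles).stream()
                                            .map(SimpleGrantedAuthority::new).toList()));
                } catch (Exception e) {
                    SecurityContextHolder.clearContext(); // forged/malformed: stay anonymous, /secret is denied
                }
            }
            chain.doFilter(req, res);
        }
    }
}
```

Two caveats worth knowing when running this. First, the `roles` copied here are the `OidcUser` authorities Spring derives by default (`OIDC_USER` plus `SCOPE_*`); Keycloak realm or client roles only appear if a `GrantedAuthoritiesMapper` maps them from the token claims. Second, `SessionCreationPolicy.STATELESS` stops Spring Security from storing the authenticated context in a session, but the default `HttpSessionOAuth2AuthorizationRequestRepository` still puts the `state`/PKCE data in the servlet session between the redirect to Keycloak and the callback, so a `JSESSIONID` is issued for the login leg even though the authenticated session itself lives only in `APP_TOKEN`.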
To log out:
- Delete the `APP_TOKEN` cookie: this removes the user's session token from the browser. Because the token is validated statelessly, deleting the cookie does not revoke the token itself; a copy stays valid until its expiry, so keep the token lifetime short.
- Invalidate the Keycloak session: redirect the user to Keycloak's end-session endpoint (with a `post_logout_redirect_uri` registered on the client) to terminate the session on the IdP side. Without this step the next login redirect would silently sign the user back in through the still-active Keycloak SSO session.
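The two logout steps above as an added example (not the project's own code). It assumes the OIDC client is registered in `application.yml` under the registration id `keycloak` with `issuer-uri` set, so that Spring has fetched the discovery document and `end_session_endpoint` is available in the provider metadata; `KeycloakLogoutSuccessHandler` and the `/logout` URL are names chosen here. The post-logout URL must be listed under the client's "Valid post logout redirect URIs" in Keycloak.

```java
// Added example (not the project's own code): logout for the stateless APP_TOKEN design.
// Step 1 clears the cookie; step 2 sends the browser to Keycloak's RP-initiated logout
// endpoint. Assumes a client registration named "keycloak" (assumption) configured with
// issuer-uri, so ProviderDetails carries the discovery metadata.
package com.example.spa;

import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;
import java.io.IOException;

@Component
public class KeycloakLogoutSuccessHandler implements LogoutSuccessHandler {
    private final ClientRegistration keycloak;

    public KeycloakLogoutSuccessHandler(ClientRegistrationRepository registrations) {
        this.keycloak = registrations.findByRegistrationId("keycloak");
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth)
            throws IOException {
        // 1. Delete APP_TOKEN. Path and flags must match the cookie as it was set, or the browser keeps it.
        Cookie gone = new Cookie("APP_TOKEN", "");
        gone.setMaxAge(0); gone.setPath("/"); gone.setHttpOnly(true); gone.setSecure(true);
        res.addCookie(gone);

        // 2. RP-initiated logout at the IdP. end_session_endpoint comes from OIDC discovery
        //    (for Keycloak it is <issuer>/protocol/openid-connect/logout). client_id is sent
        //    so Keycloak accepts post_logout_redirect_uri without an id_token_hint, which the
        //    stateless APP_TOKEN authentication no longer has at hand.
        String endSession = String.valueOf(
                keycloak.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint"));
        String home = UriComponentsBuilder.fromUriString(req.getRequestURL().toString())
                .replacePath("/").replaceQuery(null).build().toUriString();
        String target = UriComponentsBuilder.fromUriString(endSession)
                .queryParam("client_id", keycloak.getClientId())
                .queryParam("post_logout_redirect_uri", home)
                .encode().build().toUriString();
        res.sendRedirect(target);
    }
    // Wire it in the SecurityFilterChain (the bean is injected into SecurityConfig):
    //   http.logout(l -> l.logoutUrl("/logout").logoutSuccessHandler(keycloakLogoutSuccessHandler));
}
```

Spring's `LogoutFilter` handles `/logout` before any controller, and with CSRF protection enabled it only accepts `POST`, so the logout link in the page should be a form submit rather than a plain link. Spring's own `OidcClientInitiatedLogoutSuccessHandler` is not used here because it reads the ID token from an `OidcUser` principal, which the `APP_TOKEN` filter does not produce.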
- Spring Boot 3.x / Java 17
- Spring Security 6.1+ with modern lambda DSL
- OAuth2 Login via Keycloak (OIDC)
- Stateless session management via the `APP_TOKEN` cookie (the authenticated session is not tied to a server-side `JSESSIONID`)
- Logout support from both SPA and Keycloak
- Dockerized Keycloak with automatic realm import
- Java 17+
- Maven 3.9+
- Docker & Docker Compose (optional, for containerized Keycloak)
- Keycloak 25+ (Quarkus distribution)
Project Structure

```text
keycloack-poc/
├─ spa/                        # Spring Boot SPA
│  ├─ src/
│  │  ├─ main/
│  │  │  ├─ java/
│  │  │  │  └─ com/example/spa/
│  │  │  │     ├─ SpaApplication.java
│  │  │  │     ├─ SecurityConfig.java
│  │  │  │     └─ WebController.java
│  │  │  └─ resources/
│  │  │     └─ templates/
│  │  │        └─ index.html
├─ docker/
│  └─ keycloak/
│     └─ realm-export.json     # Exported Keycloak realm
├─ pom.xml
└─ application.yml
```
- Runs Keycloak in development mode (`start-dev`); this mode skips TLS and the production-readiness checks, so use it for local development only
- Configurable bootstrap admin username and password
- Easy setup for testing authentication and authorization flows
- Lightweight POC, suitable for local development
- Java 17+ installed
- Bash shell (Linux/macOS/WSL)
- Keycloak distribution installed at `/opt/keycloak`
- Clone this repository:

```bash
git clone https://github.com/arisath/keycloack-poc.git
cd keycloack-poc
```