How to configure multiple Keycloak sso clients in spring-boot application?

I am configuring Keycloak SSO with Spring Boot micro-services. I want multiple Keycloak clients to access the Spring Boot services. If the Keycloak adapter is used in the Spring Boot application's pom.xml, then the required properties support only one client and secret. How can we add multiple clients to the Spring Boot app at runtime?

I have used the following adapter in pom.xml:

<dependency>
    <groupId>org.keycloak.bom</groupId>
    <artifactId>keycloak-adapter-bom</artifactId>
    <version>5.0.0</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

The following is configured in application.properties:

keycloak.auth-server-url=http://localhost:9080/auth
keycloak.realm=test
keycloak.ssl-required=external
keycloak.resource=rest-api
keycloak.credentials.secret=62s4376d-9b45-4aa3-abcb-1abdefc4fab88
keycloak.use-resource-role-mappings = true
keycloak.security-constraints[0].authRoles[0]=rest-api
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/api/*

The above properties support only one client configuration and only allow tokens generated by the client rest-api, which is added in application.properties.

I want to create clients in Keycloak dynamically and want the Spring Boot application to allow tokens generated by all the clients.

Dynamic client registration is available for the Spring Boot OAuth2 configuration, but I could not find any example with multiple Keycloak clients configured in a Spring Boot application.

It will be helpful if anybody has solved a similar requirement and would like to share a configuration or example.

SudoCoder asked Jul 28 '19 07:07


2 Answers

Maybe you should take a different approach.

OAuth2 terminology reminder:

  1. resource owner
  2. resource server
  3. authorization server
  4. client

Usually, an API represents a resource server. If you take a look at the Keycloak Spring adapter, one of the configuration parameters is keycloak.resource, which is actually the name of the client in Keycloak terms.

So, what follows is that you will have a client per micro-service, as they are protecting/serving different resources.

(For those clients, you usually need to set up roles, for example, ADMIN, REGULAR USER, SUPER USER)

To achieve that, what you have to do is set up the right roles for each user in your realm.

When the token comes to the API (no matter how it was generated, or by which client), the API will (apart from checking validity) decode the JWT and look at the resources property to see what roles you have for the particular resource assigned to the API (micro-service) serving the request.

To conclude:

You can do whatever you want with your FE clients... but in the end, what matters is which roles the bearer token that came with the request carries for the particular API's client/resource of interest.

One of the solutions:

Single API - single set of resources. FE clients: React SPA, Android, iOS.

You can use just one single client (configured in a proper way with all URLs and so on) in your realm to have this working.

But if for some reason you need more clients for your FE apps, you add them; in that case, you can keep using the roles of the main client/resource that already exist, or you can set roles on each new client and take advantage of composite roles.

E.g. android-app-client, ROLE: super-user-role...

Make this role composite and say that everyone who has this role also needs admin-user-role for the API client.

Drasko Vrucinic answered Sep 26 '22 07:09


After working hard on it, I found it's quite simple. You just need to implement your own KeycloakSpringBootConfigResolver, using different configs to resolve different deployments. Then Bean it. The Keycloak adapter will use your bean to resolve a deployment for different requests.

Liu Collapsar answered Sep 23 '22 07:09
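As an added example (not code from either answer), here is one way to write the per-request resolver the second answer describes, assuming the realm and server URL from the question, Java 9+, and a hypothetical map of client ids to secrets. The resolver reads the token's azp claim only to pick which client deployment applies; signature, issuer and expiry are still verified by the adapter against that deployment, and an unknown azp falls back to the primary client (rest-api), which rejects tokens that do not belong to it.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class MultiClientKeycloakConfig {
    // Hypothetical client ids and secrets; load real ones from a vault or config server.
    private static final Map<String, String> CLIENT_SECRETS = Map.of(
            "rest-api", "REPLACE_WITH_REST_API_SECRET",
            "android-app", "REPLACE_WITH_ANDROID_APP_SECRET");
    // One deployment per client, built lazily and reused (it caches the realm keys).
    private final Map<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return request -> {
            String azp = clientIdFromBearer(request.getHeader("Authorization"));
            // Unknown/missing azp -> primary client; the adapter still verifies the token.
            String resource = azp != null && CLIENT_SECRETS.containsKey(azp) ? azp : "rest-api";
            return deployments.computeIfAbsent(resource, this::buildDeployment);
        };
    }

    private KeycloakDeployment buildDeployment(String resource) {
        AdapterConfig cfg = new AdapterConfig();   // same keys as in application.properties
        cfg.setAuthServerUrl("http://localhost:9080/auth");
        cfg.setRealm("test");
        cfg.setSslRequired("external");
        cfg.setResource(resource);
        cfg.setCredentials(Collections.singletonMap("secret", CLIENT_SECRETS.get(resource)));
        cfg.setUseResourceRoleMappings(true);
        return KeycloakDeploymentBuilder.build(cfg);
    }

    // Reads the 'azp' (authorized party) claim WITHOUT verifying the signature; the
    // deployment chosen from it performs the real verification afterwards.
    static String clientIdFromBearer(String header) {
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        try {
            return new JWSInput(header.substring(7).trim()).readJsonContent(AccessToken.class).getIssuedFor();
        } catch (JWSInputException e) {
            return null;   // malformed token: fall back to the primary client, which will reject it
        }
    }
}
```

Keeping the bean in its own @Configuration class rather than inside the KeycloakWebSecurityConfigurerAdapter avoids the circular bean reference the Spring Security adapter can run into; role checks such as the security-constraints in the question then apply per resolved client.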