I've set up Keycloak and a public/front-end Spring Boot app successfully. Everything is working as expected. The front-end Spring Boot App is configured in Keycloak as a client (app-ui) in the realm, users are able to log in through Keycloak, tokens pass successfully, everything's great. Spring Security is securing endpoints and roles are being respected for endpoints.
Now, I'm trying to add a downstream Spring Boot App (Web Service) in the mix and I want it to be aware of the logged in user to be able to secure calls to it. The front-end Spring Boot App is using Feign Client to call the REST endpoints on the back-end Spring Boot App, but the back-end is not doing any authentication/authorization.
I have a couple of questions I'm having trouble figuring out:
I'd love to see a demo or tutorial that takes the ones I've seen about how to integrate Keycloak and Spring Boot one step further to also secure any other downstream services. If I can figure this out, I'll post one.
I'm assuming this can be done with standard OAuth2 configuration on the back-end Spring Boot App, but I wasn't sure how it's recommended to achieve this architecture.
Here's the architecture I'm trying to set up:
How do I set up the front-end Spring Boot App to pass the authenticated user details to the back-end Spring Boot App (RequestInterceptor / RestTemplate / Feign config / HTTP headers)?
You need to pass the bearer token in your HTTP request header.
How do I configure the back-end Spring Boot App to use the authenticated user details it receives from the upstream Spring Boot App and what dependencies do I need to add to the back-end Spring Boot App to facilitate that (org.keycloak:keycloak-spring-boot-starter and org.springframework.boot:spring-boot-starter-security)?
You need to add a new client in the realm, for example "back-end-client", and set its "Access Type" to 'bearer only'. You will need the 'keycloak-spring-boot-starter' and 'spring-boot-starter-security' dependencies; also add the 'keycloak-adapter-bom' to your build. In your application.properties you should have the properties mentioned below:
keycloak.realm =
keycloak.auth-server-url = your keycloak url
keycloak.ssl-required = external
keycloak.bearer-only = true
keycloak.resource = your client name
keycloak.credentials.secret = your secret key
keycloak.security-constraints[0].authRoles[0] = user
keycloak.security-constraints[0].securityCollections[0].patterns[0] = /*
keycloak.cors = true
Is there anything I need to configure in Keycloak for the back-end Spring Boot App? Should it be registered in Keycloak as a confidential/non-public client (e.g. app-api)?
You need to create a new client and it should be registered as "bearer only".
You can refer to this link: https://www.keycloak.org/docs/latest/securing_apps/#_spring_boot_adapter
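For the first question (forwarding the logged-in user's token from the Feign client), here is an added example that is not part of the question or the answer above. It assumes the front-end app (app-ui) uses keycloak-spring-boot-starter together with Spring Cloud OpenFeign; the package name is hypothetical. It registers a Feign RequestInterceptor that copies the access token of the current Keycloak-authenticated user into the Authorization header, so the bearer-only back-end client can validate it against the realm.

```java
package com.example.frontend.config; // hypothetical package name

import feign.RequestInterceptor;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
public class FeignBearerTokenConfig {

    private static final String AUTHORIZATION = "Authorization";

    // Applied to every Feign client in the application context.
    @Bean
    public RequestInterceptor keycloakBearerTokenInterceptor() {
        return template -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (!(auth instanceof KeycloakAuthenticationToken)) {
                // No Keycloak-authenticated user on this thread (anonymous request,
                // scheduled job, etc.): send no credentials and let the back-end
                // answer 401 rather than inventing or caching a token here.
                return;
            }
            KeycloakSecurityContext ctx = ((KeycloakAuthenticationToken) auth)
                    .getAccount().getKeycloakSecurityContext();
            String accessToken = ctx.getTokenString();
            if (accessToken == null || accessToken.isEmpty()) {
                return;
            }
            // Do not stack a second Authorization header if the caller already set one.
            if (template.headers().containsKey(AUTHORIZATION)) {
                return;
            }
            template.header(AUTHORIZATION, "Bearer " + accessToken);
        };
    }
}
```

The token is read from the SecurityContextHolder thread-local, so Feign calls made from another thread (@Async, a circuit-breaker thread pool) will go out unauthenticated unless the security context is propagated to that thread. The back-end (bearer-only client with the properties above) verifies the token's signature and expiry against the realm keys and applies the configured role constraints; it never needs the user's credentials, only the forwarded access token.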