In the last Keycloak article we integrated Keycloak with Spring Security using a
keycloak.json configuration file. That file carries quite a few properties, and we should go through them together before going any deeper into the process.
Common properties of Keycloak adapters
realm: the realm name. Mandatory.

resource: the client ID, a unique identifier for each client registered on the Keycloak server. Mandatory.

realm-public-key: the realm public key in PEM format. Putting it in the client configuration is not recommended; if it is omitted, the adapter fetches the key from the Keycloak server automatically and re-fetches it when needed, so key rotation on the server is picked up without a redeploy.

auth-server-url: the base URL of the Keycloak server, usually of the form https://host:port/auth. Mandatory.

ssl-required: which requests must use HTTPS. Optional, with three values:
external, the default, requires HTTPS for external requests (requests from non-private IP addresses).
all, as the name implies, requires HTTPS for every request.
none disables the HTTPS requirement. Use this only in a development environment; tokens and client secrets sent over plain HTTP can be read on the wire.

confidential-port: the TLS port the adapter uses for the Keycloak server when it has to redirect to a secure connection. Optional, default 8443.

use-resource-role-mappings: if set to true, the adapter looks for the user's roles in the token's client (resource) role mappings and checks those against the resource; otherwise it uses the user's realm roles. Default false.

public-client: if set to true, no client password is configured; otherwise you need to configure keycloak.credentials.secret (the credentials.secret entry in keycloak.json). To generate the secret, change the access type of the corresponding client to confidential in the Keycloak admin console, then copy the value shown in the installation tab. The value is false whenever the access type is not public, and the default is false.
enable-cors: enables cross-origin (CORS) support. Optional, default false. If set to true it activates the configuration items starting with cors- (cors-max-age, cors-allowed-methods, cors-allowed-headers, cors-exposed-headers), which are the usual CORS settings and are not described further here.
bearer-only: for services this should be set to true. If enabled, the adapter will not attempt to authenticate the user (it never redirects to the login page) but only validates the bearer token; a request for a protected resource without a Bearer token gets a 401. Optional, default false.

autodetect-bearer-only: if your application is not only a web application but also exposes an API (nowadays usually a REST service), enabling this makes the adapter relatively "smart": based on request headers (X-Requested-With, SOAPAction, Accept) it decides whether to redirect an unauthenticated user to the login page or to return a 401 status. This is a bit smarter than bearer-only, which always answers 401. Default false.
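As an added example (not from the original article), this is a keycloak.json for a pure REST service using the bearer-only setting described above. The realm, resource and server URL are assumed values; with bearer-only the adapter only verifies incoming tokens, so no client secret is needed, and the realm public key is fetched from the server rather than pinned in the file.

```json
{
  "realm": "demo",
  "resource": "orders-api",
  "auth-server-url": "https://keycloak.example.com/auth",
  "ssl-required": "external",
  "bearer-only": true,
  "use-resource-role-mappings": true
}
```

With this file a request that lacks an Authorization: Bearer header is answered with 401 instead of a redirect, and role checks are made against the roles the token carries for the orders-api client rather than the realm roles.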
enable-basic-auth: enables HTTP Basic authentication for the adapter; if enabled, you must provide the client secret. Default false. Because Basic credentials travel with every request, this only makes sense with ssl-required set so that those requests are over HTTPS.
expose-token: if set to true, an authenticated browser client (via a JavaScript HTTP call) can obtain the signed access token from the URL root_url/k_query_bearer_token. Default false. I spent half a day trying to use it without success.
credentials: when the client access type is confidential, you need to configure the client credentials here; currently the secret and jwt (client authentication with a signed JWT) types are supported. See the public-client entry above for how to generate the secret.
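As an added example (not from the original article), this is a keycloak.json for a confidential web application that also serves REST calls, combining the public-client, credentials, autodetect-bearer-only and cors- settings above. The realm, resource, server URL and secret placeholder are assumed values; the real secret is the one shown in the client's installation tab and should be injected from a vault or environment rather than committed with the application.

```json
{
  "realm": "demo",
  "resource": "web-portal",
  "auth-server-url": "https://keycloak.example.com/auth",
  "ssl-required": "external",
  "confidential-port": 8443,
  "public-client": false,
  "credentials": {
    "secret": "replace-with-the-secret-from-the-installation-tab"
  },
  "use-resource-role-mappings": true,
  "autodetect-bearer-only": true,
  "enable-cors": true,
  "cors-allowed-methods": "GET,POST",
  "cors-allowed-headers": "Authorization,Content-Type"
}
```

Compared with the bearer-only service configuration, the difference is that browser users without a session are redirected to the Keycloak login page while REST clients identified by their headers still get a 401, and the adapter presents the client secret to Keycloak when it exchanges the authorization code for tokens.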
The above covers most of the properties we commonly use; the remaining properties and the Keycloak server-side customizations are not introduced for now. The rest of the configuration items are listed in the Keycloak Java Adapter configuration reference. In the next article I will analyse the Keycloak Spring Security authentication and authorization flow.