In the last Keycloak article, we successfully adapted Keycloak to Spring Security with a keycloak.json configuration. It contains quite a few properties that I feel we need to learn together as we go deeper into the process.

Common properties of Keycloak adapters


Domain name, this is a mandatory item.


The application’s client_id, a unique identifier for each client registered on the Keycloak server. This is a mandatory item.


The realm public key in PEM format, not recommended for client configuration. It will be automatically pulled every time the Keycloak Adapter is used.


The base address of the Keycloak server, usually in the format https://host:port/auth, which is a must.


Keycloak The scope of the server’s communication using HTTPS is optional and has three options.

  • external , the default value, indicates that all external requests must use HTTPS.
  • all , as the name implies, all use HTTPS.
  • none , disable HTTPS .


Keycloak The secure port of the server, default 8443.


If set to true , Keycloak Adapter will check if the user role carried by the token matches the resource; otherwise it will look up the user’s role in realm. Default false.


Set to true to not configure a password for the client, otherwise you need to configure keycloak.credentials.secret. The way to generate secret is to change the access type of the corresponding client setting option to confidential in the Keycloak console, and then check the corresponding configuration item in the installation. The value is false when the access type is not confidential.


Enables cross-domain (cors) support. Optional, default false. If set to true it activates the configuration items starting with cors-, which are common cross-domain configuration items without being verbose.


For services, this should be set to true. If enabled, the adapter will not attempt to authenticate the user, but will only validate the bearer token. If a user requests a resource without a Bearer Token it will 401 . This is optional. The default value is false.


If your application is not only a Web application but also provides an API Service (now usually a Restful Service), with this configuration enabled the Keycloak server will be relatively “smart” in directing unauthenticated users through the request header ** to the login page or return a 401 status. This is a bit smarter than bearer-only.


Enable Basic Authentication authentication for the adapter, if enabled you must provide secret. The default is false.


JavaScript CORS request via root path /k_query_bearer_token used to get token from server, seems to be something used by nodejs related backend application, I tossed it for half a day without success.


When the client access type is Confidential, you need to configure the client token, which currently supports secret and jwt types. Refer to the description in public-client.


The above lists most of our commonly used properties, the later properties and customizations Keycloak server related are not introduced for now. The rest of the Keycloak configuration items can be viewed at Keycloak Java Adapter Configuration Items. In the next article I will give an analysis of the Keycloak Spring Security authentication authorization process.