{"id":15661935,"url":"https://github.com/lbroudoux/spring-boot-keycloak-authz","last_synced_at":"2025-06-11T07:35:56.770Z","repository":{"id":145929883,"uuid":"126297260","full_name":"lbroudoux/spring-boot-keycloak-authz","owner":"lbroudoux","description":"Sample Spring Boot app using Keycloak Authorization services","archived":false,"fork":false,"pushed_at":"2018-12-04T11:29:08.000Z","size":40,"stargazers_count":20,"open_issues_count":1,"forks_count":6,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-05-05T22:52:17.842Z","etag":null,"topics":["angularjs","authz-services","keycloak","spring-boot"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lbroudoux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-22T07:35:59.000Z","updated_at":"2025-03-27T15:00:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"a92c0305-bd42-43a7-93bb-6690017a2e66","html_url":"https://github.com/lbroudoux/spring-boot-keycloak-authz","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbroudoux%2Fspring-boot-keycloak-authz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbroudoux%2Fspring-boot-keycloak-authz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbroudoux%2Fspring-boot-keycloak-authz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lbroudoux%
2Fspring-boot-keycloak-authz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lbroudoux","download_url":"https://codeload.github.com/lbroudoux/spring-boot-keycloak-authz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252590529,"owners_count":21772935,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["angularjs","authz-services","keycloak","spring-boot"],"created_at":"2024-10-03T13:29:35.923Z","updated_at":"2025-05-05T22:52:27.761Z","avatar_url":"https://github.com/lbroudoux.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# spring-boot-keycloak-authz\n\nSample AngularJS / Spring Boot app using Keycloak Authorization services.\n\n\nA few months ago, I played with [Authorization services in Keycloak](https://www.keycloak.org/docs/3.4/authorization_services/index.html)\n(I was using 4.0.0.Final) and I’d like to share some feedback and thoughts about using it in my Spring Boot application.\nDisclaimer: I’m not a security guru and may have misunderstood some concepts.\n\nThe goal of this repository is to shed light on some parts that seem a little weird to me. 
And eventually work toward a better\napproach.\n\nBasically, my need was the following: to associate a role with particular resource instances (and not resource types).\nFor example, in my app I wanted to declare a user as being able to manage the services « ABC » and « DEF » but not « XYZ ».\nSome actions on these resource instances (update / delete) are denied to other users and roles.\n\nIn practice, this implies:\n - Being able to have the information (resource instances manageable by user) on the client side in order to adapt the GUI \n    (adding some buttons, displaying some admin info, …)\n - Being able to get this information on the server side to filter REST APIs\n - Having complete APIs that allow:\n\t- Getting the list of candidate users,\n\t- Associating resource instances with users,\n\t- Getting the resource instances manageable by any user (when being a super-admin)\n\nAt first, I thought it was a good fit for [Keycloak Authorization services](https://www.keycloak.org/docs/3.4/authorization_services/index.html)\nand that it would solve all my problems. The application within this repository highlights that:\n - Not all issues/requirements are solved by AuthZ services alone, but by a mix of different Keycloak APIs,\n - UMA and AuthZ Services may not be the best fit, as the problem they solve is much more about protecting private \n    resources, and they do not easily allow management of shared ones.\n\n## Setup\n\n### Clone repository\n\nStart by cloning this repository to get a fresh local copy:\n\n```\n$ git clone https://github.com/lbroudoux/spring-boot-keycloak-authz.git\n```\n\n### Keycloak\n\nDownload a Keycloak distribution (I have used the `4.0.0-Final` release) and start the server locally.\nYou'll just have to go to the `${KEYCLOAK_HOME}/bin` directory and execute the following command. \n\n```\n$ ./standalone.sh -Djboss.socket.binding.port-offset=100\n```\n\nThat way, you should have a running instance at `http://localhost:8180`. 
This is the default URL \nused by the application and cannot be changed easily yet.\n\nUse that URL in your browser to access the administration console of Keycloak.\nIt is located at `http://localhost:8180/auth`. Connect using the Keycloak default administration user\n`admin/123` if it's the first time you log in. Keycloak requires changing this password at first login.\n\n#### Configure application realms and authorizations\n\nCreate a new Keycloak realm by importing the `/src/main/resources/sbauthz-realm-config.json` file.\nThis should create a realm called simply `sbauthz`.\n\n### Spring Boot application\n\nBefore launching everything, you need to retrieve some frontend components. For that, we'll use `bower`.\nSo just execute `bower install` within your clone directory.\n\nNow just launch the `mvn spring-boot:run` command:\n\n```\n .   ____          _            __ _ _\n /\\\\ / ___'_ __ _ _(_)_ __  __ _ \\ \\ \\ \\\n( ( )\\___ | '_ | '_| | '_ \\/ _` | \\ \\ \\ \\\n \\\\/  ___)| |_)| | | | | || (_| |  ) ) ) )\n  '  |____| .__|_| |_|_| |_\\__, | / / / /\n =========|_|==============|___/=/_/_/_/\n :: Spring Boot ::       (v1.5.10.RELEASE)\n\n[INFO] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - Starting SpringBootKeycloakAuthzApplication on lbroudoux-OSX with PID 5607 (/Users/lbroudou/Development/github/spring-boot-keycloak-authz/target/classes started by lbroudou in /Users/lbroudou/Development/github/spring-boot-keycloak-authz)\n[DEBUG] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - Running with Spring Boot v1.5.10.RELEASE, Spring v4.3.14.RELEASE\n[INFO] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - No active profile set, falling back to default profiles: default\n[DEBUG] org.jboss.logging - Logging Provider: org.jboss.logging.Slf4jLoggerProvider found via system property\n[DEBUG] org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve - Using 
org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver to resolve Keycloak configuration on a per-request basis.\n[INFO] com.github.lbroudoux.springbootkeycloakauthz.SpringBootKeycloakAuthzApplication - Started SpringBootKeycloakAuthzApplication in 1.783 seconds (JVM running for 4.451)\n\n```\n\nThe application has started once you see those lines. The application is deployed on `http://localhost:8080`.\n\n\n## Playing around\n\nThe default configuration comes with 3 users:\n* admin (`admin/\u003cnew_password\u003e`) is an administrator and is able to administer the realm\n* jdoe (`jdoe/jdoe`) is a simple user\n* alice (`alice/alice`) is a user and manager of resources\n   \nAll users have the extra role `uma_authorization` so that they can respond to the UMA challenge.\n\n### Endpoints\n\nThe main page for tests is `http://localhost:8080/#/authz`. It is reachable via the `User Mgt` menu entry that\nis only visible to the `admin` role.\n\n* `Get Users` retrieves all users from the realm,\n\n\u003e Once users have been loaded, you should have access to extra links in order to get user roles, attach a resource to \nusers or get resources managed/owned by a user. See below for more on resources.\n\n* `Create Resource` illustrates the declaration of a Resource on the Keycloak side,\n\n\u003e This should be done at the same time you create resources in your application database.\n\n* `Clean Resource` illustrates how to destroy a Resource on the Keycloak side,\n* `Check Identity` illustrates the invocation of a protected Resource with resolution of the UMA challenge on the client side,\n* `Attach Resource` next to a user illustrates the attachment of the previously created Resource to a user on the server side,\n\n\u003e This should be done when you're assigning the `manager` role to a Resource within your application. 
The target user is declared as\n`owner` on the Keycloak side.\n\n* `Get Owned Resources` next to a user illustrates how to retrieve Resources owned by the user on the server side,","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flbroudoux%2Fspring-boot-keycloak-authz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flbroudoux%2Fspring-boot-keycloak-authz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flbroudoux%2Fspring-boot-keycloak-authz/lists"}