
Thymeleaf + Gateway + Keycloak: best configuration


My project is:

  • backend: 2 microservices behind a Spring cloud gateway,
  • frontend: a Spring boot app with Thymeleaf.

[architecture diagram]

I want to secure frontend and backend access with Keycloak:

  • a user logs in frontend
  • keycloak returns a token
  • the frontend saves the token
  • the frontend sends a request to the gateway with the token in a bearer authorization header
  • the gateway checks the token with keycloak
  • if ok, the request is sent to a microservice.

I have tried multiple configurations for securing the frontend (Spring security, keycloak adapter) and the backend (oauth2-client, Spring security, authorization_code, password) with multiple keycloak clients configuration (public, confidential, bearer-only) and none of them succeeded entirely.

Either the frontend and the microservices are secured and not the gateway, or the gateway and the microservices are secured and not the frontend.

I have found a lot of tutorials but nothing like the architecture I want.

How would you configure the frontend, the gateway and keycloak?


Solution

Finally, I found the right configuration for my case:

  • microservices as oauth-resource-server,
  • Gateway as oauth-resource-server too,
  • Keycloak client with a public access-type,
  • Frontend application: two options:
    • Spring security alone and Keycloak endpoints for login and logout,
    • Or Spring security with Keycloak adapter.

The frontend only needs username and password. Keycloak returns a token. The gateway needs a valid token. The token is passed to microservices.

It’s one solution among others…
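As an added example that is not part of the answer above (nor the asker's project), here is what the "Gateway as oauth-resource-server" half of that configuration looks like in a Spring Cloud Gateway (WebFlux) application; the issuer URI, realm name, route id, service host and health path are assumed placeholders.

```java
// Added example: Spring Cloud Gateway acting as an OAuth2 resource server that validates
// Keycloak-issued JWTs before routing. Assumed application.yml (all values are placeholders):
//
//   spring:
//     security:
//       oauth2:
//         resourceserver:
//           jwt:
//             issuer-uri: http://keycloak.example.internal:8080/realms/my-realm
//     cloud:
//       gateway:
//         routes:
//           - id: orders-service
//             uri: http://orders-service:8081
//             predicates:
//               - Path=/api/orders/**
//
// With issuer-uri set, Spring Security reads <issuer-uri>/.well-known/openid-configuration,
// fetches Keycloak's JWKS and checks signature, issuer and expiry of the bearer token on every
// request. The Authorization header is forwarded unchanged to the routed microservice, which,
// being a resource server itself, validates the same token again.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    @Bean
    SecurityWebFilterChain gatewayFilterChain(ServerHttpSecurity http) {
        return http
            // The gateway is stateless: no session cookie, so CSRF protection adds nothing here
            // and the bearer token is the only credential accepted.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .authorizeExchange(ex -> ex
                // Assumed unauthenticated health endpoint; everything else needs a valid token.
                .pathMatchers("/actuator/health").permitAll()
                .anyExchange().authenticated())
            // Enable bearer-token (JWT) validation against the configured Keycloak issuer.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .build();
    }
}
```

A request without a token, or with an expired or wrongly signed one, is rejected by the gateway with 401 before it reaches any microservice; the same resource-server setup (blocking Spring MVC variant) goes into each microservice so a caller that bypasses the gateway is rejected too.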