[keycloak-user] Multiple access types for a single Spring Boot application

Jonathan D'Andries jonathandandries at gmail.com
Wed Apr 26 12:13:23 EDT 2017


Here is what I want to do:

I have built REST services in Spring Boot. For the services themselves, I
want to use "bearer-only" access type so that applications are NOT
redirected to a login page if unauthenticated.

However, I want the generated swagger documentation to use the
"confidential" access type so that swagger-ui.html redirects the
user/browser to a login page and captures the token that will then be passed
to the services when testing things out.

It seems like the best way to accomplish this is with two clients similar
to the demo here:

http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html

My concern is that having two client configurations in my spring boot
application.yml doesn't seem possible - am I missing something? I am aware
of the multi-tenant options for Keycloak, but I don't actually want two
different realms:

https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/multi-tenancy.html

For whatever configuration I come up with, I want the user's token to apply
to both the swagger-ui and the services, but with two different access
types.

Here are some things I've learned so far:

I'm aware that swagger-ui offers an option to authenticate its services
with a token. There are two limitations of this approach:
 1. With springfox generated swagger, it doesn't seem to work. I'd have to
put a lot of effort to fix this, and I'd rather not because
 2. You would still need to get a token from somewhere, and that means
pointing users to another login page that isn't automatically prompted when
you go to swagger-ui. It just seems like a more annoying user experience to
have to take extra steps to generate a token and then paste that into
swagger-ui.

I'm also aware that my spring boot configuration can be more restrictive
than the keycloak client configuration. In other words, I can restrict to
bearer-only in my service even if the client is configured for confidential
access type. If there is a way for different values for
keycloak.bearer-only based on URL pattern in the
keycloak-spring-boot-adapter, this could be a real option.


Thanks for any help/advice you may have.

Jonathan
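Editor's note: the per-request resolver pattern that the linked multi-tenancy page describes is not tied to having two realms; the same hook can hand out two deployments for two clients in one realm, selected by URL path. The following is an added illustration of that, not code from the post, from Keycloak or from the blog demo linked above. It assumes the Keycloak Spring Boot adapter of roughly the 3.x era, where `KeycloakConfigResolver.resolve` takes an `HttpFacade.Request` (later versions changed the parameter type), and that the application wires the resolver bean in as the adapter's deployment source (with the Spring Security adapter it is picked up as a bean). The realm name, client ids, server URL, secret and the path prefixes are placeholders.

```java
// Added example, not from the original post or from Keycloak's own code.
// Two clients in ONE realm: "swagger-ui" (confidential, login redirect) for the
// documentation UI, and "rest-services" (bearer-only, plain 401 on missing or
// bad token) for the REST endpoints. Which one applies is decided per request
// from the relative path.
// Assumptions: Keycloak Spring Boot adapter ~3.x (HttpFacade.Request parameter);
// realm, client ids, server URL, secret and path prefixes are placeholders.
package example.security;

import java.util.HashMap;
import java.util.Map;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class DualClientKeycloakConfig {

    private static final String AUTH_SERVER = "https://sso.example.invalid/auth"; // placeholder
    private static final String REALM = "demo";                                   // placeholder

    // Built once at startup; a KeycloakDeployment can be reused across requests.
    private final KeycloakDeployment swaggerDeployment =
            build("swagger-ui", false, "REPLACE_WITH_CLIENT_SECRET"); // confidential client
    private final KeycloakDeployment apiDeployment =
            build("rest-services", true, null);                        // bearer-only client

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakConfigResolver() {
            @Override
            public KeycloakDeployment resolve(HttpFacade.Request request) {
                String path = request.getRelativePath();
                // Only the documentation UI and the static assets it loads get the
                // confidential client (browser is redirected to the login page).
                // Everything else is bearer-only: an unauthenticated call answers
                // 401 and is never redirected.
                if (path.startsWith("/swagger-ui.html") || path.startsWith("/webjars/")) {
                    return swaggerDeployment;
                }
                return apiDeployment;
            }
        };
    }

    // Builds an adapter deployment programmatically instead of from keycloak.json
    // or application.yml, which is what allows two clients in one application.
    private static KeycloakDeployment build(String clientId, boolean bearerOnly, String secret) {
        AdapterConfig cfg = new AdapterConfig();
        cfg.setAuthServerUrl(AUTH_SERVER);
        cfg.setRealm(REALM);
        cfg.setResource(clientId);
        cfg.setBearerOnly(bearerOnly);
        if (secret != null) {
            Map<String, Object> credentials = new HashMap<>();
            credentials.put("secret", secret); // confidential clients need the secret
            cfg.setCredentials(credentials);
        }
        return KeycloakDeploymentBuilder.build(cfg);
    }
}
```

Keeping the path prefix list for the confidential client as short as possible matters: every prefix added there is a path on which an unauthenticated request turns into a login redirect rather than a 401, so the API routes should stay on the bearer-only deployment and the check should be reviewed whenever the documentation UI's asset paths change.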

