[keycloak-user] Secure RESTful API with keycloak

Alvaro Martin alvaro.martin at bluetab.net
Wed Jun 20 09:22:33 EDT 2018


Hi,

We are evaluating keycloak as an IAM for a future application. We are
building a prototype with an Angular front app and a spring boot 2 backend.
The backend app exposes a RESTful API whose access we want to restrict
down to the HTTP verb level. At least we want to achieve two access levels
on each endpoint: readonly access (HTTP GET) and full access (GET, POST,
PUT, DELETE).

We have configured keycloak and built the application but the backend
doesn't seem to restrict the access. Here is the application.yml. We are
trying to set up a ROLE_CLIENT_RO (for readonly) and ROLE_CLIENT_FA (for
full access).

keycloak:
    auth-server-url: http://localhost:8010/auth
    bearer-only: true
    public-client: true
    realm: blue-energy
    resource: client-service
    securityConstraints:
    -   authRoles:
        - ROLE_CLIENT_RO
        securityCollections:
        -   name: protected resource
            patterns:
            - /clients
            - /clients/
            methods:
            - GET
    ssl-required: external

The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP
verb. If we assign the realm role ROLE_CLIENT_RO, which should grant just
readonly access, to the user, he has unrestricted access to the whole
endpoint (i.e. all the verbs).

We are using keycloak 4.0.0.Final.

Is this configuration supposed to work? We haven't found many references on
how to set up a scenario like this.

Thanks in advance,


*Álvaro Martín García* <http://www.bluetab.net/>
alvaro.martin at bluetab.net

+34 91 457 16 97

+34 687 398 622
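As an added example (not part of the original post), here is an application.yml that gives every verb on the endpoint an explicit constraint, so that no HTTP method is left without one; it assumes the Keycloak Spring Boot adapter property names as documented (securityConstraints/authRoles/securityCollections/patterns/methods), the same realm, client and roles as above, and that sub-resources live under /clients/* (servlet URL-pattern syntax, where the original /clients/ matches only that exact path).

```yaml
# Added example: two constraints, one per access level, covering all verbs.
keycloak:
    auth-server-url: http://localhost:8010/auth
    bearer-only: true
    realm: blue-energy
    resource: client-service
    ssl-required: external
    securityConstraints:
    # Read-only level: GET is open to both roles, since a full-access
    # user must still be able to read.
    -   authRoles:
        - ROLE_CLIENT_RO
        - ROLE_CLIENT_FA
        securityCollections:
        -   name: clients read
            patterns:
            - /clients
            - /clients/*      # assumption: sub-resources such as /clients/{id}
            methods:
            - GET
    # Full-access level: every writing verb is listed explicitly so that
    # none of them falls outside a constraint (and is therefore permitted).
    -   authRoles:
        - ROLE_CLIENT_FA
        securityCollections:
        -   name: clients write
            patterns:
            - /clients
            - /clients/*
            methods:
            - POST
            - PUT
            - PATCH
            - DELETE
```

Under servlet security-constraint semantics a request that matches no constraint is allowed, which is why a single GET-only constraint restricts GET but leaves POST, PUT and DELETE open; a quick check is to send each verb with a token carrying only ROLE_CLIENT_RO and expect 403 on the writing verbs.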

