Re: [keycloak-user] Secure RESTfull API with keycloak

Hi, We are evaluating keycloak as an IAM for a future application. We are building a prototype with an Angular front app and a spring boot 2 backend. The bankend app exposes a RESTfull API whose access we want to restrict down to the HTTP verb level. At least we want to achive two access levels on each endpoint: readonly access (HTTP GET) and full access (GET, POST, PUT, DELETE). We have configured keycloak and built the application but the backend doesn´t seem to restrict the access. Here it is the application.yml. We are trying to setup a ROLE_CLIENT_RO (for readonly) and ROLE_CLIENT_FA (for full access). keycloak: auth-server-url: http://localhost:8010/auth bearer-only: true public-client: true realm: blue-energy resource: client-service securityConstraints: - authRoles: - ROLE_CLIENT_RO securityCollections: - name: protected resource patterns: - /clients - /clients/ methods: - GET ssl-required: external The backend app seem to honor the ROLE_CLIENT_RO role but not the HTTP verb. If we assign the realm role ROLE_CLIENT_RO to the user that should grant just readonly access he has unrestricted access to the whole enpoint (i.e. all the verbs). We are using keycloak 4.0.0.Final. Is this configuration supposed to work? We haven´t found much references on how to setup and scenario like this? Thanks in advance, *Álvaro Martín García*[image: bluetab.net] <http://www.bluetab.net/> alvaro.martin(a)bluetab.net +34 91 457 16 97 +34 687 398 622