Jason Tian

Reputation: 61

How to secure both web browser requests and RESTful requests in Spring Security with Keycloak

I'm using Spring Boot Security with Keycloak to secure my app. But I have both normal web browser requests (using Thymeleaf templates) and REST API requests (no browser, and the method in the Controller is annotated with @ResponseBody and returns JSON).

From the web guide, I found that Keycloak uses different client types for browser requests (e.g. public client) and for no-UI requests (bearer-only), and the session strategy in SecurityConfig.java is different: new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()) versus new NullAuthenticatedSessionStrategy().

So my question is: how could I configure Spring Security and Keycloak to support both browser requests and REST API requests in one app?

Thanks!

Upvotes: 3

Views: 1184

Answers (1)

Aritz

Reputation: 31679

Having a bearer-only client makes sense only when you've got another client to authenticate with. In short, these are the three client types in Keycloak:

  • Public: Permits authentication, without a client secret.
  • Confidential: Permits authentication, with a client secret.
  • Bearer only: You need to have an access token to access its resources.

Having said that, I don't see the point in making the same application both public and bearer-only. As a rule, you make one client per application. So you've got two choices:

  • Make your application public or confidential. That will accept browser and non-browser requests. Recommended.
  • Divide your application in two and make one that merely serves the UI (public or confidential) and another one that serves the REST API (this will be bearer-only). Still, remember you'll need to log in using the UI client to authenticate yourself. Only advisable if your application API is large enough to be split from the UI.

Upvotes: 2
