custom oidc in keycloak

Question

I have a spring based application which does authentication and authorization(oauth2 based) for a client app.I want to now use keycloak to manage my authorizations, but i want to keep my spring code. Basically i want to use my existing auth code as an external identity provider in keycloak.

I am thinking of adding changes in client app such that it receives token from my existing oauth code(which does the authentication) and then exchange this token with keycloak(for session and authorization management). How can i do this? What configurations need to be done in keycloak?

I read about token exchange in keycloak here, but i am not clear about the kind of token i need to send from my existing auth code. https://www.keycloak.org/docs/latest/securing_apps/

Answer 1

Here is how OAuth2 roles are usually spread:

• Keycloak is authorization-server
• Spring service is resource-server
• front-end is client
• user is resource-owner

I have a doubt of you wanting your Spring service to be "authorization-server" as well (serve user identity). If so, I think you should not.

Keycloak (or any other OpenID provider) should be the only authorization-server. Both Spring and client(s) should be configured to use it as so.

To write it differently, Keycloak is responsible for users login and emitting tokens with user ID (subject) and rights (roles or whatever). Other tiers in the architecture (clients & resource servers) get user info from the token and apply relevant security checks (spring security annotations, Angular guards, etc.).

I published a mono-repo for a meetup with minimal sample involving a Spring resource-server and Angular (with Ionic) client talking to a Keycloak OpenID authorization-server. You might find some inspiration browsing it.