Thymeleaf + Gateway + Keycloak: best configuration

Question

My project is:

• backend: 2 microservices behind a Spring cloud gateway,
• frontend: a Spring boot app with Thymeleaf.

I want to secure frontend and backend access with Keycloak:

• a user logs in frontend
• keycloak returns a token
• the frontend saves the token
• the frontend sends a request to the gateway with the token in a bearer authorization header
• the gateway checks the token with keycloak
• if ok, the request is sent to a microservice.

I have tried multiple configurations for securing the frontend (Spring security, keycloak adapter) and the backend (oauth2-client, Spring security, authorization_code, password) with multiple keycloak clients configuration (public, confidential, bearer-only) and none of them succeeded entirely.

Either the frontend and the microservices are secured and not the gateway, either the gateway and the microservices are secured and not the frontend.

I have found a lot of tutorials but nothing like the architecture I want.

How would you configure the frontend, the gateway and keycloak ?

Answer 1

Finally, I found the right configuration for my case:

• microservices as oauth-resource-server,
• Gateway as oauth-resource-server too,
• Keycloak client with a public access-type,
• Frontend application: two options:
  • Spring security alone and Keycloak endpoints for login and logout,
  • Or Spring security with Keycloak adapter.

The frontend only needs username and password. Keycloak returns a token. The gateway needs a valid token. The token is passed to microservices.

It’s one solution among others…