🔸 TL;DR
▪️ Keycloak is an open-source Identity and Access Management platform.
▪️ It helps centralize login, SSO, roles, users, clients, tokens, and identity federation.
▪️ For Java developers, it often means: “Stop coding authentication yourself. Integrate with standards.”
▪️ It supports common identity protocols such as OpenID Connect, OAuth 2.0, and SAML.
▪️ It sits on the tech radar as the serious self-hosted / open-source IAM option, between lightweight auth libraries and commercial SaaS platforms.

🔸 WHAT IS KEYCLOAK?
Keycloak is an Identity Provider.
Instead of every application managing users, passwords, login screens, roles, token generation, password reset, MFA, and SSO by itself…
Keycloak centralizes that responsibility.
Your Java application becomes a client or resource server.
Keycloak becomes the place where identity lives.
In simple terms:
▪️ Users authenticate with Keycloak
▪️ Keycloak issues tokens
▪️ Your Java app validates those tokens
▪️ Your app makes authorization decisions from roles, scopes, or claims
That is a much cleaner architecture than spreading authentication logic everywhere.
🔸 1️⃣ PROTECT A SPRING BOOT API WITH KEYCLOAK TOKENS
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain security(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()       // anonymous access
                .requestMatchers("/admin/**").hasRole("ADMIN")   // needs the ROLE_ADMIN authority
                .anyRequest().authenticated())                   // everything else needs a valid token
            // Accept bearer JWTs issued by the issuer configured in application.yml
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .build();
    }
}
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:8080/realms/java-realm
Explanation:
▪️ Your Spring Boot app does not manage passwords.
▪️ It trusts JWT tokens issued by Keycloak.
▪️ Spring Security validates the token signature, issuer, and expiration.
▪️ Your endpoints are protected with standard authorization rules.
This is the typical backend integration.
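The decoder Spring builds from issuer-uri checks signature, issuer and expiry, but not the audience, so a token minted for a different client in the same realm is still accepted. An added example (not from the original post) of a JwtDecoder bean that additionally requires the aud claim to contain the API's own client id; "java-api" is an assumed client id:

```java
import java.util.List;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Bean
JwtDecoder jwtDecoder(OAuth2ResourceServerProperties props) {
    // Same value as spring.security.oauth2.resourceserver.jwt.issuer-uri
    String issuer = props.getJwt().getIssuerUri();

    // Reads the realm's OIDC discovery document and fetches its JWKS (signing keys are cached)
    NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);

    // Default checks: exp/nbf with clock skew, and iss equal to the configured issuer
    OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);

    // Extra check: the token must be addressed to this API. "java-api" is an assumed
    // client id; in Keycloak a client id lands in "aud" through an audience mapper or scope.
    OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
        JwtClaimNames.AUD,
        aud -> aud != null && aud.contains("java-api"));

    decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
    return decoder;
}
```

On Spring Boot 3.1 and later the same audience check can be declared with the property spring.security.oauth2.resourceserver.jwt.audiences instead of a custom bean.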
🔸 2️⃣ MAP KEYCLOAK REALM ROLES TO SPRING SECURITY ROLES
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Bean
JwtAuthenticationConverter jwtAuthenticationConverter() {
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    converter.setJwtGrantedAuthoritiesConverter(jwt -> {
        // Keycloak puts realm roles in the "realm_access" claim: {"roles": ["ADMIN", ...]}
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null || realmAccess.get("roles") == null) {
            return List.of();
        }
        @SuppressWarnings("unchecked")
        Collection<String> roles = (Collection<String>) realmAccess.get("roles");
        // hasRole("ADMIN") looks for the authority "ROLE_ADMIN"
        return roles.stream()
            .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role))
            .toList();
    });
    return converter;
}
Explanation:
▪️ Keycloak can put user roles inside the JWT.
▪️ Spring Security expects authorities like ROLE_ADMIN.
▪️ This converter bridges the Keycloak token model with Spring Security authorization.
▪️ Now annotations like @PreAuthorize("hasRole('ADMIN')") become usable.
This is where identity becomes authorization.
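Keycloak also issues client roles under resource_access and OAuth scopes under scope, which the realm-only converter drops. An added example (not from the original post) of a replacement converter for the same SecurityConfig class that maps realm roles, the roles of one trusted client, and scopes; "java-api" is an assumed client id:

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Bean
JwtAuthenticationConverter jwtAuthenticationConverter() {
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    // "java-api" is an assumed client id: only that client's roles are mapped, not "account" etc.
    converter.setJwtGrantedAuthoritiesConverter(keycloakAuthorities("java-api"));
    return converter;
}

// ROLE_* from realm roles and from one client's roles, plus SCOPE_* from the "scope" claim
Converter<Jwt, Collection<GrantedAuthority>> keycloakAuthorities(String clientId) {
    JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter(); // SCOPE_ prefix
    return jwt -> {
        Set<GrantedAuthority> authorities = new HashSet<>(scopes.convert(jwt));
        // realm_access: {"roles": ["ADMIN", ...]}
        addRoles(authorities, jwt.getClaimAsMap("realm_access"));
        // resource_access: {"java-api": {"roles": [...]}, "account": {"roles": [...]}}
        Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
        if (resourceAccess != null && resourceAccess.get(clientId) instanceof Map<?, ?> clientAccess) {
            addRoles(authorities, clientAccess);
        }
        return authorities;
    };
}

// Keycloak role names are case-sensitive: hasRole("ADMIN") only matches a role literally named ADMIN
private static void addRoles(Set<GrantedAuthority> out, Map<?, ?> access) {
    if (access == null || !(access.get("roles") instanceof Collection<?> roles)) {
        return;
    }
    for (Object role : roles) {
        out.add(new SimpleGrantedAuthority("ROLE_" + role));
    }
}
```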
🔸 3️⃣ CREATE A USER PROGRAMMATICALLY WITH THE KEYCLOAK ADMIN CLIENT
import java.util.List;
import jakarta.ws.rs.core.Response;   // javax.ws.rs.core.Response on admin clients before Keycloak 22
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// Log in to the "master" realm with the built-in admin-cli client
Keycloak keycloak = KeycloakBuilder.builder()
    .serverUrl("http://localhost:8080")
    .realm("master")
    .clientId("admin-cli")
    .username("admin")
    .password("admin")
    .build();

UserRepresentation user = new UserRepresentation();
user.setUsername("alice");
user.setEmail("alice@example.com");
user.setEnabled(true);

// Initial password; temporary = true forces a change at first login
CredentialRepresentation password = new CredentialRepresentation();
password.setType(CredentialRepresentation.PASSWORD);
password.setValue("change-me");
password.setTemporary(true);
user.setCredentials(List.of(password));

// create() returns a JAX-RS Response: 201 Created, or 409 Conflict if the username exists
try (Response response = keycloak.realm("java-realm").users().create(user)) {
    if (response.getStatus() != 201) {
        throw new IllegalStateException("User creation failed: HTTP " + response.getStatus());
    }
}
Explanation:
▪️ Keycloak is not only a login screen.
▪️ It also exposes admin APIs.
▪️ You can automate user creation, onboarding, role assignment, client configuration, and realm management.
▪️ This is useful for internal platforms, SaaS onboarding, test environments, or enterprise provisioning.
Identity becomes infrastructure.
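Provisioning code in a platform should not carry the master admin password. An added example (not from the original post) that authenticates the admin client as a service account with the client-credentials grant, creates the user, and maps a realm role to it; the client "provisioner", its secret, and the server and realm names are assumed:

```java
import java.util.List;
import jakarta.ws.rs.core.Response;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class Onboarding {

    // Assumed: a confidential client "provisioner" in java-realm with service accounts enabled
    // and the realm-management role "manage-users" granted to its service account.
    static final String SERVER = "http://localhost:8080";
    static final String REALM = "java-realm";

    public static String onboard(String username, String email, String realmRole, String clientSecret) {
        // Client-credentials grant: no human admin password in code or configuration
        try (Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(SERVER)
                .realm(REALM)   // token is obtained from the target realm, not from "master"
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId("provisioner")
                .clientSecret(clientSecret)
                .build()) {

            RealmResource realm = keycloak.realm(REALM);

            UserRepresentation user = new UserRepresentation();
            user.setUsername(username);
            user.setEmail(email);
            user.setEnabled(true);
            // No password is set here: the user must choose one at first login
            user.setRequiredActions(List.of("UPDATE_PASSWORD"));

            String userId;
            try (Response response = realm.users().create(user)) {
                // Throws WebApplicationException on anything but 201 (e.g. 409 if the username exists)
                userId = CreatedResponseUtil.getCreatedId(response);
            }

            // Look the role up in the realm and map it to the new user
            RoleRepresentation role = realm.roles().get(realmRole).toRepresentation();
            realm.users().get(userId).roles().realmLevel().add(List.of(role));
            return userId;
        }
    }
}
```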
🔸 WHERE DOES KEYCLOAK STAND ON THE TECH RADAR?
Think of the IAM landscape like this:
▪️ Open-source / self-hosted IAM: Keycloak, Zitadel, Authentik, Ory, FusionAuth, SuperTokens, Casdoor, Janssen
▪️ Enterprise SaaS IAM: Okta, Auth0, Microsoft Entra ID, Ping Identity, ForgeRock
▪️ Cloud provider IAM / CIAM: AWS Cognito, Firebase Authentication, Google Cloud Identity, Azure AD B2C / Entra External ID
▪️ Developer-first auth platforms: Clerk, WorkOS, Stytch, Frontegg
▪️ Authorization-focused tools: Oso, Cerbos, Open Policy Agent
Keycloak is especially interesting when you want:
▪️ Open standards
▪️ Self-hosting
▪️ Strong customization
▪️ Enterprise SSO
▪️ LDAP / Active Directory integration
▪️ Identity brokering
▪️ Java-friendly integration
▪️ No full dependency on a proprietary SaaS auth provider
But Keycloak also means:
▪️ You operate it
▪️ You upgrade it
▪️ You secure it
▪️ You monitor it
▪️ You design realms, clients, roles, and flows properly
So the question is not:
“Is Keycloak better than Okta/Auth0/Cognito?”
The better question is:
“Do we want to own our identity platform, or consume it as a managed service?”
🔸 SPRING SECURITY VS KEYCLOAK
Spring Security and Keycloak are not direct competitors.
They solve different parts of the security puzzle.
▪️ Spring Security protects your Java application.
It handles filters, authentication mechanisms, authorization rules, method security, CSRF protection, session security, OAuth2 resource server integration, and access control inside your Spring Boot app.
▪️ Keycloak manages identity outside your application.
It handles users, passwords, login screens, realms, clients, roles, SSO, MFA, identity brokering, LDAP integration, and token issuing.
In simple words:
▪️ Spring Security = protects the application
▪️ Keycloak = manages the identity provider
▪️ Together = a clean enterprise security architecture
A common setup is:
Keycloak authenticates the user, issues a JWT token, and Spring Security validates that token before allowing access to your APIs.
🔸 TAKEAWAYS
▪️ Keycloak is not just “a login tool”. It is an identity platform.
▪️ For Java developers, its most common use case is securing Spring Boot APIs with JWT tokens.
▪️ It helps avoid custom authentication code, which is usually risky and expensive to maintain.
▪️ It fits well in enterprise, internal platform, B2B, and self-hosted architectures.
▪️ Its competitors are not all equivalent: some are SaaS, some are open-source, some are cloud-native, some focus more on authorization than authentication.
▪️ Keycloak gives you control, but control always comes with operational responsibility.
Authentication looks simple.
Until you have to manage users, roles, sessions, tokens, SSO, federation, MFA, audits, and password policies across multiple applications.
That is exactly where tools like Keycloak start to make sense. 🔐
(and Keycloak is free🆓)
#Java #SpringBoot #SpringSecurity #Keycloak #OAuth2 #OpenIDConnect #SAML #IAM #CyberSecurity #BackendDevelopment #SoftwareArchitecture #CloudNative #IdentityAccessManagement #JavaDeveloper