Spring Keycloak authentication - serves both web application and web service

Our stack includes the following services, each service runs in a docker container:

• Front-end in React
• Backend service based on Spring boot "resource-service"
• Keycloak
• Other backend service (consumer)

Both the front-end and the consumer services communicate with the backend using REST API.
We use Keycloak as our user management and authentication service.

We would like to integrate our Spring based service "resource-service" with Keycloak by serving both web application and a service flows:

1. Web application - React based front-send that should get a redirect 302 from the "resource-service" and send the user / browser to login in the Keycloak site and then return to get the requested resource.

2. Server 2 Server coomunication - A server that need to use the "resource-service" API's should get 401 in case of authentication issues and not a redirection / login page.

There are few options to integrate Spring with Keycloak:

1. Keycloak Spring Boot Adapter
2. Keycloak Spring Security Adapter
3. Spring Security and OAuth2

I noticed that there is a "autodetect-bearer-only" in Keycloak documentation, that seems to support exactly that case. But -
There are a lot of integration options and I'm not sure what is the best way to go, for a new Spring boot service.
In addition, I didn't find where to configure that property.

I've used approaches one and two and in my opinion, if you are using Spring Boot, use the corresponding adapter, use the Spring Security adapter if you're still using plain Spring MVC. I've never seen the necessity for the third approach as you basically have to do everything on your own, why would anyone not use the first two methods?

As for using the Spring Bood adapter, the only configuration necessary is the following:

keycloak:
  bearer-only: true
  auth-server-url: your-url
  realm: your-realm
  resource: your-resource

And you're done. The bearer-only is so that you return 401 if a client arrives without a bearer token and isn't redirected to a login page, as you wanted. At least that's what's working for us

After that, you can either use the configuration for securing endpoints but it's a bit more flexible to either use httpSecurity or @EnableGlobalMethodSecurity which we're doing with e. g. @Secured({"ROLE_whatever_role"}).

If you're using the newest Spring Boot version combined with Spring Cloud, you might run into this issue.

I configure my resource-servers to always return 401 when Authorization header is missing or invalid (and never 302), whatever the client.

The client handles authentication when it is required, token refreshing, etc.: Some of certified OpenID client libs even propose features to ensure user has a valid access-token before issuing requests to protected resources. My favorite for Angular is angular-auth-oidc-client, but I don't know which React lib has same features.

Keycloak adapters for Spring are now deprecated. You can refer to this tutorials for various resource-server security configuration options. It covers uses cases from most simple RBAC to building DSL like: @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")