I have a similar system, without docker.
The Angular application does login with the public client.
Then, it uses the token with my Java REST server (JAVA EJB class, no Spring).
The Java Application is configured to use the confidential client.
The problems I found:
- public and confidential clients must both work either in https or in http, you cannot mix them;
- a lot of problems with CORS: Keycloak is installed on a different PC.
With the CORS problem I get a 403 error.
So I suggest you raise the log level to maximum and read what the Java adapter sends to the server.
For example, this is what I read in the log (I’m using WildFly):
8:32:29,374 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-13) Releasing connection [{s}->https://edu.svi:38443][null]
18:32:29,374 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-13) Pooling connection [{s}->https://edu.svi:38443][null]; keep alive indefinitely
18:32:29,374 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-13) Notifying no-one, there are no waiting threads
18:32:29,375 DEBUG [org.keycloak.adapters.authorization.AbstractPolicyEnforcer] (default task-13) Authorization GRANTED for path [PathConfig{name='BWCLogin', type='MODULI', path='/webservice/login/*', scopes=[read, print, update, delete, create], id='74fc7556-2a5e-41ca-bf8b-a1018a29424d', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=74fc7556-2a5e-41ca-bf8b-a1018a29424d, name=BWCLogin, scopes=[print, read, create, update, delete]}]].
18:32:29,375 DEBUG [org.keycloak.adapters.authorization.PolicyEnforcer] (default task-13) Policy enforcement result for path [https://dan.svi:8443/SpesaWeb/webservice/login/getinfo] is : GRANTED
18:32:29,375 DEBUG [org.keycloak.adapters.authorization.PolicyEnforcer] (default task-13) Returning authorization context with permissions:
18:32:29,375 DEBUG [org.keycloak.adapters.authorization.PolicyEnforcer] (default task-13) Permission {id=74fc7556-2a5e-41ca-bf8b-a1018a29424d, name=BWCLogin, scopes=[print, read, create, update, delete]}
18:32:29,375 DEBUG [io.undertow.request.security] (default task-13) Authenticated as 51543276-5886-4520-bcde-f7132fbbc75c, roles [cliente]
I don’t have a CORS problem now, so I cannot produce a log, but there was an error saying “NotAllowed…”
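As an added example (not part of the post above), a small triage script for the adapter DEBUG output the reply recommends reading: it groups the WildFly/Keycloak adapter lines by worker task and flags the two things the post describes, a DENIED policy enforcement result and an http/https mismatch between the Keycloak server and the resource server. The task-13 lines are modelled on the post; task-14 is constructed so both checks have something to catch.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: task-13 mirrors the post's log, task-14 is an invented
# plain-http request that gets DENIED, to exercise both checks below.
SAMPLE_LOG = """\
18:32:29,374 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-13) Releasing connection [{s}->https://edu.svi:38443][null]
18:32:29,375 DEBUG [org.keycloak.adapters.authorization.PolicyEnforcer] (default task-13) Policy enforcement result for path [https://dan.svi:8443/SpesaWeb/webservice/login/getinfo] is : GRANTED
18:32:29,375 DEBUG [io.undertow.request.security] (default task-13) Authenticated as 51543276-5886-4520-bcde-f7132fbbc75c, roles [cliente]
18:32:31,002 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-14) Releasing connection [{s}->https://edu.svi:38443][null]
18:32:31,010 DEBUG [org.keycloak.adapters.authorization.PolicyEnforcer] (default task-14) Policy enforcement result for path [http://dan.svi:8080/SpesaWeb/webservice/orders/list] is : DENIED
"""

TASK = r"\((?P<task>default task-\d+)\)"
# HttpClient route "{s}->url" is the Keycloak server the adapter talked to
RE_AUTH_SERVER = re.compile(TASK + r" .*connection \[\{s?\}->(?P<url>https?://[^\]]+)\]")
RE_RESULT = re.compile(TASK + r" Policy enforcement result for path \[(?P<url>[^\]]+)\] is : (?P<result>\w+)")
RE_IDENTITY = re.compile(TASK + r" Authenticated as (?P<subject>\S+), roles \[(?P<roles>[^\]]*)\]")


def parse_requests(log_text):
    """Group adapter DEBUG lines by Undertow worker task; one task == one request."""
    requests = {}
    for line in log_text.splitlines():
        if m := RE_AUTH_SERVER.search(line):
            requests.setdefault(m["task"], {})["auth_server"] = m["url"]
        elif m := RE_RESULT.search(line):
            rec = requests.setdefault(m["task"], {})
            rec["resource_url"], rec["result"] = m["url"], m["result"]
        elif m := RE_IDENTITY.search(line):
            rec = requests.setdefault(m["task"], {})
            rec["subject"] = m["subject"]
            rec["roles"] = [r.strip() for r in m["roles"].split(",") if r.strip()]
    return requests


def find_problems(requests):
    """Return (task, message) for denials and for mixed http/https between
    the Keycloak server and the resource server, as the post warns about."""
    problems = []
    for task, rec in sorted(requests.items()):
        if rec.get("result") == "DENIED":
            problems.append((task, "policy enforcement DENIED for " + rec["resource_url"]))
        if "auth_server" in rec and "resource_url" in rec:
            kc, rs = urlsplit(rec["auth_server"]).scheme, urlsplit(rec["resource_url"]).scheme
            if kc != rs:
                problems.append((task, f"scheme mismatch: keycloak={kc}, resource={rs}"))
    return problems


if __name__ == "__main__":
    for task, msg in find_problems(parse_requests(SAMPLE_LOG)):
        print(task, msg)
```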