How do you use Keycloak for providing authentication?

We have decided to use Keycloak as the authentication provider for our system under development, using React with Spring Boot.

My idea is to create a front-end client in Keycloak and let the React app use keycloak-js to authenticate the user on load. After authenticating, the backend resources could be used.

There is a competing idea: not to expose Keycloak to the client, but to route the login request through the Spring Boot backend to Keycloak.

I am interested to know how people are using Keycloak for authentication and what the pros and cons of such a pattern are.

Thank you very much!

There is something very surprising about this question (and how regularly it or similar questions are being asked).

What has me confused is, how Keycloak made it through the evaluation process without a commitment to OIDC.

Assuming you are developing a web app with some kind of REST API, OIDC is a well-suited fit for such a problem, and Keycloak is an OIDC provider.
Then keycloak-js is an option, but so is any other OIDC implementation for React.

If you don’t want to make Keycloak public, I’m not sure what you gain from using it over whatever the Spring ecosystem can provide you with in terms of user management.


Thank you very much for clarifying this. Actually, I am quite new to working with authentication management and similar concepts. I would appreciate it if you could share some resources to get a better understanding of this.

Thanks!!

If your app is publicly exposed, and you are using Keycloak to authenticate your users on this app, then just publicly expose Keycloak as well. To address security concerns over exposing Keycloak publicly, look at the threat mitigation section of the official documentation: Server Administration Guide
You can also put a WAF in front of your Keycloak to protect it against well-known threats.
There is no point in using an Identity Provider such as Keycloak, and then making the requests to Keycloak go through a backend you developed yourself. What are the chances that your backend implementation is more secure than Keycloak?