How is Keycloak authenticating my confidential client? (Spring Boot)

I have a basic RBAC endpoint and a filter for incoming requests:

// Protected endpoint; the mapping path is assumed, the original snippet omitted it
@GetMapping("/test")
public String test() {
    return "ok";
}

import java.io.IOException;
import javax.servlet.FilterChain;          // jakarta.servlet.* on Spring Boot 3
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class AuthFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        // AuthRequestWrapper adds a valid `Authorization: Bearer ...` header built from a custom cookie;
        // both wrapper classes are my own and not shown here
        AuthRequestWrapper authRequest = new AuthRequestWrapper(request);
        AuthResponseWrapper authResponse = new AuthResponseWrapper(response);

        filterChain.doFilter(authRequest, authResponse);
    }
}


My request wrapper builds an Authorization header with a Bearer token based on a custom cookie value. I’m able to hit the protected endpoint, but the problem is that when I remove the Authorization header I’m still able to hit the protected endpoint, and I don’t know why.

What’s going on? Does it have to do with the JSESSIONID and Oauth2_token_request_state cookies? I’m not sure what’s going on behind the scenes to authenticate, but I can’t seem to get rid of these cookies either to verify.

I’m using a Backend for Frontend pattern and ideally I’d be able to control the authentication flow on my own. I have standard flow enabled and a confidential access type. Using Postman with just the Authorization header is sufficient, so I’d like to disable whatever Keycloak is doing here and use my own Authorization header.
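An added example, not part of the question above, illustrating the likely mechanism and one way to check and close it. The assumption here is that the Keycloak Spring Boot adapter (the component that sets the JSESSIONID and the token-request-state cookie) is handling authentication: after the first request carries a valid Bearer token, the adapter stores the authenticated principal in the HTTP session, and Spring Security then authenticates every later request that presents the JSESSIONID cookie, with or without an Authorization header. The check is to repeat the request with the Authorization header removed and the JSESSIONID cookie also removed; if that request is rejected while the cookie-only request is accepted, the session is what authenticates it. The configuration below forces stateless handling so that every request has to present the Bearer token the filter adds. The class name, the "/test" path and the "user" role are assumptions; AuthFilter is the poster's filter class.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// Assumed class name; this is example configuration, not the poster's or Keycloak's own code.
// Pair it with `keycloak.bearer-only=true` in application.properties so the adapter
// validates Bearer tokens only and never starts the browser login (standard) flow itself.
@KeycloakConfiguration
public class StatelessSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // No session is created on successful authentication, so nothing can be replayed
    // from a JSESSIONID on a later request that lacks the Authorization header.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            // STATELESS: the SecurityContext is never persisted to the HTTP session,
            // so each request is authenticated solely from the Bearer token it carries.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // The cookie-to-header wrapper must run before the adapter inspects the request.
            .addFilterBefore(new AuthFilter(), KeycloakAuthenticationProcessingFilter.class)
            .authorizeRequests()
                .antMatchers("/test").hasRole("user")   // assumed path and role
                .anyRequest().authenticated();
    }
}
```

With this in place the Authorization header that AuthFilter derives from the custom cookie is the only credential the server accepts, which is the behaviour the Postman test already shows; the JSESSIONID cookie, if still issued by the container, no longer carries an authenticated principal.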