Securing Spring Boot RESTful API and React JS

Hi all,

I have developed a RESTful API using Spring Boot and a ReactJS application that makes API calls to that backend.
Now I need to secure both apps and I’m a little bit confused because I’m trying to figure out if I only need one client on Keycloak that the 2 apps will use? With which access type?
Or do I need a client for each app - one for the Spring Boot RESTful API and the second one for the React app? If so, what would be their access types?

Thank you so much

You can secure your Spring Boot REST APIs using the Keycloak OIDC protocol with just one client profile. Once the user is authenticated with the token endpoint by getting access_token, you can use this bearer token for securing your REST API.

Further, in the front end using your React you can call the specific API for login, user registration etc…

Note: if you have a custom login page, set property bearer-only=TRUE in application.properties; this will not direct to the Keycloak login page.
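The bearer-token check described in the answer above, as an added example that is not part of the original posts and is not Keycloak's adapter code: it shows what an API does with the `Authorization: Bearer` header on each request (verify the signature, issuer and expiry, then accept or reject with no login redirect). The realm URL, client name and locally generated key pair are constructed stand-ins, and comparing `azp` with the single client is an assumption about the one-client setup.

```javascript
const crypto = require("crypto");

// Constructed stand-in for the realm signing key; a real API obtains the
// realm's public key from Keycloak instead of generating one.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const ISSUER = "https://keycloak.example.test/realms/demo"; // hypothetical realm URL
const CLIENT_ID = "demo-client";                            // hypothetical client name

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Test helper: builds an RS256-signed token like the one the token endpoint returns.
function issueToken(claims, key = privateKey) {
  const input = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), key).toString("base64url");
  return `${input}.${sig}`;
}

// Per-request check on the API side: accept or reject, never redirect.
function checkBearer(authorizationHeader, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || "");
  if (!m) return { status: 401, reason: "missing or malformed bearer token" };
  const [, h, p, s] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(p, "base64url").toString());
  } catch {
    return { status: 401, reason: "undecodable token" };
  }
  // Pin the algorithm; the token's own "alg" must not choose the verifier.
  if (header.alg !== "RS256") return { status: 401, reason: "unexpected alg" };
  const signed = Buffer.from(`${h}.${p}`);
  const ok = crypto.verify("RSA-SHA256", signed, publicKey, Buffer.from(s, "base64url"));
  if (!ok) return { status: 401, reason: "bad signature" };
  if (claims.iss !== ISSUER) return { status: 401, reason: "wrong issuer" };
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    return { status: 401, reason: "expired" };
  }
  // Assumption: with one client, tokens must have been issued to that client.
  if (claims.azp !== CLIENT_ID) return { status: 403, reason: "token issued to another client" };
  return { status: 200, subject: claims.sub };
}
```
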

Thank you @circ1 for taking the time to answer my questions.
So if I understand it correctly, creating one client only on Keycloak is enough to secure the API. I’m assuming I should use access type = confidential?

I thought I should create a new client on Keycloak for each app that needs to use the REST API. Like one for the React app, one for the mobile app.

Thank you

Yes, access type = confidential

You can use this adapter for securing your REST APIs
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-springboot

Awesome thank you man!