So many choices

We need to provide SSO between a Spring Boot application, Alfresco and JBoss Business Central / MAB / KIE server.

Since Alfresco supports only SAML, I thought using Keycloak should cover our needs. However, the Alfresco support for SSO is limited to identifying the user, and they suggest a shared LDAP server to manage groups and permissions.
So I configured Keycloak to use OpenLDAP.
I use the Keycloak Admin API to register users.

Our front-end application is Angular. We added keycloak-angular to manage the login on the front-end, and it will be using APIs from Alfresco, the jBPM KIE server and our Spring Boot application.

Using the Keycloak Spring Boot Starter or the Spring Security Adapter is problematic because they don't actually leverage the Spring Security configuration, which means a separate configuration for protecting resources and, even worse, trying to tell it which URLs should be unauthenticated.
So I found some examples of configuring a Spring Security OAuth2 resource server.
This is where all the different options come in:

  • public vs confidential
  • JWT vs opaque
  • OAuth2 client vs Resource server
  • keycloak-angular vs ???

I’m interested in identity and realm roles.
Alfresco is going to be interested in the identity and JBoss Business Central seems to want realm roles and identity.

What is the simplest way to achieve this?

At the moment the front-end reports a CORS error when it redirects to Keycloak after login while hitting the application API. I've tried different things in Web Origins, from "*" and "+" to the backend and front-end URLs.
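Two things in the question have a concrete shape in code, so here is an added example (mine, not the poster's code or anything from the Keycloak, Alfresco or jBPM projects) of the "Spring Security OAuth2 resource server" option from the list above, written against Spring Security 6 / Spring Boot 3 (assumed versions). It shows the three points a practitioner would want: the API validates Keycloak JWTs instead of redirecting to the login page, `realm_access.roles` is mapped to `ROLE_*` authorities so `hasRole()` works on realm roles, and CORS is answered by the API itself. The origin, paths and realm URL are placeholders, not values from the original post. Note that Keycloak's Web Origins setting only governs CORS on Keycloak's own endpoints (token, userinfo, account); it cannot make a different server's API respond with CORS headers. A resource server answers an unauthenticated XHR with 401 rather than a 302 to Keycloak, which is what a browser-based client needs, because a cross-origin redirect from an XHR to the Keycloak login page is exactly what surfaces as a CORS error.

```java
// Added example: Spring Security 6 resource server for Keycloak-issued JWTs.
// Assumed application.yml entry (placeholder realm URL, not from the post):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri: https://keycloak.example.com/realms/demo
// Spring Boot uses issuer-uri to fetch the realm's JWKS and validate signature, issuer and expiry.
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Assumed Angular dev-server origin (placeholder). Use the exact scheme+host+port the browser sends.
    private static final String FRONTEND_ORIGIN = "http://localhost:4200";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // CORS must run before authentication so the OPTIONS preflight (which carries no token) succeeds.
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // Bearer-token API: no cookie session, so CSRF protection is not needed.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Public and protected URLs live in one ordinary Spring Security rule set (placeholder paths).
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**", "/actuator/health").permitAll()
                .requestMatchers("/api/admin/**").hasRole("admin")      // Keycloak realm role "admin"
                .anyRequest().authenticated())
            // Validate Keycloak JWTs locally; an unauthenticated call gets 401, never a redirect.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(keycloakRealmRolesConverter())));
        return http.build();
    }

    /**
     * Keycloak puts realm roles in the "realm_access": {"roles": [...]} claim.
     * Prefix them with ROLE_ so hasRole("admin") matches, and use preferred_username as the principal name.
     */
    static Converter<Jwt, AbstractAuthenticationToken> keycloakRealmRolesConverter() {
        return jwt -> {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            Collection<GrantedAuthority> authorities = List.of();
            if (realmAccess != null && realmAccess.get("roles") instanceof Collection<?> roles) {
                authorities = roles.stream()
                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                    .collect(Collectors.toList());
            }
            return new JwtAuthenticationToken(jwt, authorities, jwt.getClaimAsString("preferred_username"));
        };
    }

    /** CORS for the API itself; Keycloak's Web Origins setting does not apply to this server. */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of(FRONTEND_ORIGIN));   // an explicit origin, not "*"
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setMaxAge(3600L);                              // cache the preflight for an hour
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}
```

With this in place the Angular app (a public client in Keycloak terms, since a browser cannot keep a secret) obtains the token through keycloak-angular and sends it as `Authorization: Bearer ...`; the Spring Boot service is purely a resource server and needs no client secret, no login redirect and no Keycloak adapter. The same realm roles carried in the token are what Business Central / KIE server can be configured to read, so one Keycloak realm backed by the shared OpenLDAP serves identity for all three systems.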