How to secure REST API of my JEE project with Keycloak?
I am working on a project which has a front-end (Angular) and REST API back-end (JEE-Wildfly).
My goal is to secure my REST endpoints.
I've created 2 clients in Keycloak:
- backend-client, which has access type bearer only
- frontend-client which has access type public
What I want is to have an OAuth2 flow and to secure my REST APIs. So far I've tried having my backend with access type confidential, and using POSTMAN I've been able to get my access token, but as I understand it, to create the whole OAuth flow I need my backend to be Bearer Only, is that true? How can I get the access token then? 'Cause I get this error:
```json
{
"error": "invalid_client",
"error_description": "Bearer-only not allowed"
}
```
Is bearer only correct for OAuth2 flow? What I'd like to have is:
- I try to access my Angular app, get redirected to Keycloak authentication
- I get an access token and refresh token, I put the access token in every request I make to the REST endpoints
Is the access token I get in my Angular APP the same bearer token my backend is expecting?
Thanks a lot
Solution 1:[1]
If I understand correctly, then you want to secure 'one application', your backend API, so you'll only need to define one client in Keycloak for this.
Set the 'Access Type' of that client to 'confidential'.
Then it is up to you which OAuth flow you would like to use:
- Authentication Code flow : to allow users to login with their username/password for your client. (See Authentication code flow, it's Auth0 documentation, but it explains the flow)
- Client Credentials flow : to make your frontend 'securely' access your backend without specific users. (see Client credentials flow, it's Auth0 documentation, but it explains the flow)
To enable option 1 on your client, then enable the 'Standard flow'. To enable option 2 on your client, then enable the 'Service Account'.
The access token you'll get during the login is the one you'll send back and forth between your FrontEnd and BackEnd.
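Added example, not code from the question or the answer: the two token requests the answer's options map to (authorization code exchange when 'Standard flow' is enabled, client credentials when 'Service Account' is enabled), and the checks the backend has to make before it trusts the `Authorization: Bearer` header the Angular app sends. The realm, issuer URL, client secret and shared secret are constructed sample values. Keycloak signs access tokens with RS256 and a backend verifies them with the realm public key (the Wildfly adapter does this for you); to keep this runnable offline the sample token is signed with HS256 and a constructed shared secret, the claim checks are the same either way.

```python
"""Token requests and bearer-token validation for a Keycloak-protected REST API.
Added example; realm/issuer/secrets are constructed, not taken from the question."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ISSUER = "https://keycloak.example.com/realms/demo"   # constructed realm URL
CLIENT_ID = "backend-client"                           # client name from the question
CLIENT_SECRET = "constructed-client-secret"             # constructed
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authorization_code_token_request(code: str, redirect_uri: str) -> dict:
    """Form body posted to exchange the code after the Keycloak login redirect ('Standard flow')."""
    return {"url": TOKEN_ENDPOINT, "body": urlencode({
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})}


def client_credentials_token_request() -> dict:
    """Form body a service posts when 'Service Account' is enabled (no end user involved)."""
    return {"url": TOKEN_ENDPOINT, "body": urlencode({
        "grant_type": "client_credentials", "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})}


def sign_hs256_token(claims: dict, secret: bytes) -> str:
    """Stand-in for Keycloak's RS256 signer so the example runs offline (constructed secret)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_bearer(authorization_header, secret: bytes, now=None):
    """Checks the backend makes on every request. Returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "missing bearer token"
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm: the token header must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    # Keycloak puts the requesting client in 'azp'; 'aud' may be a string or a list.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("azp") != CLIENT_ID and CLIENT_ID not in aud:
        return False, "token not issued for this client"
    return True, claims


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    token = sign_hs256_token({"iss": ISSUER, "azp": CLIENT_ID, "aud": ["account"],
                              "exp": int(time.time()) + 300, "preferred_username": "alice"}, secret)
    print(verify_bearer(f"Bearer {token}", secret))
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so an expired or mis-addressed token is rejected for the right reason rather than trusted because of a forged `exp` or `iss`. The same access token the Angular app receives at login is what it puts in the `Authorization` header; the backend only ever validates, it never needs to call the token endpoint itself, which is why a bearer-only client cannot obtain one.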
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | gna |
