Tuesday, July 5, 2022

Keycloak 17 , LDAP, Angular 14 And Spring Boot 2



Keycloak is an open source identity and access management for modern applications and services, no need to deal with storing users or authenticating users. it's all available out of the box.

The Documentation keycloak mentioned the following with respect LDAP and Active Directory:  Keycloak comes with a built-in LDAP/AD provider. It is possible to federate multiple different LDAP servers in the same Keycloak realm. You can map LDAP user attributes into the Keycloak common user model. By default, it maps username, email, first name, and last name, but you are free to configure additional mappings.

OpenID Connect

OpenID Connect additional is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Downloading and installing docker-test-openldap by Docker

For Install docker-test-openldap you just need the next command: it will check the users available on GitHub repository.

docker run --rm -p 10389:10389 -p 10636:10636 rroemhild/test-openldap

Test connection to LDAP on Apache Directory Studio

Downloading and installing keycloack by Docker

For Install keycloak by docker you just need the next command: I used version 17.0.1

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:17.0.1 start-dev
This will start Keycloak exposed on the local port 8080. It will also create an initial admin user with username admin and password admin.

Setting Up a keycloack server.

Open a browser  http://localhost:8080 or result this.

Creating a Realm

For default the console opens up Master realm, Let's navigate left corner Add realm button.

For this example I created realm demo. we'll click the button create.

Creating a Client

Add a new client with the name spring-boot-keycloak with openid-connect. click button save.

Add Valid Redirect URIs.


Click on User Federation -> ldap:

Ldap Parameters:

Edit Mode: READ_ONLY
Vendor: Active Directory
LDAP attribute name for username: uid
RDN LDAP attribute: cn
UUID LDAP attribute: cn
User Object Classes: top, person, organizationalPerson, inetOrgPerson
Connection URL: ldap://YOUR_IP:10389
Users DN: ou=people,dc=planetexpress,dc=com
Search Scope: One level
Bind Type: none

Click and Save and Synchronize all user.

Go to Manage -> Users and check all users:

Creating a Spring Boot Application

In this examples we're integration Spring Boot, keycloack and Ldap user federation.

  • Configuration Spring boot, Spring Security and keycloack.
  • Spring Controllers  

Spring Boot Rest  API 

This is API



  • Java 17 (Zulu)
  • Spring Boot 2.7.1
  • Maven 
  • IntelliJ IDEA 
  • Docker
  • Test-openldap

Project Structure

Configuration Spring Boot Keycloak project 


<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<relativePath/> <!-- lookup parent from repository -->
<description>Demo project for Spring Boot Keycloak, ldap</description>

<!-- Exclude the Tomcat dependency -->
<!-- Use Jetty instead -->





port: 8081
realm: demo
resource: spring-boot-keycloak
public-client: true
bearer-only: true
principal-attribute: preferred_username

Class Security configuration

I suggest to you, we 'll be reading Spring Boot Adapters, I got from Spring Boot Adapters the configuration class.

import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableGlobalMethodSecurity(jsr250Enabled = true)//so i need the roles exist environment, @RolesAllowed
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter

* Registers the KeycloakAuthenticationProvider with the authentication manager.
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

KeycloakAuthenticationProvider keycloakAuthenticationProvider = new KeycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());

* Defines the session authentication strategy.
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());

protected void configure(HttpSecurity http) throws Exception


CorsConfigurationSource corsConfigurationSource() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
return source;

Spring Rest APIs Controller

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Collections;
import java.util.Map;


public class HelloWorldController {

public Map<String, String> hello(){
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
String currentPrincipalName = authentication.getName();
return Collections.singletonMap("response", "Hello "+currentPrincipalName);


Run & Test

Run Spring Boot application with command: mvn spring-boot:run. by console, IntelliJ etc.

Keycloak provides a REST API for generating and refreshing access tokens. 

1. We need to acquire an access token from Keycloak from this url. 

  • or localhost .
  • Port: 8080 .
  • realms Url defined by keycloak.
  • demo The name of realm.
  • protocol/openid-connect/token The url defined by keycloak.

2. Configurate on Postman.

Without token:

With token:

Tab Authorizacion: for more users it will check of Test-openldap on GitHub.
       Type: OAuth 2.0
       Grant Type: Password Credentials
       Access Token URL:
       Client ID: spring-boot-keycloak
       Username: zoidberg
       Password: zoidberg
       Client Authentication: Send client credentials in body

Click on Get New Acces token.

Click Proceed and next to Use Token.

Creating  Angular Application

In this examples we're integration Angular, keycloack, Ldap user federation and Spring Boot.

  • Configuration Angular and keycloack.
  • Components
  • Services

Angular Rest  API 

This is API



  • Visual Studio Code 1.68.1
  • Node 16
  • Npm
  • Angular Cli 14
  • Angular Material 14
  • sweetalert2

Project Structure

Configuration Angular Keycloak project 


redirect: When the app is up always start in this component. 



    login: provided ts, scss and html file.


    pages: provided title header in all pages and all components to configure routing file. 


     services: provided services, interceptors, guards, consuming web services etc.

 environments: (environment.ts) provided the endpoints for keycloak and spring boot.

// This file can be replaced during build by using the `fileReplacements` array.
// `ng build` replaces `environment.ts` with `environment.prod.ts`.
// The list of file replacements can be found in `angular.json`.

export const environment = {
  production: false,
  keycloakEndpoint: "",
  wsEndpoint: ""

 * For easier debugging in development mode, you can import the following file
 * to ignore zone related error stack frames such as `zone.run`, `zoneDelegate.invokeTask`.
 * This import should be commented out in production mode because it will have a negative impact
 * on performance if an error is thrown.
// import 'zone.js/plugins/zone-error';  // Included with Angular CLI.


Run & Test

Run Angular application with command: ng serve

Go to http://localhost:4200/
Set credentials for users from LDAP User federation from Keycloak.

username: zoidberg
password: zoidberg

Click on Login

If login is ok.  Show the name from Keycloak and username from Spring Boot project.

Get and set values from login html (login.component.ts).

 const body = new HttpParams()
      .set("username", this.loginForm.value.username!)
      .set("password", this.loginForm.value.password!)
      .set("grant_type", "password")
      .set("client_id", "spring-boot-keycloak")
      .set("client_secret", "")
      .set("scope", "openid");

Call WS KeycloakEndopoint (auth.service.ts).

async currentloginid(payMod: any) {
    //changes this url by your realms
    try {
      const response = await fetch(environment.keycloakEndpoint, {
        method: 'post',
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8'
        body: payMod
      const data = await response.json();
      return data;
    } catch (error) {
      console.log('Request failed', error);

Call WS Endpoint Spring Boot Project (content.component.ts).

ngOnInit(): void {
    this.name = this.authService.getUser();
    let url = `${environment.wsEndpoint}/users`;
    this._client.getUserFromBackend(url).subscribe((data) => {
      this.username = data.response;

Go to inspect: Righ click on page -> Inspect or f12.

Tab -> Application -> Storage ->Session Storage 

Show the token.

For will check if token is valid go to jwt.io and copy and paste token.

Source Code

Here on GitHub:



1 comment:

Multiple Data Sources in Spring Boot 3 with Java 21

  In this blog post, we'll explore the configuration and setup for a Spring Boot 3 application with Java 21 that uses multiple data sour...