Configure Proxy for Keycloak with Spring Boot (Client and Resource Server (OAuth2)) with Nginx inside Docker

Welcome to this comprehensive guide on configuring a proxy for Keycloak with Spring Boot (Client and Resource Server using OAuth2) along with Nginx inside Docker. This article will walk you through the entire process, ensuring you have a seamless and secure setup.

Table of Contents

Prerequisites
Overview of the Architecture
Step 1: Set up Keycloak
Step 2: Create Spring Boot Client and Resource Server
1. Client Project
2. Resource Server Project
Step 3: Configure Nginx as a Reverse Proxy
Step 4: Dockerize the Application
Step 5: Start the Application
Testing the Application
Troubleshooting Tips

Prerequisites

Before we dive in, make sure you have the following installed on your machine:

Docker
Docker Compose
Java 11 or later
Maven or Gradle (for building Spring Boot projects)
A basic understanding of Docker, Spring Boot, and OAuth2

Overview of the Architecture

The architecture we will be implementing consists of the following components:

Keycloak (OAuth2 Server)
Spring Boot Client (using OAuth2 to authenticate with Keycloak)
Spring Boot Resource Server (protected by OAuth2 and authenticated by Keycloak)
Nginx (reverse proxy to route requests to the Resource Server)
Docker (to containerize all components)

Step 1: Set up Keycloak

First, we’ll create a Docker container for Keycloak:

docker run -d --name keycloak \
  -p 8080:8080 \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=admin \
  -e KEYCLOAK_REALM=myrealm \
  quay.io/keycloak/keycloak:15.0.2

This command starts a Keycloak container with a realm named “myrealm” and default admin credentials. You can access the Keycloak console at http://localhost:8080.

Step 2: Create Spring Boot Client and Resource Server

Next, we’ll create two separate Spring Boot projects: one for the client and one for the resource server.

Client Project

Create a new Spring Boot project with the following dependencies:

<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2</artifactId>
  </dependency>
</dependencies>

In the application configuration file (application.properties or application.yml), add the following:

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: myclient
            client-secret: mysecret
            authorization-grant-type: authorization_code
            redirect-uri-template: '{baseUrl}/login/oauth2/code/{registrationId}'
        provider:
          keycloak:
            authorization-uri: http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/auth
            token-uri: http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token
            user-info-uri: http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/userinfo
            user-name-attribute: preferred_username

Resource Server Project

Create another Spring Boot project with the following dependencies:

<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
  </dependency>
</dependencies>

In the application configuration file, add the following:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://keycloak:8080/auth/realms/myrealm

Step 3: Configure Nginx as a Reverse Proxy

Create a new file named nginx.conf with the following content:

http {
  upstream resource_server {
    server resource-server:8081;
  }

  server {
    listen 8080;
    location / {
      proxy_pass http://resource_server;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
    }
  }
}

This configuration sets up Nginx to route requests from http://localhost:8080 to the Resource Server running on http://resource-server:8081.

Step 4: Dockerize the Application

Create a docker-compose.yml file with the following content:

version: '3'
services:
  keycloak:
    image: quay.io/keycloak/keycloak:15.0.2
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - KEYCLOAK_REALM=myrealm
    ports:
      - "8080:8080"

  client:
    build: ./client
    ports:
      - "8082:8082"
    depends_on:
      - keycloak

  resource-server:
    build: ./resource-server
    ports:
      - "8081:8081"
    depends_on:
      - keycloak

  nginx:
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    depends_on:
      - resource-server

This configuration defines four services: Keycloak, Client, Resource Server, and Nginx. The Client and Resource Server services are built from the respective Spring Boot projects, and Nginx is configured to use the nginx.conf file.

Step 5: Start the Application

Run the following command to start the application:

docker-compose up -d

This command starts all services in detached mode.

Testing the Application

To test the application, access the Client at http://localhost:8082. You should be redirected to the Keycloak login page. After authentication, you’ll be redirected back to the Client, which will then access the protected Resource Server through the Nginx reverse proxy.

Component	URL
Keycloak	http://localhost:8080
Client	http://localhost:8082
Resource Server	http://localhost:8081 (not accessible directly)
Nginx	http://localhost:80 (routes to Resource Server)

Congratulations! You have successfully configured a proxy for Keycloak with Spring Boot (Client and Resource Server using OAuth2) along with Nginx inside Docker.

Troubleshooting Tips

If you encounter any issues, make sure to check the Docker container logs for errors. You can do this by running docker-compose logs -f.

Common issues include:

Keycloak not starting correctly: Check the Keycloak container logs for errors.
Client or Resource Server not connecting to Keycloak: Verify the OAuth2 configuration in the application.properties file.
Nginx not routing requests correctly: Check the nginx.conf file for errors.

I hope this comprehensive guide has helped you set up a secure and scalable architecture using Keycloak, Spring Boot, and Nginx with Docker. Happy coding!

Here are the 5 Questions and Answers about “configure proxy for keycloak with spring boot(client and resource server(oauth2)) with nginx inside docker”:

Frequently Asked Question

Get ready to dive into the world of Keycloak, Spring Boot, and Nginx, all wrapped up in a Docker container! Below, we’ll tackle the most pressing questions on configuring a proxy for Keycloak with Spring Boot (client and resource server OAuth2) and Nginx inside Docker.

What is the purpose of configuring a proxy for Keycloak with Spring Boot and Nginx inside Docker?

Configuring a proxy for Keycloak with Spring Boot and Nginx inside Docker allows you to secure your application with OAuth2 authentication, while also providing a single entry point for clients to access your application, decoupling them from the internal infrastructure. This setup also enables load balancing, SSL termination, and caching, making your application more scalable and efficient.

How do I configure Keycloak as an OAuth2 provider in my Spring Boot application?

To configure Keycloak as an OAuth2 provider in your Spring Boot application, you need to add the Keycloak Spring Boot adapter dependency to your project, configure the Keycloak server URL and credentials in your application.properties file, and enable OAuth2 in your Spring Security configuration. You can then use the @RegisteredOAuth2AuthorizedGrantTypes annotation to specify the grant types supported by your application.

What is the role of Nginx in this setup, and how do I configure it as a reverse proxy?

Nginx acts as a reverse proxy, sitting between clients and your Spring Boot application, providing an entry point for clients and routing requests to the appropriate backend services. To configure Nginx as a reverse proxy, you need to create a Dockerfile for your Nginx image, configure the nginx.conf file to proxy requests to your Spring Boot application, and then create a Docker Compose file to orchestrate the containers.

How do I configure Keycloak to use the Nginx proxy for authentication?

To configure Keycloak to use the Nginx proxy for authentication, you need to set the proxy URL in the Keycloak server configuration, and then update the Keycloak adapter configuration in your Spring Boot application to use the Nginx proxy URL. This will allow Keycloak to redirect authentication requests to the Nginx proxy, which will then forward them to the Spring Boot application.

What are some common issues to watch out for when configuring this setup?

Some common issues to watch out for when configuring this setup include incorrect URL configurations, mismatched SSL certificates, and misconfigured Docker networking. Additionally, ensure that your Nginx proxy is properly routing requests to the correct backend services, and that your Keycloak adapter is correctly configured to use the Nginx proxy URL.