Securing Java Microservices with OAuth2.0: Integrating Keycloak with Windows AD
André Ramos
Senior Software Engineer | Java | Spring Boot | Micro Services | Fullstack Software Developer | Angular | AWS | TechLead
Introduction
Securing Java microservices is a critical aspect of modern software development. With OAuth2.0 as a widely accepted authentication standard, Keycloak simplifies identity and access management by providing a centralized authentication server. When integrated with Windows Active Directory (AD), organizations can leverage existing user credentials for seamless authentication and Single Sign-On (SSO).
This guide walks you through:
1. Deploying Keycloak
To integrate Keycloak with Windows AD, you first need a running Keycloak instance. The simplest way to do this is using Docker.
1.1 Running Keycloak in a Docker Container
docker run -d -p 8080:8080 --name keycloak \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
quay.io/keycloak/keycloak start-dev
Once the container is running, open the Keycloak admin console at http://localhost:8080/admin (start-dev serves plain HTTP on 8080; there is no TLS listener unless you configure one).
Default credentials: admin / admin, as set by KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD in the command above. Change them before exposing the instance beyond your workstation.
1.2 Creating a New Realm
A realm is an isolated space where users, roles, and clients are managed.
2. Connecting Keycloak to Windows AD
To allow authentication via Windows AD, configure Keycloak’s User Federation.
2.1 Adding an LDAP Provider
Once configured, users from AD can log in using their domain credentials.
3. Configuring OAuth2.0 in Java Microservices
Now, configure a Java microservice to validate JWT tokens issued by Keycloak.
3.1 Adding Dependencies
In pom.xml, add:
3.2 Configuring OAuth2.0 in Spring Boot
Modify application.yml to integrate with Keycloak:
3.3 Securing Endpoints with Roles
Use @PreAuthorize to control access:
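The following is an added example, not code from the original article: a Spring Boot 3 / Spring Security 6 resource-server configuration that validates Keycloak-issued JWTs (signature via the realm's JWKS, issuer and expiry) and exposes two endpoints guarded with @PreAuthorize. It assumes spring-boot-starter-web and spring-boot-starter-oauth2-resource-server are on the classpath and that application.yml sets spring.security.oauth2.resourceserver.jwt.issuer-uri to the realm URL; the realm name company-realm, the package name and the role name admin are placeholders. The custom converter is needed because Keycloak places realm roles in the realm_access.roles claim, which Spring's default converter ignores (it only reads the scope claim), so hasRole() would otherwise never match.

```java
// Added example (not from the original article). Assumes application.yml contains:
//   spring.security.oauth2.resourceserver.jwt.issuer-uri: http://localhost:8080/realms/company-realm
// Realm, package and role names are placeholders.
package com.example.secure;

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize on controller methods
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Every request must carry a bearer JWT; Spring fetches the realm's JWKS from the
            // issuer-uri and checks signature, issuer and exp before the controller runs.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(keycloakRoleConverter())));
        return http.build();
    }

    /**
     * Maps Keycloak realm roles (claim "realm_access": {"roles": [...]}) to Spring authorities
     * named ROLE_<ROLE>, so that hasRole('ADMIN') matches the Keycloak role "admin".
     * Client-specific roles live under "resource_access.<client-id>.roles" and are not mapped here.
     */
    @SuppressWarnings("unchecked")
    static Converter<Jwt, AbstractAuthenticationToken> keycloakRoleConverter() {
        return jwt -> {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            Collection<String> roles = realmAccess == null
                ? Collections.emptyList()
                : (Collection<String>) realmAccess.getOrDefault("roles", Collections.emptyList());
            List<GrantedAuthority> authorities = roles.stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
                .collect(Collectors.toList());
            // Principal name is the token subject (Keycloak user id); claims stay available via Jwt.
            return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
        };
    }
}

@RestController
class SecureController {

    // Any caller presenting a valid token for this realm.
    @GetMapping("/secure")
    Map<String, String> secure(@AuthenticationPrincipal Jwt jwt) {
        return Map.of("message", "Hello " + jwt.getClaimAsString("preferred_username"));
    }

    // Only callers whose token carries the Keycloak realm role "admin".
    @GetMapping("/admin")
    @PreAuthorize("hasRole('ADMIN')")
    Map<String, String> admin() {
        return Map.of("message", "admin only");
    }
}
```

A request without a token, or with an expired or foreign-realm token, is rejected with 401 before reaching the controller; a valid token lacking the admin role gets 403 on /admin. In a real project put the controller in its own file; it is kept here only so the example is one self-contained unit.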
4.1 Obtaining an Access Token
# start-dev serves plain HTTP on 8080 (the original used https://, which fails against the container above)
curl -X POST http://localhost:8080/realms/company-realm/protocol/openid-connect/token \
-d "client_id=myclient" -d "username=myuser" -d "password=mypassword" \
-d "grant_type=password" -d "client_secret=mysecret"
Successful response:
4.2 Accessing a Secured Endpoint
Pass the token in an API request:
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" https://localhost:8081/secure
Expected response:
5. Handling Token Expiration
Since access tokens expire, they must be refreshed periodically.
To refresh a token, send the refresh_token grant to the same token endpoint (plain HTTP for the start-dev container):
curl -X POST http://localhost:8080/realms/company-realm/protocol/openid-connect/token \
-d "grant_type=refresh_token" -d "client_id=myclient" \
-d "refresh_token=YOUR_REFRESH_TOKEN" -d "client_secret=mysecret"
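As an added example (not part of the original article), the same token and refresh calls from sections 4 and 5 written as a small Java 11+ client, so a microservice that calls another service can keep a usable token without waiting for a 401. It tracks expires_in from the token response and exchanges the refresh token slightly before the access token expires. It assumes the start-dev container on localhost:8080 (plain HTTP), Jackson on the classpath (Spring Boot provides it), and placeholder client, secret, user and realm values from the curl commands above. The password grant is used only because the article does, its direct handling of user credentials is exactly why the Authorization Code flow is preferred for interactive users.

```java
// Added example (not from the original article). Token URL, client and user values are
// placeholders matching the curl commands in the text; start-dev speaks plain HTTP.
package com.example.secure;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class KeycloakTokenClient {
    private static final String TOKEN_URL =
        "http://localhost:8080/realms/company-realm/protocol/openid-connect/token";
    private static final long REFRESH_SKEW_SECONDS = 30; // refresh this long before the real expiry

    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper();
    private final String clientId;
    private final String clientSecret;

    private String accessToken;
    private String refreshToken;
    private Instant accessExpiresAt = Instant.EPOCH;

    public KeycloakTokenClient(String clientId, String clientSecret) {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Resource Owner Password grant, equivalent to the first curl command in section 4. */
    public synchronized void login(String username, String password) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "password");
        form.put("client_id", clientId);
        form.put("client_secret", clientSecret);
        form.put("username", username);
        form.put("password", password);
        storeTokens(post(form));
    }

    /** Returns an access token that is still valid, refreshing it first when it is about to expire. */
    public synchronized String accessToken() throws IOException, InterruptedException {
        if (Instant.now().plusSeconds(REFRESH_SKEW_SECONDS).isAfter(accessExpiresAt)) {
            Map<String, String> form = new LinkedHashMap<>();
            form.put("grant_type", "refresh_token");
            form.put("client_id", clientId);
            form.put("client_secret", clientSecret);
            form.put("refresh_token", refreshToken);
            storeTokens(post(form));
        }
        return accessToken;
    }

    private void storeTokens(JsonNode body) {
        accessToken = body.get("access_token").asText();
        // Each response carries a refresh token (possibly a new one); always keep the latest.
        refreshToken = body.get("refresh_token").asText();
        accessExpiresAt = Instant.now().plusSeconds(body.get("expires_in").asLong());
    }

    private JsonNode post(Map<String, String> form) throws IOException, InterruptedException {
        String encoded = form.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(encoded))
            .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Typically 400 with error=invalid_grant once the refresh token itself has expired
            // (SSO session idle/max reached) or was revoked; the caller has to log in again.
            throw new IOException("Token endpoint returned " + resp.statusCode() + ": " + resp.body());
        }
        return json.readTree(resp.body());
    }

    public static void main(String[] args) throws Exception {
        KeycloakTokenClient client = new KeycloakTokenClient("myclient", "mysecret");
        client.login("myuser", "mypassword");
        HttpRequest req = HttpRequest.newBuilder(URI.create("http://localhost:8081/secure"))
            .header("Authorization", "Bearer " + client.accessToken())
            .build();
        System.out.println(client.http.send(req, HttpResponse.BodyHandlers.ofString()).body());
    }
}
```

Refreshing a little ahead of expiry avoids a burst of failed calls at the boundary; the skew should exceed your clock drift plus the time a request spends in flight. When the refresh itself fails with invalid_grant, the session is over and only a new login (or an interactive re-authentication) can recover, so surface that error rather than retrying in a loop.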
Conclusion
By integrating Keycloak with Windows AD, you create a centralized authentication system that enhances security and simplifies user management. Implementing OAuth2.0 ensures that Java microservices remain secure while providing seamless authentication for users.
Benefits of This Approach:
Software Engineer | Java | AWS Cloud | Spring Boot | Microservices | Kafka | REST APIs | CI/CD
1w
That's an amazing topic to talk about. I used Keycloak in 2022 and it speeds up tons of engineering effort.
Dynamic Technology Leader | Innovator in .NET Development and Cloud Solutions
1w
Useful tips
Great guide on securing microservices! Keycloak + OAuth2.0 + AD is a powerful combo for centralized authentication. Definitely a must read!
Senior React Developer | Full Stack Developer | JavaScript | TypeScript | Node.js
2w
Nice, thanks for sharing!
Full Stack Developer | HTML, CSS, JavaScript, React | Node.js | Git & GitHub | Python
2w
Great post