Thanks, bro. This is probably the best video on the subject that I've come across recently. You're good at explaining things. I'd like to see another video on how to perform user registration through REST API and Keycloak. PS and, yeah, it would be great to watch a good video about OAuth and Spring Security REST API. I know you had something similar, but without the REST API."
It is very nice and in-depth explanation. I really appreciate and learn a lot from it. However, the end of the video the converter implementation really makes Spring Security a difficult, confusing, and even if you understand in depth, super ugly framework to work with.
Those following this video, pls disable all the required actions in Configure -> Authentication -> Required actions tab. Applicable for keycloak 24.0.5.
@@BoualiAlii want to implement authorization for angular, but of course angular cannot set the authorization. it should be public access. but how to granularly define which path in angular, assosiiate with which permission in keycloak, and how to actually implement this?
Hi there, great content! Just a quick question is it correct to say principle or principal? As I think we are referring to the request initiator which in this case would be a principal, but we refer to it as principle. Is this a typo or that's how it is supposed to be? Keep up the good work :)
@@BoualiAli For example the field principleAttribute, shouldn’t that be principalAttribute? I don’t get what are you referring to when you say principle? Just needed to clarify this :)
Dear Alibou, I have question about JWT converter, how i can claim user attributes from user details in keycloak and i want use this claims for my controller or service? sorry for my grammar i still learning english. I hope you understand what i mean. Thank you Mr. Alibou great video
Is there any point on assigning client_admin role when we have already assigned the realm admin role with is a composite role associated with the client_admin? Shouldn't it be included in the realm admin role
I still get 403 Forbidden and also see this in postman :Bearer error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."
I I put @Controller annotation and I am redirecting JSP pages according to the role based ,when I hit endpoint requests ,the access token generated is not being sent with the request how to do it,with postman it is working properly ,because we are giving request with the newly generated access token .what to do,how to do with browser help me
Those who received "invalid_grant, Account is not fully set up" error, please mention the user's firstname, lastname, and email even though they are not marked mandatory.
For those who get this in postman (minute 30:34) { "error": "invalid_grant", "error_description": "Account is not fully set up" } What worked for me was: setting the email, firstname and lastname for the user.
Dear alibou, I wanted to take a moment to say thank you for your amazing tutorial video on RU-vid about Keycloak and its implementation in Spring Boot. Your video was incredibly helpful and easy to understand. I really appreciate how you explained the concepts of Keycloak and showed how it can be integrated with Spring Boot. Your explanations were clear and straightforward, making it easy for me to follow along. If possible, it would be great if you could create a video tutorial specifically focusing on the authentication flow. This would greatly enhance our understanding of the topic. Additionally, I would love to see a video tutorial on debugging in IntelliJ IDEA. As a beginner developer, learning effective debugging techniques is crucial, and I believe your guidance would be highly beneficial. Thank you once again for creating such valuable educational content. Your videos have significantly improved my understanding of Keycloak and Spring Boot, and I eagerly look forward to watching more of your tutorials in the future. Best regards, ArefSa
Now, the question is, how the heck you integrate it with the actual frontend??, I mean, I usually use SpringSecurity with JWT so what I do is I implement a service for the user to actually login which will return a minimal dataset about the user (like the name, the avatar, etc) and also the generated authentication Bearer token, so from ther on, the front end will have to attach that Bearer token to the header any time it wants to consume a service from my backend. Here I'm missing that last part, how does the frontend tell the backend it is authenticated?
I am receiving this error:{ "error": "invalid_grant", "error_description": "Account is not fully set up" } I have the same setup with you. I googled it and didnot solve this problem:(
Hi Ali, I am developing an application using Keycloak and Spring Boot. I have implemented OTP login and Google Sign-In, but there is an issue. If a user has previously logged in with OTP and then tries to log in with Google using the same email, I get a "user already exists" error (federated identity account exists). In this case, I want the accounts to be merged. In other words, the user should be able to log in using both OTP and Google Sign-In with the same email. Could you help me with this?
With quarkus you don't need to write this bunch of classes and settings, just use a single @ROLES notation. Spring still has a lot to evolve compared to other frameworks. Actually what saved Spring was the Graal VM
Hey hi @boualiAli i have implemented the keyCloak integration with spring boot 3 but in case of invalid or expired token it is not throwing any exception can you please help me
Hey thanks for the tutorial, I am new to this so have a few questions.. 1. Instead of appending Role in code can't we just do it in keycloak itself. 2. Can we use some kind of pattern matching like antmatcher and assign roles for endpoints instead of using preauthorize on each endpoint?.. it might become repetitive as endpoints increase to double digits.
Happy you liked it! 1- yes it is possible but you need to configure your spring app to remove the prefix (ROLE_) 2- yes you can do that, check the roles and permissions video and you will have a clearer picture how to implement it
I'm a Java fresher, and this time I want to work on a personal project involving Spring Security combined with JWT and OAuth2. I have watched many of your tutorial videos, and I must say they have been extremely helpful to me. Thank you for all the knowledge you have provided.
The check if the resouceId is null does not work the user can still access onsecured endpoint even when he is not authorized for this backend application
Thanks you so Much for this content, but I found that’s so confusing when you talk so much and you read everything on the screen, you don’t give us some quite time to think and understand.
I finally watched a video that really helped me! Thank you for that! I would like to know how to make it possible to use Keycloak in both the back-end (Java + Spring) and the front-end with React.👏👏👏👏
Hi, thanks for the video! I have a question (maybe someone already found an answer): I tried to just create a new role ROLE_test_admin, and got 403, I guess it was because of principal, but why... What I'm trying to understand why we need to read "preferred_username" instead of "sub"?
That's very strange, but the problem is not in principal "preferred_name" or "sub". "JwtAuthenticationConverter" simply doesn't get "resource_access....roles". It only checks Arrays.asList("scope", "scp"); That's the reason... why...
Hello @BoualiAli thank you for taking your time to provide such detail tutorial on keycloak. I'm having issue logging in my user on postman. I've followed your steps but I keep getting this response: `{ "error": "invalid_grant", "error_description": "Account is not fully set up" }` I'd like your advice on this. Thank you.
Hi Bouali, frist of all thank you for the video! I have to implement a similar project trough keycloak. I' using java 21 and spring boot 3.2.0, and I have to use a JWT bearer instead of a Bearer Token. Is it possibile? It's good idea using this application such base for trying to update my project?
If I create a role with "ROLE_user" as the role for the user then I don't have to worry about the 403 forbidden error and also I don't have to write the extra configuration for it ? to modify the roles from "user" to "ROLE_user" ?
I love your videos, this was really helpful to understand keycloak, but i would love to see if its possible to make a controller that gets the user credentials and with those credentials to make the request to the keycloak for the authentication if you have any tip on this it would be helful. Thanks again for the hard work !
Happy you liked it. if you need such functionality, you just need to invoke the same endpoint I used in postman and pass the required body with the correct values and you will get the token
@@BoualiAli I tried that way and managed to make it work now i skipped the "/authentication" url so it can be accessed without Authorization header. And when i make a new request i pass the new token that i got from authentication to the request so Keycloak can make the check if the user is authenticated and has the right role to access the resources. Thanks again for help !
at 30:45 if any one facing the following error ``` { "error": "unauthorized_client", "error_description": "Invalid client or Invalid client credentials" } ``` also include client_secret as a parameter, the value can be find in your realm -> clients -> credentials -> Client Secret.
Amazing video Bouali. One question: How could I register new users in frontend with keycloak using Angular with springboot? in my frontend in a login form, first I check if the credencials is ok, if it is ok, I return the token for user be able to make request, is it right? Thanks
Great Video. It really helped me while migrating things over. There are some upgrades missing in your github. Let me know if I can contribute anything and make it complient as per latest spring boot version.
thank you for the content. can you demonstrate how to automatically refresh the token once expired without having the user to login again (when microservice1 calls microservice2 for example) ?
Hello, Your tutorial is very good. Can you make a tutorial in which, in addition to Keycloak 21 and Spring Boot 3, Angular 16 is also integrated? There are few tutorials that integrate Keycloak, Spring Boot and Angular, and if there are, they are old because Keycloak has changed a lot in the meantime and many things are no longer the same. Thank you!
Happy you liked it I'm working on a full angular video and it will be released soon. After that I will create another one for keycloak integration with Angular too
well explained video ❤ Could you please make a video where we are implementing social login and own jwt authentication in a single spring boot application.
@@BoualiAli Thank you and I also requested you to make a video where linkedin and twitter is act as a social media platform for oauth2 login instead of google and github with spring boot
Hi, thanks for the video! I am wondering, can i use this guide for microservice architecture? If so, each microservice should have this spring security impl, or can i build my project in a different way, for example using security only for gateway and adding some general security to another microservices?
Thanks for this awesome tutorial. However, I am following your steps but when trying to retrieve a token I keep getting "error": "invalid_grant", "error_description": "Account is not fully set up". I've been trying for 2 hours to figure it out but can't wrap my head around this. Any help is appreciated.
Congratulations, I wanted to use Keycloak to help me implement the project, I followed your steps and it's working, very good, now the question I have left is how I can validate the expiration of the jwt token, any ideas.
Dear Alibou, I want to express my gratitude for you taking time to create a so detailed and rich explanation on how to integrate KeyCloak in Java Spring Boot. Many thanks!
Using Spring boot 3.0.7 your server is not running. Suggested action: "Consider defining a bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' in your configuration."
Hi, thank you for the great video. I learned a lot and now I know how to build my web service safely. Thanks a lot for that! However, I still have one question: how do I get good tests written for it now? I follow the "test first" approach and of course my tests pop and don't work anymore. It doesn't work at all, because a token is missing to call the API. Can you say something about this, share a link or make a video?
I have a question. On your step cal to postman get token, I can see you don't have client_sercret, but the token still return. I follow you on my website, it return error: { "error": "unauthorized_client", "error_description": "Client secret not provided in request" } That mean I missing client_sercret, please elaborate it. Thanks so much
Hi, Thanks for the video. I would like to point out something about the role settings. Perhaps you need to make it a bit clearer that point. It seems we are defining users for the REALM. We can define Roles for a Realm as well. So any user that is defined under a particular realm can be associated with any role that is created within the same realm. For global permissions roles such as ADMIN, USER, MANAGER etc, may be handled by this realm role definition. Probably for fine-grain authorization within a client, we may need extra role definitions under a particular client such as USER(read but not write), ADMIN(data posting, updating etc).
Thank you very much for this video. I was searching for a good tutorial for a long time, but most tutorials just throw some random code and config in your face, without any explanation. Mostly this does not really work and you have got no change to understand what you are doing and what is going wrong. This one is very different and I got a better understanding what is happening and I have got the feeling to start over by myself.
So, you don't need any keycloak dependencies in POM? Spring security is abstracting it? Also how to make rest api accept any of two tokens , one from keycloak and another one from diff auth server?
Hi, thanks for your video! I have a question about the flow of a real application. Does my frontend connect directly to Keycloak for authentication, or does it go through my backend, which then connects to Keycloak for authentication?
@@BoualiAli Hi, does your angular video show the securing of the angular app by keycloak and that the angular app is supported by a spring boot 3 resource server backend?
Hi Ali, first of all I want to thank you for this very detailed and well-explained guide, it really helped me have a clearer idea on how keycloak integration works in spring boot, but I really want to ask for help on this minor problem, i'm still getting 403 forbidden when even after adding the role
Thank you for this awesome content. Pls can you make a video for multiple implementation of UserDetaisService, so that the system can use multiple table for authenticating user depending on the Login endpoint. Thank you
Happy you liked it The question that you really need to ask: why you have such system design? I guess you need to review you database design and group all the users in one table. Please provide more details and I will try to answer and assist you
i would like to say thanks a lot. it was a great and wonderful tutorial , just I want to ask you if exist any coupon code for {Devenir FullStack Spring boot / Angular par la pratique}
Thank you for this video, but I would like to know how to create users linked to the application. For example, if the application includes a sign-up option, how do I link this registered user to Keycloak?