# Secure Your Spring Application: Keycloak & OAuth2 Integration and Configuration with Spring PetClinic

Video Link: [https://youtu.be/cLSTSznrg14](https://youtu.be/cLSTSznrg14)

### **Secure User Authentication and Role-Based Access Control for a Veterinary Clinic Management System**

**Business Problem:**

A veterinary clinic management system, similar to the **Spring PetClinic** application, requires secure user authentication and role-based access control (RBAC) to ensure that different users (e.g., veterinarians, pet owners, and administrators) can access the system based on their roles. The system manages sensitive information, such as medical records, owner details, and billing data, and requires the following:

1. **Authentication**: Ensure that only authenticated users can access the system.
    
2. **Authorization**: Restrict access to specific data and functionalities based on the user's role (veterinarian, owner, admin).
    
3. **Token Management**: Manage secure tokens for logged-in users to ensure efficient session handling.
    
4. **Seamless Integration**: The solution must integrate seamlessly with the existing system without significant rework.
    

The veterinary clinic seeks a scalable and secure authentication and authorization system to prevent unauthorized access and protect sensitive data.

---

### **Challenges:**

1. **Implementing Role-Based Access Control (RBAC)**: The clinic requires the ability to control which roles can access which resources. For instance:
    
    * **Veterinarians** should have access to manage pet medical records.
        
    * **Owners** should only access their pets' details.
        
    * **Administrators** should have full access to manage clinic operations.
        
2. **Seamless Integration with Existing Systems**: The clinic management system is built using **Spring Boot**, and any integration must fit within the existing architecture with minimal disruption.
    
3. **Secure Token-Based Authentication**: The system needs secure token-based authentication using industry-standard protocols (e.g., OAuth2, OpenID Connect) to provide robust security.
    
4. **Centralized User Management**: The clinic desires centralized identity management to handle user credentials, roles, and permissions efficiently. It must support **Single Sign-On (SSO)** for both web and mobile clients in the future.
    

---

### **Solution: Integration of Keycloak with Spring PetClinic**

**Keycloak** is an open-source Identity and Access Management solution that solves these authentication and authorization challenges. Keycloak provides a comprehensive framework for managing users, roles, tokens, and Single Sign-On (SSO).

We implemented **Keycloak** as the authentication and authorization provider for the Spring PetClinic application to meet the clinic’s security requirements.

Flow Diagram

```plaintext
+-------------+                     +--------------+                      +--------------+
|   Browser   | ---- Login ---->     |  Keycloak    |  ---- Redirect ----> | Spring App   |
|             | <--- Auth Token ---  |              |  <--- Token -------> |              |
+-------------+                     +--------------+                      +--------------+
```

### Prerequisites:

* Java 11 or later
    
* Maven
    
* A running Keycloak instance (you can run it locally or in Docker)
    
* The Spring PetClinic application source code (av[ailable](https://github.com/spring-projects/spring-petclinic) on [GitHub](https://github.com/spring-projects/spring-petclinic))
    

### [Ste](https://github.com/spring-projects/spring-petclinic)p 1: Set Up Ke[ycloak](https://github.com/spring-projects/spring-petclinic)

Install Keycloak:

Run the below shell script inside the Ubuntu machine to install keycloak

```plaintext
#!/bin/bash

# Objective: To install Keycloak in Ubuntu Machine
# Date: 24 SEP 2024
# Author: PRAFUL PATEL
# Web: https://www.praful.cloud
# ---------------------------------------------------------------

# Variables (modify these as per your requirements)
KEYCLOAK_VERSION="25.0.6"  # Latest stable version
KEYCLOAK_USER="keycloak"
KEYCLOAK_HOME="/opt/keycloak"
DB_USER="keycloak"
DB_PASSWORD="admin"
DB_NAME="keycloak"
ADMIN_USERNAME="admin"
ADMIN_PASSWORD="admin"

# Step 1: Update system and install required packages
echo "Updating system and installing required packages..."
sudo apt update -y
sudo apt upgrade -y
sudo apt install -y openjdk-17-jdk curl wget unzip

# Step 2: Download Keycloak
echo "Downloading Keycloak..."
wget https://github.com/keycloak/keycloak/releases/download/${KEYCLOAK_VERSION}/keycloak-${KEYCLOAK_VERSION}.zip -P /tmp

# Step 3: Install Keycloak
echo "Installing Keycloak..."
sudo unzip /tmp/keycloak-${KEYCLOAK_VERSION}.zip -d /tmp/
sudo cp -r /tmp/keycloak-${KEYCLOAK_VERSION}/* ${KEYCLOAK_HOME}/


# Step 4: Create Keycloak user and set permissions
echo "Creating Keycloak user and setting permissions..."
sudo useradd -r -d ${KEYCLOAK_HOME} -s /bin/false ${KEYCLOAK_USER}
sudo chown -R ${KEYCLOAK_USER}:${KEYCLOAK_USER} ${KEYCLOAK_HOME}
sudo chmod +x ${KEYCLOAK_HOME}/bin/kc.sh
sudo chmod -R 755 ${KEYCLOAK_HOME}

# Step 5: Set up database (Optional)
echo "Setting up PostgreSQL database..."
sudo apt install -y postgresql postgresql-contrib

sudo -u postgres psql -c "CREATE DATABASE keycloak;"
sudo -u postgres psql -c "CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASSWORD}';"
sudo -u postgres psql -c "CREATE DATABASE ${DB_NAME};"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};"
sudo -u postgres psql -c  "ALTER DATABASE keycloak OWNER TO keycloak;"


# Step 6: Configure Keycloak to use PostgreSQL
echo "Configuring Keycloak to use PostgreSQL..."
sudo tee ${KEYCLOAK_HOME}/conf/keycloak.conf <<EOF
db=postgres
db-url=jdbc:postgresql://localhost:5432/${DB_NAME}
db-username=${DB_USER}
db-password=${DB_PASSWORD}
EOF

# Step 7: Configure Keycloak as a service
echo "Configuring Keycloak as a service..."
sudo tee /etc/systemd/system/keycloak.service <<EOF
[Unit]
Description=Keycloak Server
After=network.target

[Service]
User=keycloak
Group=keycloak
Environment="JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64"
Environment="KEYCLOAK_ADMIN=admin"
Environment="KEYCLOAK_ADMIN_PASSWORD=admin"
ExecStart=/opt/keycloak/bin/kc.sh start --http-port=8081 
WorkingDirectory=/opt/keycloak
Restart=on-failure
LimitNOFILE=102642
TimeoutStopSec=120
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

EOF

# Step 8: Reload systemd, start, and enable Keycloak service
echo "Enabling and starting Keycloak service..."
sudo systemctl daemon-reload
sudo systemctl enable keycloak
sudo systemctl start keycloak

 # Start the keucloak in dev environment
sudo /opt/keycloak/bin/kc.sh start-dev --http-port=8081 --verbose


# Step 9: Display Keycloak Admin Console Information
echo "Installation complete!"
echo "Access Keycloak Admin Console at: http://localhost:8081"
echo "Admin Username: ${ADMIN_USERNAME}"
echo "Admin Password: ${ADMIN_PASSWORD}"
```

#### 1[.1 Ins](https://github.com/spring-projects/spring-petclinic)tall Keycloak (if not already installed)

You can run Keycloak [locall](https://github.com/spring-projects/spring-petclinic)y or using Docker:

```plaintext
bashCopy codedocker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:latest start-dev
```

This will start Keycloak in development mode. Access Keycloak at [`http://localhost:8080`](http://localhost:8080).

#### 1.2 Create a Realm

1. Log in to the Keycloak Admin Console (default is `admin`[`/admin`](https://github.com/spring-projects/spring-petclinic)).
    
2. Click **Add Realm** and create a realm called `spring-petclinic`.
    

#### 1.3 Create a C[lient](https://github.com/spring-projects/spring-petclinic) for Spring PetCl[inic](https://github.com/spring-projects/spring-petclinic)

1. In your `spring-petclinic` realm, navigate to **Clients** and cl[ick **Cr**](https://github.com/spring-projects/spring-petclinic)**eate**.
    
2. Set the **Client ID** to `spring-petclinic` and **Access** [**Type**](https://github.com/spring-projects/spring-petclinic) to `confidential`.
    
3. Set the **Root URL** t[o your](https://github.com/spring-projects/spring-petclinic) Spring PetClinic application’s URL, e.g., [`http://localhost:8080`](http://localhost:8080).
    
4. [Afte](https://github.com/spring-projects/spring-petclinic)r creating the client, go to the **Credentials** tab and copy the **Client** [**Secre**](https://github.com/spring-projects/spring-petclinic)**t**. You will need this for the Spring Boot application configuration.
    

#### 1.4 Create Role[s](https://github.com/spring-projects/spring-petclinic)

1. [N](https://github.com/spring-projects/spring-petclinic)avigate to **Roles** and create the following roles:
    
    * `admin`
        
    * `vet`
        
    * `owner`
        

#### 1.5 Create Users

1. Go to **Users** and create users for each role. F[or exa](https://github.com/spring-projects/spring-petclinic)mple:
    
    * `admin` [user](https://github.com/spring-projects/spring-petclinic) with the `admin` role.
        
    * `vet` user with the `vet` r[ole.](https://github.com/spring-projects/spring-petclinic)
        
    * `o`[`wner` u](https://github.com/spring-projects/spring-petclinic)s[er wit](https://github.com/spring-projects/spring-petclinic)h the [`owner`](https://github.com/spring-projects/spring-petclinic) role.
        
2. As[sign t](https://github.com/spring-projects/spring-petclinic)he corresponding role to each user in the **Role Mapping**[**s** tab.](https://github.com/spring-projects/spring-petclinic)
    

### Step 2: Configure Spring [PetCli](https://github.com/spring-projects/spring-petclinic)nic to Use Keycloak

You [need t](https://github.com/spring-projects/spring-petclinic)o modify the Spring PetClinic a[pplica](https://github.com/spring-projects/spring-petclinic)tion to authenticate with Keycloak using the **Spring Security Keycl**[**oak Ad**](https://github.com/spring-projects/spring-petclinic)**apter**.

#### 2.1 Add Keycloak Dependencies to `pom.x`[`ml`](https://github.com/spring-projects/spring-petclinic)

[In](https://github.com/spring-projects/spring-petclinic) the `pom.xml` file, add the necessary Keycloak dependencies:

```plaintext
xmlCopy code<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
    <version>21.0.1</version> <!-- Use the latest Keycloak version -->
</dependency>

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-security-adapter</artifactId>
    <version>21.0.1</version>
</dependency>
```

#### 2.2 Configure Keycloak in [`application.properties`](http://application.properties) or `application.yml`

If you use [`application.properties`](http://application.properties), add the following:

```plaintext
propertiesCopy codekeycloak.realm=spring-petclinic
keycloak.auth-server-url=http://localhost:8080
keycloak.resource=spring-petclinic
keycloak.credentials.secret=YOUR_CLIENT_SECRET
keycloak.ssl-required=none
keycloak.public-client=false
keycloak.principal-attribute=preferred_username
keycloak.bearer-only=false
```

If you use `application.yml`, add the following:

```plaintext
yamlCopy codekeycloak:
  realm: spring-petclinic
  auth-server-url: http://localhost:8080
  resource: spring-petclinic
  credentials:
    secret: YOUR_CLIENT_SECRET
  ssl-required: none
  public-client: false
  principal-attribute: preferred_username
  bearer-only: false
```

Replace `YOUR_CLIENT_SECRET` with the client secret you copied from the Keycloak client settings earlier.

#### 2.3 Configure Spring Security

Create a security configurati[on cla](https://github.com/spring-projects/spring-petclinic)ss that extends `KeycloakWebSecurityConfigurerAdapter` to secure the endpoints and map roles:

```plaintext
javaCopy codeimport org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/vets/**").hasRole("vet")
            .antMatchers("/owners/**").hasRole("owner")
            .antMatchers("/admin/**").hasRole("admin")
            .anyRequest().permitAll();
    }
}
```

### Step 3: Test the Application

1. **Start Keycloak** if it’s not already running.
    
2. **Run the Spring PetClinic Application**:
    
    ```plaintext
    ./mvnw spring-boot:run
    ```
    
3. **Access** [**the Pe**](https://github.com/spring-projects/spring-petclinic)**tClinic App**: Open a browse[r and](https://github.com/spring-projects/spring-petclinic) navigate to [`http://localhost:8080`](http://localhost:8080).
    
    * You [will](https://github.com/spring-projects/spring-petclinic) be redirected to the Keycloak login page when you try to access protected [route](https://github.com/spring-projects/spring-petclinic)s like `/vets`, `/owners`, or `/admin`.
        
    * Log in using the corresponding role-base[d user](https://github.com/spring-projects/spring-petclinic)s you created in Keycloak.
        

### Step 4: Test Authorization

* **Log in as Admin**:
    
    * Navigate to `/admin` and log in using t[he `adm`](https://github.com/spring-projects/spring-petclinic)`in` user.
        
* **Log in as Vet**:
    
    * Navigate to `/vets` and log in using the `v`[`et` use](https://github.com/spring-projects/spring-petclinic)r.
        
* **Log in as Owner**:
    
    * [Na](https://github.com/spring-projects/spring-petclinic)vigate to `/own`[`ers` an](https://github.com/spring-projects/spring-petclinic)d log in using the `owner` user.
        

### Conclusion

By [follow](https://github.com/spring-projects/spring-petclinic)ing these st[eps, y](https://github.com/spring-projects/spring-petclinic)ou have integrated Keycloak as the authenticatio[n and](https://github.com/spring-projects/spring-petclinic) authorization [provid](https://github.com/spring-projects/spring-petclinic)er for the Spring PetClinic application. The applica[tion n](https://github.com/spring-projects/spring-petclinic)ow aut[hentic](https://github.com/spring-projects/spring-petclinic)ates users via Keycloak and restricts access based on user roles.

Create Realm

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727295486621/29f41667-3975-4525-88a1-47cca651d3a7.png align="center")

Create Client

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727295776547/ae67df3f-6dd2-4258-a3b8-543f04203764.png align="center")

Create Credentials

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727295131271/248caf48-fd6b-4f0b-b66b-c293ec323f1b.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727294976324/466a8bcb-1399-4219-accb-0cbfed64e9d0.png align="center")

Copy Client Secret

J4Hl5BSJYfbOAqTYmaFHL6T0MEX

Create Role

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727296024615/90e11361-5b5d-4f0d-95cd-e7930b98e277.png align="center")

#### Create Roles

1. Navigate to **Roles** and create the following roles:
    
    * `admin`
        
    * `vet`
        
    * `owner`
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727296136256/89f2a14c-cb28-4778-bb62-3cadc146b85f.png align="center")

#### Create Users

1. Go to **Users** and create users for each role. For example:
    
    * `admin` user with the `admin` role.
        
    * `vet` user with the `vet` role.
        
    * `owner` user with the `owner` role.
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727296189961/d218c01b-ddf5-41e9-95c5-e759d65a0629.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727296251479/3966a8a8-07c1-4472-a613-e692a3fb4faa.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727296371528/4039647f-bc1a-40ad-9182-c39848a7f843.png align="center")

Role mapping

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727296418702/87f0af8b-c43b-4e44-b032-8eeda55267d3.png align="center")

Login

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727374745724/822d3d80-1c08-4367-a40e-e12cc281a8b3.png align="center")

Error

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727374777240/8765accd-29b0-4f33-a5b0-194200101851.png align="center")

To Fix this error will have to integrate token controller' in spring petclinic app

To handle the **Keycloak token** in your **Spring PetClinic** application, you need to add the token management code in the appropriate parts of the Spring Boot application based on how you want to retrieve and use the token.

Here’s where and how you should add the necessary code in the **Spring PetClinic** application:

### **Configure Security in Spring Boot**

1. **Create a New Package**:
    
    * Inside `src/main/java/org/springframework/samples/petclinic`, create a new package called `security`.
        
2. **Add the** [`SecurityConfig.java`](http://SecurityConfig.java) Class:
    
    * Inside the `security` package, create a file [`SecurityConfig.java`](http://SecurityConfig.java):
        

### Application level changes to Sprint-Petclinic Application code

Configure Security in Spring Boot

add a new package ‘security’ into java/org/springframworks/samples/petclinic  
file - [SecurityConfig.java](http://SecurityConfig.java)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727384569442/876834c5-48a0-46ff-bb2e-d8ad624fd633.png align="center")

Create a New Controller to Retrieve the Token

You can create a new controller class in your Spring PetClinic application that retrieves the Keycloak token from the current session using **Spring Security’s** `SecurityContextHolder`.

#### Steps:

* Create a new controller file in the appropriate package (usually under `org.springframework.samples.petclinic.web`).
    

#### Example: [`TokenController.java`](http://TokenController.java)

```plaintext
javaCopy codepackage org.springframework.samples.petclinic.web;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TokenController {

    // This endpoint returns the Keycloak access token for the logged-in user
    @GetMapping("/token")
    public String getToken() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        // Check if the authenticated user is an OIDC user (Keycloak)
        if (authentication.getPrincipal() instanceof OidcUser) {
            OidcUser oidcUser = (OidcUser) authentication.getPrincipal();
            String token = oidcUser.getIdToken().getTokenValue(); // Retrieve the token
            return "Token: " + token;
        }

        return "No token available";
    }
}
```

* **Where to put this file:**
    
    * This file should be placed under your **web** package, for example, in `src/main/java/org/springframework/samples/petclinic/web/`[`TokenController.java`](http://TokenController.java).
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727383079424/0177caa7-5255-43a1-8511-bdbedd292850.png align="center")

### Update application properties for keycloak and OAuth2

```plaintext
# database init, supports mysql too
database=h2
spring.sql.init.schema-locations=classpath*:db/${database}/schema.sql
spring.sql.init.data-locations=classpath*:db/${database}/data.sql

# Web
spring.thymeleaf.mode=HTML

# JPA
spring.jpa.hibernate.ddl-auto=none
spring.jpa.open-in-view=false

# Internationalization
spring.messages.basename=messages/messages

# Actuator
management.endpoints.web.exposure.include=*

# Logging
logging.level.org.springframework=INFO
# logging.level.org.springframework.web=DEBUG
# logging.level.org.springframework.context.annotation=TRACE

# Maximum time static resources should be cached
spring.web.resources.cache.cachecontrol.max-age=12h


# Keycloak config
keycloak.realm=spring-petclinic
keycloak.auth-server-url=http://localhost:8081
keycloak.resource=spring-petclinic
keycloak.credentials.secret=6HGIBPgV4yCtIvNDJFaWx110ddNNZwEg
keycloak.ssl-required=none
keycloak.public-client=false
keycloak.principal-attribute=preferred_username
keycloak.bearer-only=false
logging.level.org.springframework.security=DEBUG
logging.level.org.keycloak=DEBUG

# OAuth2 settings for Spring Security (OpenID Connect)
spring.security.oauth2.client.provider.keycloak.issuer-uri=http://localhost:8081/realms/spring-petclinic
spring.security.oauth2.client.registration.keycloak.client-id=spring-petclinic
spring.security.oauth2.client.registration.keycloak.client-secret=6HGIBPgV4yCtIvNDJFaWx110ddNNZwEg
spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
```

**Add Keycloak Dependencies to** `pom.xml`:

1. * Open the `pom.xml` file and add the following dependencies:
        
        ```plaintext
        xmlCopy code<dependencies>
          <!-- Keycloak Integration -->
          <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
            <version>21.1.1</version>
          </dependency>
        
          <!-- Spring Security -->
          <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
          </dependency>
        
          <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
          </dependency>
        
          <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
          </dependency>
        </dependencies>
        ```
        

---

---

### **Add Keycloak Configuration to** `application.yml`

Create or update the `application.yml` file to include Keycloak integration settings:

```plaintext
yamlCopy codekeycloak:
  realm: spring-petclinic
  auth-server-url: http://localhost:8080/auth
  ssl-required: external
  resource: spring-petclinic
  credentials:
    secret: YOUR_CLIENT_SECRET_HERE
  principal-attribute: preferred_username
  use-resource-role-mappings: true

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: spring-petclinic
            client-secret: YOUR_CLIENT_SECRET_HERE
            authorization-grant-type: authorization_code
            scope: openid, profile, email
        provider:
          keycloak:
            issuer-uri: http://localhost:8080/auth/realms/spring-petclinic
```

---

### **Run the Application**

1. Run the Spring PetClinic application:
    
    ```plaintext
    ./mvnw spring-boot:run
    ```
    
2. Open the application in a browser at [`http://localhost:8080`](http://localhost:8080).
    
3. Attempt to access a protected route, such as `/vets` or `/owners`. You will be redirected to the Keycloak login page.
    
4. Log in with the corresponding Keycloak user, and you will be able to access the route based on the role assigned.
    

---

### **Test Token Retrieval**

Access the `/token` endpoint to retrieve the Keycloak token:

```plaintext
curl http://localhost:8080/token
```

If authenticated, the token should be returned in the response

### Test the Spring Petclinic Application with Keycloak

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727399371800/7e4682e2-bba3-4fa6-9b76-24dceb44970e.png align="center")

Login Successful with Keycloak OAuth2

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727399263855/9a1f7f54-5c1c-4e73-ad9d-7dfa6353990b.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727399315188/6f9c5970-f07d-4107-8557-f62850a02f11.png align="center")

Verify token

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727399483900/bdb0e449-d168-4c29-8744-b9c7f58dde03.png align="center")

### **Conclusion**

Integrating **Keycloak** with the **Spring PetClinic** application successfully addressed the need for secure, role-based access control and centralized identity management. By implementing token-based authentication with role mapping, we ensured that sensitive veterinary records are protected, while allowing different user groups (vets, owners, admins) to access only the data they are authorized to manage.

This solution provides the clinic with a scalable, secure, and centralized approach to identity and access management, supporting its long-term growth and security needs.

For further details on integrating Keycloak with Spring PetClinic, visit [**praful.cloud**](https://www.praful.cloud).
