Authentication and Authorization using Keycloak and OAuth 2.0

Hey everyone :wave:,

If anyone is interested in how to implement user authentication and role-based authorization in a Hilla app using Keycloak and OAuth 2.0, here are two examples:

Hilla with Keycloak and the Authorization Code Flow of OAuth 2.0

When using the Authorization Code Flow, authentication takes place via a Keycloak user interface. Other authentication options, such as MFA, can be added or configured via Keycloak in this case.

Hilla with Keycloak and the Resource Owner Password Flow of OAuth 2.0

When using the Resource Owner Password Flow, authentication takes place via a Hilla user interface. In this case, you have more control over the user experience and users are not redirected to another application to log in there.

3 Likes

That’s really nice-looking documentation! One thing I’d maybe emphasize is that you can add security checks for any backend service invocations for additional hardening. That way you’re not only relying on the endpoint security.

2 Likes

I agree. That is why I mentioned it in the outlook section of each blog post.

That’s the endpoint security, yes. Once you have multiple endpoints with different security measures, though, you need to be careful that the endpoint service Java code doesn’t accidentally invoke any other services that should be restricted from the current user. You can check the current Principal’s roles before the service invocations to make sure that doesn’t happen.

4 Likes
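The point made in the post above, as an added example that is not code from the thread or from the linked blog posts: the Hilla endpoint is open to any `USER`, but the internal service it delegates to is guarded on its own, once declaratively with Spring Security's `@PreAuthorize` and once with an explicit check on the current Principal's roles, so a second endpoint (or a refactoring) cannot quietly reach the restricted service. Assumptions: a Spring Boot app with method security enabled (`@EnableMethodSecurity` on a configuration class), Keycloak roles mapped to Spring authorities with the `ROLE_` prefix, and the Hilla `@Endpoint` annotation living in `com.vaadin.hilla` (the package differs between Hilla versions). The package, class and role names are hypothetical.

```java
// Added example, not from the thread or the blog posts it links.
// Assumes Spring Security method security is enabled and Keycloak roles
// arrive as ROLE_<name> authorities; the Hilla @Endpoint package is version-dependent.
package com.example.app.security; // hypothetical package

import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

import com.vaadin.hilla.Endpoint; // older Hilla releases: dev.hilla.Endpoint
import jakarta.annotation.security.RolesAllowed;

/** Internal service that must only run for ADMIN users, whichever endpoint calls it. */
@Service
class ReportService {

    // Declarative guard: Spring evaluates the expression before the body runs, so an
    // endpoint that accidentally delegates here without the role gets AccessDeniedException.
    @PreAuthorize("hasRole('ADMIN')")
    public String exportAllUsers() {
        return "report-for-admins"; // placeholder payload
    }
}

/** Imperative check on the current Principal, as the post suggests. */
final class CurrentUser {
    private CurrentUser() {}

    /** Authorities of the caller from the security context, or an empty set if unauthenticated. */
    static Set<String> roles() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return Set.of();
        }
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    /** Fails fast before any restricted service is invoked. */
    static void requireRole(String role) {
        if (!roles().contains("ROLE_" + role)) {
            throw new AccessDeniedException("Requires role " + role);
        }
    }
}

/** Endpoint reachable by every USER; only the explicitly guarded branch reaches ReportService. */
@Endpoint
@RolesAllowed("USER")
public class DashboardEndpoint {

    private final ReportService reportService;

    public DashboardEndpoint(ReportService reportService) {
        this.reportService = reportService;
    }

    public String summary() {
        return "summary visible to every USER";
    }

    public String adminExport() {
        // Check the Principal's roles before delegating to the restricted service.
        // Even if this line were removed, ReportService's @PreAuthorize still stops a plain USER.
        CurrentUser.requireRole("ADMIN");
        return reportService.exportAllUsers();
    }
}
```

The two layers are deliberately redundant: `@RolesAllowed` on the endpoint is what Hilla enforces at the network boundary, while the guard on `ReportService` travels with the service itself, so it holds for every caller, including future endpoints and non-endpoint code paths. A regular `USER` calling `adminExport()` is rejected with `AccessDeniedException` before `exportAllUsers()` executes.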

All right, now I know what you mean :+1: Thank you for describing it again. I agree with you, of course.

1 Like

Nice implementation examples and blog posts within the security domain! Thank you for creating it! :bowing_man:

(Very detailed, thorough, with a lot of code examples within the blog post)

1 Like