The goal of this project is to secure movies-app using Keycloak(with PKCE). movies-app consists of two applications: one is a Spring Boot Rest API called movies-api and another is a ReactJS application called movies-ui.

Project diagram



  • movies-api

    Spring Boot Web Java backend application that exposes a Rest API to manage movies. Its secured endpoints can just be accessed if an access token (JWT) issued by Keycloak is provided.

    movies-api stores its data in a Mongo database.

    movie-api has the following endpoints

    Endpoint Secured Roles
    GET /api/userextras/me Yes MOVIES_MANAGER and USER
    POST /api/userextras/me -d {avatar} Yes MOVIES_MANAGER and USER
    GET /api/movies No
    GET /api/movies/{imdbId} No
    POST /api/movies -d {"imdb","title","director","year","poster"} Yes MOVIES_MANAGER
    DELETE /api/movies/{imdbId} Yes MANAGE_MOVIES
    POST /api/movies/{imdbId}/comments -d {"text"} Yes MOVIES_MANAGER and USER
  • movies-ui

    ReactJS frontend application where users can see and comment movies and admins can manage movies. In order to access the application, user / admin must login using his/her username and password. Those credentials are handled by Keycloak. All the requests coming from movies-ui to secured endpoints in movies-api have a access token (JWT) that is generated when user / admin logs in.

    movies-ui uses Semantic UI React as CSS-styled framework.


  • Java 11+

  • npm

  • Docker

  • Docker-Compose

  • jq


    To use the Wizard option to search and add a movie, you need to get an API KEY from OMDb API. In order to do it, access and follow the steps provided by the website.

    Once you have the API KEY, create a file called .env.local in springboot-react-keycloak/movies-ui folder with the following content



As Keycloak supports PKCE (Proof Key for Code Exchange) since version 7.0.0, we are using it in this project.

Start environment

  • In a terminal and inside springboot-react-keycloak root folder run

    docker-compose up -d
  • Wait a little bit until all containers are Up (healthy). You can check their status running

    docker-compose ps

Running movies-app using Maven & Npm

  • movies-api

    • Open a terminal and navigate to springboot-react-keycloak/movies-api folder

    • Run the following Maven command to start the application

      ./mvnw clean spring-boot:run"-Dserver.port=9080"

      Once the startup finishes, class will run and initialize company-services realm in Keycloak. Basically, it will create:

      • Realm: company-services
      • Client: movies-app
      • Client Roles: MOVIES_MANAGER and USER
      • Two users
        • admin: with roles MANAGE_MOVIES and USER
        • user: only with role USER
    • Social Identity Providers like Google, Facebook, Twitter, GitHub, etc can be configured by following the steps described in Keycloak Documentation

  • movies-ui

    • Open another terminal and navigate to springboot-react-keycloak/movies-ui folder

    • Run the command below if you are running the application for the first time

      npm install
    • Run the npm command below to start the application

      npm start

Applications URLs

Application URL Credentials
movie-api http://localhost:9080/swagger-ui.html Access Token
movie-ui http://localhost:3000 admin/admin or user/user
Keycloak http://localhost:8080/auth/admin/ admin/admin


  • The gif below shows an admin logging in and adding one movie using the wizard feature


  • The gif below shows a user logging in using his Github account; then he changes his avatar and comment a movie


Testing movies-api endpoints

You can manage movies by accessing directly movies-api endpoints using the Swagger website or curl. However, for the secured endpoints like POST /api/movies, PUT /api/movies/{id}, DELETE /api/movies/{id}, etc, you need to inform an access token issued by Keycloak.

Getting Access Token

  • Open a terminal

  • Run the following commands to get the access token

    ACCESS_TOKEN="$(curl -s -X POST \
      "http://localhost:8080/auth/realms/company-services/protocol/openid-connect/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "username=admin" \
      -d "password=admin" \
      -d "grant_type=password" \
      -d "client_id=movies-app" | jq -r .access_token)"
    echo $ACCESS_TOKEN

Calling movies-api endpoints using curl

  • Trying to add a movie without access token

    curl -i -X POST "http://localhost:9080/api/movies" \
      -H "Content-Type: application/json" \
      -d '{ "imdbId": "tt5580036", "title": "I, Tonya", "director": "Craig Gillespie", "year": 2017, "poster": ""}'

    It should return

    HTTP/1.1 302

    Here, the application is trying to redirect the request to an authentication link.

  • Trying again to add a movie, now with access token (obtained at #getting-access-token)

    curl -i -X POST "http://localhost:9080/api/movies" \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{ "imdbId": "tt5580036", "title": "I, Tonya", "director": "Craig Gillespie", "year": 2017, "poster": ""}'

    It should return

    HTTP/1.1 201
      "imdbId": "tt5580036",
      "title": "I, Tonya",
      "director": "Craig Gillespie",
      "year": "2017",
      "poster": ""
  • Getting the list of movies. This endpoint does not requires access token

    curl -i http://localhost:9080/api/movies

    It should return

    HTTP/1.1 200
        "imdbId": "tt5580036",
        "title": "I, Tonya",
        "director": "Craig Gillespie",
        "year": "2017",
        "poster": ""

Calling movies-api endpoints using Swagger

  • Access movies-api Swagger website, http://localhost:9080/swagger-ui.html

  • Click on Authorize button.

  • In the form that opens, paste the access token (obtained at getting-access-token) in the Value field. Then, click on Authorize and on Close to finalize.

  • Done! You can now access the secured endpoints


  • Go to movies-api and movies-ui terminals and press Ctrl+C on each one

  • To stop and remove docker-compose containers, networks and volumes, run the command below in springboot-react-keycloak root folder

    docker-compose down -v

Useful Commands

  • MongoDB

    List all movies

    docker exec -it mongodb mongo
    use moviesdb

    Type exit to get out of MongoDB shell

How to upgrade movies-ui dependencies to latest version

  • In a terminal, make sure you are in springboot-react-keycloak/movies-ui folder

  • Run the following commands

    npm i -g npm-check-updates
    ncu -u
    npm install


