Demo application landscape to show various and different kinds of user- and client authentication with Keycloak in a distributed environment with web applications and services.

It’s kind of a web shop, selling books.

Users can access the shop and the checkout, both are web apps. They have to authenticate themselves using their credentials with Keycloak and web apps using the Authorization Code Flow to get the users access token via backchannel from the Keycloak server. The shop is a Quarkus based application, using Quarkus Extensions, the checkout is a Spring Boot based application, using Spring Security and the Keycloak Spring Security Adapter.

The shop gets its products from the pim (product information management) service, also a Quarkus based service, dealing with BearerOnly token validation. The pim only accepts tokens with the role serviceAccount, which regular users doesn’t have, only the service accounts of the both web apps.

The cart service (Quarkus based) stores the products a user wants to "buy". So, it has to be accessed in the context of the user, but users can’t access it directly, that’s why the web apps (both, shop and checkout) have to propagate the users access token to the cart.

Finally, the msgBroker (Spring Boot based, using Spring Security dependencies only) service receives a message from the checkout web app, as soon a user made an order (e.g. to spread it to other consumers). Like the pim, the msgBroker is also only accessible for access tokens containing the serviceAccount role, which is again NOT the user, but the service account of the msgBroker client.

There is a public Docker image available with this distributed bookshop example. Simply pull the image from the official Docker Hub:

The configuration of the apps and services in the Docker image is aligned with the bookshop-realm.json realm JSON export available here in the repository root.

The apps and services expect Keycloak to be available under hostname/port http://keycloak:8080.