Demo application landscape to show various and different kinds of user- and client authentication with Keycloak in a distributed environment with web applications and services.

It’s kind of a web shop, selling books.

Users can access the shop and the checkout, both are web apps. They have to authenticate themselves using their credentials with Keycloak and web apps using the Authorization Code Flow to get the users access token via code-to-token exchange from the Keycloak server (using backchannel in shop app). The shop is a Quarkus based application, using Quarkus Extensions, the checkout is a React.JS based application, using the keycloak-js JavaScript Adapter.

The shop gets its products from the pim (product information management) service, also a Quarkus based service, dealing with BearerOnly token validation. The pim only accepts tokens with the role serviceAccount, which regular users doesn’t have, only the service account of the shop web apps.

The cart service (Quarkus based) stores the products a user wants to "buy". So, it has to be accessed in the context of the user, but users can’t access it directly, that’s why the web apps (both, shop and checkout) have to propagate the users access token to the cart.

There is a public Docker image available with this distributed bookshop example. Simply pull the image from the official Docker Hub:

The configuration of the apps and services in the Docker image is aligned with the bookshop-realm.json realm JSON export available here in the repository root.

The apps and services expect Keycloak to be available under hostname/port http://keycloak:8080.