Securing a single REST API is a good start—but in real-world enterprise environments, you’re likely dealing with multiple microservices, user roles, and external clients. The ideal way to manage all this is with an Identity Provider like Keycloak and an API Gateway such as Spring Cloud Gateway or Kong Gateway.
In this article, we’ll go a step further and:
-
Set up Keycloak for identity and access management
-
Secure Spring Boot microservices using Keycloak + OAuth2
-
Use API Gateway to enforce SSL, route requests, and validate tokens centrally
By the end, you’ll have a production-grade security architecture for your Spring Boot apps.
Architecture Overview
Here’s how the components interact:
-
The client authenticates with Keycloak
-
Gets a JWT Access Token
-
Sends requests to API Gateway
-
Gateway validates token, routes to the correct Spring Boot service
-
Microservice trusts the gateway and verifies any additional roles/scopes
Set Up Keycloak Identity Provider
You can run Keycloak using Docker:
Access Keycloak UI at http://localhost:8081
Create Realm, Client, and Users
-
Create Realm: e.g.,
spring-boot-realm
-
Create Client: e.g.,
spring-api-client
-
Access Type:
confidential
-
Valid redirect URIs:
*
(for testing) -
Enable:
Authorization
,Standard Flow
,Direct Access Grants
-
-
Create Roles:
USER
,ADMIN
-
Create Users: Assign roles and credentials
Secure Spring Boot Microservice with Keycloak
Dependencies (pom.xml
):
application.properties
:
Security config:
Now, Spring Boot validates JWTs issued by Keycloak.
Test Keycloak Authentication and Tokens
Obtain a token with curl
:
Use the access_token
to hit the Spring Boot API:
Use Spring Cloud Gateway to Validate Tokens and Route
Create a new Spring Boot app for the gateway.
Dependencies (Spring Cloud Gateway):
application.yml
:
Enable security filter:
This configuration ensures:
-
Gateway validates the token
-
Rejects unauthorized users before forwarding to backend
-
Backend only deals with valid, pre-authenticated requests
SSL Termination at the Gateway (Optional)
You can terminate SSL at the gateway level using Spring Boot or put NGINX in front of it (as discussed earlier).
If Spring Gateway handles SSL:
Now you’ve centralized:
-
Authentication
-
Routing
-
Token validation
-
SSL
in the API gateway.
Conclusion
Securing modern microservices goes beyond encrypting traffic with SSL—it requires authentication, authorization, and centralized management. With this architecture, we’ve combined several powerful technologies:
-
Keycloak for federated identity and OAuth2 token issuance
-
Spring Boot for REST microservices secured by JWT
-
Spring Cloud Gateway for API routing, HTTPS, and centralized token validation
This setup offers multiple advantages:
✅ Centralized token validation and routing
✅ Fine-grained role-based access in microservices
✅ SSL termination handled securely in one place
✅ Scalable and modular—easy to plug in rate limiting, CORS, and logging
✅ Dev/prod ready—swap Keycloak with any OAuth2 provider (Auth0, Okta, etc.)
This architecture lays the foundation for secure, cloud-native applications that are resilient, modular, and compliant with modern standards. You can further extend it by:
-
Adding refresh token support in frontend apps
-
Enabling audit logging and request tracing
-
Integrating with Kubernetes Ingress for autoscaling
-
Using Let’s Encrypt for automated SSL certificate renewal
By following these practices, you lay the foundation for secure communication, reduce the risk of data breaches, and instill confidence in your API consumers. Security is never optional, and integrating SSL with Spring Boot is an investment in the long-term integrity and credibility of your applications.