Keycloak authentication and authorization between two microservices (server-to-server)

To make a microservice (ms-A) authenticated and authorized to make a request to another microservice (ms-B) secured with kc you have to properly configure spring security configuration on ms-B.
You can choose to had one or more authorities to a specific path (code 1) or leave all as is and authorize only your endpoint (code 2)

Code 1 - Spring Security


Code 2
Spring Security:


Rest Controller:


Once ms-B is configured you have to do just a couple of changes into ms-A
First of all import these maven dependencies:


Tested dependencies version:


Then before call the endpoint of ms-B you must create the keycloak object authenticated on ms-A’s client, retrieve the access token and it to request headers

Keycloak keycloak = KeycloakBuilder.builder()

AccessTokenResponse accessToken = keycloak.tokenManager().getAccessToken();

once you have an access token you can add it to request headers for example using basic RestTemplate:

RestTemplate restTemplate = new RestTemplate();

HttpHeaders headers = new HttpHeaders();
headers.set(“Authorization”, "Bearer " + accessToken.getToken());
HttpEntity httpEntity = new HttpEntity(headers);

ResponseEntity response =

The last important thing you have to do is assign the role of ms-B client to ms-A client Service Account on Keycloak

  • Open keycloak
  • Go to “Clients” and select ms-A client
  • Click on tab “Service Account Roles”
  • Choose from “Client Roles” list the ms-B client
  • Add the needed rolesPreformatted text
1 Like