Essential Keycloak Adapter Settings for Spring Security Integration
This article outlines the most commonly used Keycloak adapter configuration properties for Spring Security integration, explaining each setting such as realm, resource, auth-server-url, SSL requirements, CORS, bearer-only mode, and client credentials, and provides guidance on when and how to apply them.
Common Keycloak Adapter Properties
When integrating Keycloak with Spring Security, several additional configuration properties are required. These are typically placed in the Spring Boot configuration file.
realm
Keycloak realm name – a mandatory field.
resource
The client_id of the application, which is a unique identifier registered on the Keycloak server. This is required.
realm-public-key
The realm public key in PEM format. It is not recommended to configure this on the client because the Keycloak adapter automatically retrieves it.
auth-server-url
The base URL of the Keycloak server, usually in the form https://host:port/auth. This is required.
ssl-required
Specifies the HTTPS requirement for communication with the Keycloak server. Options are: external (default) – requests from external (non-private) addresses must use HTTPS; all – all requests must use HTTPS; none – HTTPS is not enforced for any request.
confidential-port
The secure port of the Keycloak server, defaulting to 8443.
use-resource-role-mappings
If set to true, the adapter takes the user's roles from the token's client-level (resource) role mappings for this client; otherwise it uses the realm-level role mappings. Default is false.
public-client
When true, no client secret is required; otherwise the keycloak.credentials.secret must be configured. The secret is generated by setting the client’s access type to confidential in the Keycloak console.
enable-cors
Enables CORS support. Default is false. Setting it to true activates the cors- prefixed configuration items.
bearer-only
For services, set to true so the adapter validates bearer tokens without attempting user authentication. If a request lacks a bearer token, a 401 response is returned. Default is false.
autodetect-bearer-only
When the application serves both web pages and API services, enabling this makes Keycloak intelligently decide whether to redirect unauthenticated users to a login page or return 401, based on the request type.
enable-basic-auth
Enables Basic Authentication for the adapter; a secret must be provided. Default is false.
expose-token
When true, an authenticated JavaScript client can obtain the signed access token via the /k_query_bearer_token endpoint (a CORS request), commonly used when a Node.js back-end needs the token. Default is false.
credentials
When the client's access type is confidential, a client credential is required. Supported types are secret and jwt. See the description of public-client for details.
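As an added example (not code from the article or from the Keycloak project), here is a Spring Boot application.yml that applies these properties to two deployment shapes: a bearer-only back-end API and a mixed web-plus-API application. The realm name, client id, server URL, allowed origin and the KEYCLOAK_CLIENT_SECRET environment variable are placeholders.

```yaml
# Added example: Keycloak Spring Security adapter settings in application.yml.
# All names and URLs below are placeholders; replace them for your deployment.

# --- Profile "api": a pure REST service that only validates bearer tokens ---
spring:
  config:
    activate:
      on-profile: api
keycloak:
  realm: demo-realm                      # placeholder realm name (required)
  resource: orders-api                   # placeholder client_id (required)
  auth-server-url: https://keycloak.example.com/auth   # placeholder (required)
  ssl-required: external                 # keep the default; 'none' only for local dev
  bearer-only: true                      # no login redirect: missing/invalid token -> 401
  use-resource-role-mappings: true       # authorize on client-level roles carried in the token
  public-client: false                   # confidential client, so a secret is required
  credentials:
    secret: ${KEYCLOAK_CLIENT_SECRET}    # injected from the environment, never committed
  # realm-public-key is deliberately omitted: the adapter fetches it from the server.

---
# --- Profile "web": serves pages for browsers and an API for scripts ---
spring:
  config:
    activate:
      on-profile: web
keycloak:
  realm: demo-realm
  resource: storefront
  auth-server-url: https://keycloak.example.com/auth
  ssl-required: external
  autodetect-bearer-only: true           # browsers get a login redirect, API callers get 401
  public-client: false
  credentials:
    secret: ${KEYCLOAK_CLIENT_SECRET}
  enable-cors: true                      # activates the cors- prefixed settings below
  cors-allowed-origins: https://app.example.com   # placeholder; never use '*' with credentials
  cors-allowed-methods: GET,POST
```

Start the service with the matching profile (for example `--spring.profiles.active=api`) so only one keycloak block is loaded; the `---` separator and `spring.config.activate.on-profile` key are Spring Boot 2.4+ multi-document syntax.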
Summary
The above list covers most of the frequently used Keycloak adapter properties. Additional properties and advanced customizations are documented in the official Keycloak Java adapter reference.
Reference
[1] Keycloak Java Adapter Configuration: https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"