Harnessing the Power of Keycloak and Quarkus: A Comprehensive Guide

In today’s world of microservices and cloud-native applications, the need for efficient and secure Identity and Access Management (IAM) solutions is more important than ever. In this comprehensive guide, we will explore the integration of two powerful open-source technologies – Keycloak and Quarkus – and how they can work together to provide a seamless and secure user experience in modern applications.

Introduction to Keycloak and Quarkus

Overview of Keycloak

Keycloak is an open-source IAM solution developed by Red Hat that provides Single Sign-On (SSO), Identity Brokering, and Social Login capabilities out of the box. It supports various authentication and authorization protocols, such as OAuth 2.0, OpenID Connect, and SAML 2.0. Keycloak enables organizations to manage user authentication and authorization in a centralized and secure manner, simplifying the process of protecting applications and APIs.

Overview of Quarkus

Quarkus is a Kubernetes-native Java stack tailored for GraalVM and OpenJDK HotSpot, designed to optimize Java specifically for containers and enable it to become an effective platform for serverless, cloud, and Kubernetes environments. Quarkus boasts faster startup times, reduced memory footprint, and a developer-friendly environment that allows for live coding and easy integration with popular frameworks and libraries.

Setting up Keycloak and Quarkus

Installing Keycloak

To get started with Keycloak, you will first need to download and install the Keycloak server. You can obtain the latest version of Keycloak from the official website (https://www.keycloak.org/downloads). Once you have downloaded the appropriate package, follow the installation instructions for your specific operating system.

After the installation is complete, you can start the Keycloak server by executing the appropriate command for your platform. For example, on Linux, you can run the following command:

./bin/kc.sh start-dev

On Windows, you can use the following command:

.\bin\kc.bat start-dev

Once the Keycloak server is running, you can access the administration console by navigating to http://localhost:8080/auth/admin/ in your web browser.

Setting up a Quarkus Project

To create a new Quarkus project, you will need to have Java and Maven installed on your machine. You can then use the Quarkus Maven plugin to generate a new project. Run the following command in your terminal:

mvn io.quarkus:quarkus-maven-plugin:create \
-DprojectGroupId=com.example \
-DprojectArtifactId=keycloak-quarkus-app \
-DclassName=”com.example.KeycloakQuarkusResource” \

This command will create a new Quarkus project with a simple REST endpoint at the “/hello” path. Next, navigate to the project directory and start the Quarkus development server by running the following command:

./mvnw quarkus:dev 

Now that you have both Keycloak and Quarkus up and running, it’s time to integrate the two and harness their combined power to secure your applications and APIs.

Integrating Keycloak with Quarkus

Configuring Quarkus to Use Keycloak

The first step in integrating Keycloak with your Quarkus application is to configure the Quarkus security extension. Add the following dependency to your project’s pom.xml file:

After adding the dependency, you will need to configure your Quarkus application to use Keycloak as the OIDC (OpenID Connect) provider. To do this, add the following configuration to your application.properties file:

Replace myrealm, myclient, and mysecret with the appropriate values for your Keycloak realm, client, and client secret.

Defining Security Constraints in Quarkus

With the Quarkus OIDC extension configured, you can now define security constraints for your application. For example, you can secure specific endpoints or require certain roles to access specific resources.

To secure an endpoint, you can use the @RolesAllowed annotation on your resource class or method. For example:

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

public class SecuredResource {

public String getSecuredData() {
return “This is secured data.”;

In this example, only users with the “user” role will be allowed to access the /secured endpoint.

Securing RESTful APIs with Keycloak and Quarkus

Securing API Endpoints

To secure API endpoints in your Quarkus application, you can use the same @RolesAllowed annotation as shown in the previous example. This annotation can be applied at the class level or the method level to enforce role-based access control.

In addition to role-based access control, you can also use Keycloak’s fine-grained authorization features, such as policies and permissions, to secure your APIs. To enable this functionality, you will need to configure the Keycloak Authorization extension in your Quarkus application.

Using Keycloak JWT Tokens in Quarkus

When a user authenticates with Keycloak, they receive a JSON Web Token (JWT) that contains their identity information and access rights. Quarkus can automatically validate these JWT tokens and use them to enforce access control in your application.

To access the JWT token within your Quarkus application, you can inject the io.quarkus.security.identity.SecurityIdentity object into your resource class or method:

import io.quarkus.security.identity.SecurityIdentity;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

public class UserProfileResource {

SecurityIdentity identity;

public String getUserProfile() {
return “Hello, ” + identity.getPrincipal().getName();

Handling Token Expiration and Refresh

Keycloak JWT tokens have an expiration time, which is usually set to a reasonable default value. When a token expires, the client must request a new one from Keycloak using the refresh token that was provided during the initial authentication.

Quarkus can automatically handle token expiration and refresh for you, as long as you have properly configured the OIDC extension in your application.properties file. If you need to customize the token expiration or refresh behaviour, you can do so by modifying the corresponding configuration properties in your application.properties file.

Managing User Authentication and Authorization

Implementing Single Sign-On (SSO) with Keycloak and Quarkus

By integrating Keycloak with your Quarkus application, you can take advantage of Keycloak’s powerful SSO features.

Users can authenticate with a single set of credentials and gain access to multiple applications and services without needing to log in multiple times. This provides a seamless and secure user experience across your entire application ecosystem.

To implement SSO with Keycloak and Quarkus, ensure that all applications are configured to use the same Keycloak realm and client. This will allow users to authenticate once and have their session managed by Keycloak, granting access to all connected applications.

User Management with Keycloak in a Quarkus Application

Keycloak provides a centralized user management system that allows you to manage users, roles, groups, and permissions across all your applications. By integrating Keycloak with your Quarkus application, you can leverage this powerful user management system to control access to your application’s resources.

Keycloak offers a web-based administration console that enables you to manage users, roles, and groups, as well as configure authentication flows and authorization policies. You can also use Keycloak’s RESTful API to manage user data programmatically.

Fine-Grained Authorization with Keycloak and Quarkus

In addition to basic role-based access control, Keycloak also supports fine-grained authorization using policies and permissions. This allows you to define more complex access control rules based on attributes, context, or other factors.

To enable fine-grained authorization in your Quarkus application, you will need to configure the Keycloak Authorization extension. This involves adding the appropriate dependency to your pom.xml file, as well as configuring the authorization settings in your application.properties file.

Once you have configured the Keycloak Authorization extension, you can use Keycloak’s policy management features to define and enforce fine-grained access control rules in your Quarkus application.

Advanced Use Cases and Features

Customizing Keycloak Themes for a Quarkus Application

Keycloak provides a flexible theming system that allows you to customize the look and feel of the login pages, account management pages, and other user-facing components. By creating custom themes, you can ensure that your Keycloak integration matches the branding and style of your Quarkus application.

To create a custom theme, you can start by copying one of the built-in themes and modifying the HTML, CSS, and image assets as needed. You can then configure Keycloak to use your custom theme by updating the theme settings in the Keycloak administration console.

Implementing Multi-Factor Authentication (MFA) in Quarkus

Multi-factor authentication (MFA) provides an extra layer of security by requiring users to provide additional forms of verification, such as a one-time password (OTP) or a hardware token, in addition to their username and password. Keycloak supports MFA out of the box and can be easily configured to enable various MFA methods.

To enable MFA in your Quarkus application, you will need to configure the appropriate authentication flow in the Keycloak administration console. This involves adding the desired MFA methods, such as OTP or WebAuthn, to the authentication flow and configuring any required settings.

Once you have configured MFA in Keycloak, your Quarkus application will automatically enforce the additional authentication requirements for users who have enabled MFA on their accounts.

Keycloak Extensions and Add-Ons for Quarkus

Keycloak supports a wide range of extensions and add-ons that can enhance its functionality and provide additional integration options with other systems and services. Some popular Keycloak extensions that can be useful in a Quarkus application include:

  • Keycloak Identity Brokering: Allows you to connect Keycloak to external identity providers, such as social media logins or enterprise identity systems.
  • Keycloak User Storage SPI: Enables you to integrate Keycloak with custom user storage systems, such as LDAP or custom databases.
  • Keycloak Event Listener SPI: Allows you to listen for and react to specific Keycloak events, such as user login or logout, and execute custom logic or actions.

To use a Keycloak extension in your Quarkus application, you will need to follow the specific installation and configuration instructions for the extension. In most cases, this will involve adding the extension’s JAR file to your Keycloak server’s classpath and updating your Keycloak configuration to enable and configure the extension.

Monitoring and Troubleshooting Keycloak and Quarkus

Monitoring Keycloak Performance and Metrics

Monitoring the performance and health of your Keycloak server is an essential part of maintaining a secure and reliable authentication and authorization system. Keycloak provides built-in support for exposing metrics that can be used to monitor various aspects of its performance, such as the number of active sessions, the response time for authentication requests, and the rate of successful and failed logins.

To enable Keycloak metrics, you will need to configure the appropriate settings in your Keycloak server’s standalone.xml or standalone-ha.xml configuration file. Once enabled, you can use monitoring tools like Prometheus and Grafana to collect and visualize the metrics data.

Troubleshooting Quarkus Security Issues

If you encounter security issues in your Quarkus application, such as access control violations or token validation errors, it’s essential to identify the root cause and implement the appropriate fixes. Some common troubleshooting techniques include:

  • Reviewing the Quarkus and Keycloak log files for error messages or warnings related to security issues.
  • Verifying that your Quarkus application is correctly configured to use Keycloak as the OIDC provider, including the correct auth-server-url, client-id, and credentials.secret values in your application.properties file.
  • Checking your Keycloak configuration, including user roles, groups, and authorization policies, to ensure that they match the intended access control rules for your Quarkus application.
  • Using debugging tools like the Quarkus Dev UI or the Keycloak administration console to inspect the JWT tokens and access rights associated with specific users.


Integrating Keycloak and Quarkus provides a powerful and flexible solution for managing user authentication and authorization in modern cloud-native applications. By leveraging the features and capabilities of both technologies, you can create secure and scalable applications that provide a seamless and user-friendly experience.

Throughout this comprehensive guide, we’ve explored the basics of Keycloak and Quarkus, demonstrated how to set up and configure a Quarkus project to use Keycloak, and discussed various advanced use cases and features. With this knowledge, you are well-equipped to harness the combined power of Keycloak and Quarkus in your own applications and deliver secure, robust, and efficient solutions for your users and organization.