Keycloak client secret and spring boot docker compose

Question

I have a Spring Boot app that uses keycloak for auth.

On deployment, all services including app, keycloak, db are started by a single docker-compose --profile=prod up where an external configuration is passed.

Up to here, everything works as expected.

However, the keycloak client "Access Type" currently is public, and should be changed to confidential. Then a secret needs to be passed to the requests. This can be obtained from Client-> Credentials, where the secret string can be copied or regenerated.

This string can then be copied in the application.yml or application.properties of spring boot app, as below, and everything works as expected.

keycloak:
  auth-server-url: http://localhost:8080/auth
  realm: qwerty
  resource: login-app
  ssl-required: external
  bearer-only: true
  use-resource-role-mappings: true
  credentials:
    secret: FyQjmAJclqqcLD22szwca1aEskSpqUPr

However, this required the start of keycloak service first, then get the secret, then copy it on the source code of app, build the app, start it.

So this breaks the "one click" deployment that is done in docker-compose....

From what I saw, you cant have a predefined string for secret and pass it on the realm when importing configuration or something.

Am I missing something? what would you suggest?

Answer 1

After some time we found the answer; we realized its possible to provision the secret on the realm export json. It is as below:

  "id": "sad978adsf6sdfadfs",
  "clientId": "app",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "someverysecret",
  "redirectUris": [
    "*"
  ],

Whole process

1. set a secret
2. Export realm, secret will hidden like "secret": "*********",
3. Replace the **** with your specified secret eg someverysecret
4. reprovision realm. Now at keycloak admin screen the value will be "someverysecret" which will be grayed out