How to configure Thorntail 2.5.0.Final to authorize users with JWT token from Keycloak?

I have problems authorizing users via Bearer TOKEN that I receive from Keycloak.

The task is to authorize user requests that come from an Angular application to my back-end Thorntail 2.5.0.Final micro-service. I have the front-end part covered and the application appends Authorization: Bearer {TOKEN} to every request to my service.

I have tried following these 2 guides:

with Thorntail microprofile and keycloak-microprofile-jwt fractions, but none of them seem to work.

    @Inject
    @ConfigProperty(name = "message")
    private String message;

    // Injected MP-JWT principal; getRawToken() came back null in the response below
    @Inject
    private JsonWebToken callerPrincipal;

    @ApiOperation(value = "Pridobi uporabnike", notes = "Pridobi vse uporabnike iz baze.", response = Uporabnik.class)
    public Response getUsers() {
        return Response.ok(callerPrincipal.getRawToken() + " is allowed to read message: " + message).build();
    }

and got the following response

null is allowed to read message: Very Secure 42!

The second thing I tried was adding the keycloak fraction and sending the token via the header, following this example

I added the resources/keycloak.json

    {
      "realm": "Intra",
      "auth-server-url": "",
      "ssl-required": "external",
      "resource": "prenosOSBE",
      "verify-token-audience": true,
      "credentials": {
        "secret": "e9709793-9333-40a7-bb95-2026ad98b568"
      },
      "use-resource-role-mappings": true,
      "confidential-port": 0
    }

and the from the example.
If I try to make a call to my endpoint I get 401 Unauthorized or 403 Forbidden if I don’t send a token with my request.

So what I want to know is which fraction is meant to be used if my task is to authorize users via Bearer token on my Thorntail microservice?

microprofile-jwt, keycloak-microprofile-jwt or keycloak and what is the minimal required configuration for it to work?

Comment from Jason:

The keycloak fraction is the Keycloak adapter for WildFly per It lets you use the common security mechanisms from Java EE (<security-constraint>s in web.xml etc.). You can see an example here:

The microprofile-jwt lets you use bare MicroProfile JWT (that is, @RolesAllowed on JAX-RS resources, etc.). You have to configure the expected issuer, its public key etc., as described in MP JWT documentation. You can see an example here:

The keycloak-microprofile-jwt is a bit of a mix. It doesn’t expose the Keycloak adapter, but uses it internally to validate tokens issued by Keycloak, and exposes the tokens…
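The following added example is not part of the question or of the comment above, and it is not Keycloak's or Thorntail's code. It shows the checks that the settings in the question's keycloak.json imply for a bearer token: RS256 signature against the realm key, an issuer of the form {auth-server-url}/realms/{realm}, expiry, the client id in aud (verify-token-audience), and client-level roles (use-resource-role-mappings). The server URL https://keycloak.example/auth, the names cfg, mint and checkBearer, and the sample tokens are assumptions made for the illustration.

```javascript
// Checks a resource server applies to a Keycloak bearer token.
const crypto = require("crypto");

// Mirrors the keycloak.json above; authServerUrl is a placeholder (assumption).
const cfg = {
  authServerUrl: "https://keycloak.example/auth",
  realm: "Intra",
  resource: "prenosOSBE",
  verifyTokenAudience: true,
  useResourceRoleMappings: true,
};
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fail = (reason) => ({ ok: false, reason, roles: [] });

// Helper for constructed sample tokens: RS256-sign claims with a throwaway key.
function mint(claims, privateKey) {
  const input = `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}`;
  const sig = crypto.sign("sha256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// realmPublicKey: the realm's RSA public key, obtained out of band.
function checkBearer(authorization, realmPublicKey, now = Date.now() / 1000) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorization || "");
  if (!m) return fail("missing or malformed bearer token");
  const [, h, p, s] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(p, "base64url").toString());
  } catch {
    return fail("undecodable token");
  }
  // Pin the algorithm instead of trusting the token header to choose it.
  if (header?.alg !== "RS256") return fail("unexpected alg");
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify("sha256", signed, realmPublicKey, Buffer.from(s, "base64url")))
    return fail("bad signature");
  const issuer = `${cfg.authServerUrl}/realms/${cfg.realm}`;
  if (claims?.iss !== issuer) return fail("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp <= now) return fail("expired");
  // verify-token-audience: the client id ("resource") must appear in aud.
  const aud = [].concat(claims.aud || []);
  if (cfg.verifyTokenAudience && !aud.includes(cfg.resource)) return fail("audience mismatch");
  // use-resource-role-mappings: client roles, not realm roles, are used.
  const roles = cfg.useResourceRoleMappings
    ? claims.resource_access?.[cfg.resource]?.roles || []
    : claims.realm_access?.roles || [];
  return { ok: true, reason: null, roles };
}
```

A token whose aud lacks prenosOSBE is rejected with "audience mismatch" even though its signature and issuer are valid, which is the case to rule out when a valid-looking token is refused with verify-token-audience enabled.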