Next.js + Keycloak + Spring Boot (BFF)

Beginner-friendly authentication setup with Keycloak, NextAuth, and Spring Boot in a Backend-for-Frontend pattern. Tokens stay out of the browser for improved security.

Next.js, NextAuth, Spring Boot, Keycloak, Docker, JWT, PKCE

🔐 Next.js + Keycloak + Spring Boot (BFF)

A practical beginner’s guide to secure authentication.

  • Frontend: Next.js 15 + NextAuth (Keycloak provider, PKCE)
  • Backend: Spring Boot 3 (JWT resource server with role-based auth)
  • IdP: Keycloak 24.x
  • Pattern: Backend-for-Frontend (BFF) → browser talks only to Next.js, which proxies to Spring.

Why BFF?

  • Tokens are never exposed to the browser.
  • NextAuth stores sessions in HttpOnly cookies.
  • Next.js forwards the server-side access token to Spring.
  • Spring validates JWTs and enforces role checks.
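The forwarding step from the list above, as an added example (not code from this project), written framework-independent so it runs under plain Node. BACKEND_ORIGIN, session.accessToken and the /api/ prefix are assumptions; the session object stands in for whatever the NextAuth server-side session lookup returns.

```javascript
// Added example: framework-independent core of the BFF proxy step.
// BACKEND_ORIGIN, session.accessToken and the /api/ prefix are assumptions.
const BACKEND_ORIGIN = "http://localhost:8080"; // assumed Spring Boot address

// Browser-supplied headers that must not be passed through to Spring.
const DROP_REQUEST = new Set(["authorization", "cookie", "host", "content-length"]);
// Spring headers that must not reach the browser, plus ones made stale by re-reading the body.
const DROP_RESPONSE = new Set(["set-cookie", "www-authenticate", "authorization",
  "content-encoding", "content-length", "transfer-encoding"]);

function filterHeaders(headers, drop) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!drop.has(name.toLowerCase())) out[name.toLowerCase()] = value;
  }
  return out;
}

// Returns { status } to reject, or { url, method, headers } to forward.
function buildUpstreamRequest(incoming, session) {
  if (!session || !session.accessToken) return { status: 401 };
  const url = new URL(incoming.path, BACKEND_ORIGIN);
  // new URL() resolves "..", "//host" and absolute URLs, so check the result.
  if (url.origin !== BACKEND_ORIGIN || !url.pathname.startsWith("/api/")) {
    return { status: 404 };
  }
  const headers = filterHeaders(incoming.headers, DROP_REQUEST);
  // The token comes only from the server-side session, never from the browser.
  headers.authorization = `Bearer ${session.accessToken}`;
  return { url: url.href, method: incoming.method, headers };
}

async function proxy(incoming, session, fetchImpl = fetch) {
  const upstream = buildUpstreamRequest(incoming, session);
  if (upstream.status) return { status: upstream.status, headers: {}, body: "" };
  const res = await fetchImpl(upstream.url, {
    method: upstream.method, headers: upstream.headers, body: incoming.body,
  });
  return {
    status: res.status, // Spring's 401/403 from JWT and role checks pass through
    headers: filterHeaders(Object.fromEntries(res.headers), DROP_RESPONSE),
    body: await res.text(),
  };
}
```

In a Next.js route handler, `incoming` would be built from the request and the returned object turned into the response sent to the browser.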

Key Features

  • 🔑 Public vs protected routes in Next.js
  • 👤 User self-registration (default USER role)
  • 🛡️ Admin-only routes (/api/admin/only)
  • 🎨 Optional custom Keycloak theme
  • 🚀 Quick local dev via Docker (Keycloak + Spring Boot + Next.js)

👉 Read the full tutorial: coming soon on my site.