🔐 Securing Backend APIs like a Pro!

Recently, I explored and implemented Spring Security with JWT Authentication to secure my backend APIs. While building my project, I realized that writing APIs is just one part — securing them is what truly makes them production-ready.

Here’s what I worked on:
✅ Implemented authentication using JWT (JSON Web Tokens)
✅ Secured REST APIs with Spring Security
✅ Built custom authentication filters
✅ Managed roles and authorities for authorization
✅ Ensured stateless session handling

💡 This experience helped me understand how real-world applications handle user authentication, authorization, and API protection. Now, my backend is not just functional — it’s secure, scalable, and closer to industry standards.

🔗 GitHub Repository: https://lnkd.in/dj-fivea
📘 Learn more about JWT: https://www.jwt.io/

📌 Next, I’m planning to dive deeper into:
• OAuth 2.0
• Role-based access control (RBAC)
• Microservices security

If you’ve worked with Spring Security or JWT, I’d love to hear your insights!

#Java #SpringBoot #SpringSecurity #JWT #BackendDevelopment #WebDevelopment #LearningJourney #SoftwareEngineering
Aniket Yelameli’s Post
More Relevant Posts
Understanding Keycloak Tokens — The Backbone of Secure Authentication

When working with Keycloak, developers often encounter confusion regarding the different types of tokens it issues and their specific use cases. After successful authentication, Keycloak provides three primary tokens, each serving a distinct purpose:

- Access Token (JWT)
  - Used for authorization
  - Sent in API requests ("Authorization: Bearer <token>")
  - Contains roles, permissions, and scopes
  - Short-lived for better security
- ID Token (JWT)
  - Used for authentication (user identity)
  - Contains user details (name, email, username)
  - Used by frontend/client apps
  - Not meant for securing APIs
- Refresh Token
  - Used for session continuity
  - Generates new access tokens without re-login
  - Long-lived compared to access token
  - Must be stored securely (avoid localStorage)

How they work together:
1. User logs in via Keycloak
2. Tokens are issued
3. Access Token is used for API calls
4. When expired, the Refresh Token generates a new one
5. User stays logged in seamlessly

Common Mistake: Using the ID Token for API authorization breaks security design. Always use the Access Token for backend validation.

Best Practices:
- Keep access tokens short-lived
- Store refresh tokens securely
- Validate tokens at the resource server
- Follow the least-privilege principle

Understanding these tokens properly can significantly improve your system’s security, scalability, and performance.

#Keycloak #Security #OAuth2 #JWT #Authentication #Authorization #BackendDevelopment #Microservices #Java #SpringBoot
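To make a Spring resource server enforce the "Common Mistake" rule from the post above mechanically, here is an added configuration example (mine, not the author's code or a Keycloak sample). It assumes Spring Boot 3 with spring-boot-starter-oauth2-resource-server, a placeholder realm URL and API client id, and an audience mapper configured on the Keycloak client so that access tokens carry the API in "aud".

```java
import java.util.Collection;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class KeycloakResourceServerConfig {
    // Placeholders: the realm's issuer URL and the client id this API expects to find in "aud".
    private static final String ISSUER = "https://keycloak.example.com/realms/demo";
    private static final String API_AUDIENCE = "my-api";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Reads the realm's OpenID configuration, fetches its JWKS and verifies signatures with it.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);

        // Keycloak writes typ=Bearer into access tokens and typ=ID into ID tokens, so an ID token
        // presented to the API is rejected here even though its signature is perfectly valid.
        OAuth2TokenValidator<Jwt> accessTokenOnly =
                new JwtClaimValidator<String>("typ", typ -> "Bearer".equals(typ));

        // The token must have been issued for this API, not for some other client of the realm
        // (assumes an audience mapper on the client; otherwise "aud" will not contain API_AUDIENCE).
        OAuth2TokenValidator<Jwt> issuedForThisApi = new JwtClaimValidator<Collection<String>>(
                "aud", aud -> aud != null && aud.contains(API_AUDIENCE));

        // The default validators cover "exp"/"nbf" (with clock skew) and "iss"; ours run on top.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), accessTokenOnly, issuedForThisApi));
        return decoder;
    }
}
```

With this decoder in place, a request carrying the ID token (or an access token minted for a different client) fails validation and ends in 401 before any controller runs.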
🚀 Understanding Spring Security with JWT Authentication (Complete Flow)

Just built and visualized the complete authentication & authorization flow using Spring Boot + Spring Security + JWT 🔐

📌 Key Highlights from the Architecture:
✔️ Client sends login request → /api/auth/login
✔️ Authentication handled via Authentication Manager
✔️ Credentials verified using DAO Authentication Provider
✔️ User fetched from DB using UserDetailsService
✔️ On success → JWT Token generated (with roles & user info)
✔️ Token sent back to client

🔁 For every next request:
➡️ Client sends JWT in Authorization Header
➡️ JWT Filter validates token
➡️ SecurityContext is set
➡️ Role-based access control using @PreAuthorize
❌ Invalid token → 403 Forbidden
✅ Valid token → 200 OK

💡 This setup ensures:
Stateless authentication
Secure APIs
Role-based access control (ADMIN, USER, etc.)

🔥 Currently working on building a full-stack system around this (like Airbnb-style backend).

#SpringBoot #Java #BackendDevelopment #JWT #SpringSecurity #RESTAPI #FullStackDeveloper #LearningInPublic #TechJourney
Building a REST API with Spring Boot? Sooner or later, the big question arises: "how to secure endpoints without sacrificing scalability?" That’s exactly where JWT (JSON Web Token) comes to the rescue. In this step-by-step guide, I show you how to set up JWT in Spring Boot so your API remains stateless, secure, and production-ready.

Why modern Backend chooses JWT:
👉 Stateless Architecture: The server doesn't need to store sessions in memory — this is key to horizontal scaling.
👉 Mobile-friendly: The same token can be used across web and mobile applications.
👉 Decoupling: Complete separation of client and server.
👉 Granular Control: Fine-tuned access control using Claims (Roles/Authorities).

What is often forgotten during implementation:
🔹 Secure Storage: Use httpOnly cookies on the client side to protect against XSS.
🔹 Time-to-Live (TTL): A combination of Access + Refresh tokens is a must for secure systems.
🔹 Secret Keys: Use strong signing algorithms (at least HS256 with a long key) and store them in environment variables or a Vault.

Which authentication approach do you prefer? Do you stick with classic sessions, use OAuth2/OpenID Connect, or go with a custom JWT implementation? Let’s discuss in the comments! 👇

#SpringBoot #Java #JWT #Backend #WebSecurity #Programming #SpringSecurity #RestAPI
Understanding JWT (JSON Web Token) Authentication in Spring Boot

Most of the time, I was just using JWT in projects without really knowing what was happening behind the scenes. So I spent some time digging into how it actually works.

🔐 What happens during login?
* Backend verifies credentials
* Generates a JWT token
* Sends it to the client
After that, the client sends this token with every request instead of credentials.

🧩 The interesting part is Spring Security: Every request passes through a filter chain before reaching the controller.

👉 I implemented a custom JWT filter:
* Extract token from header
* Validate signature & expiry
* If valid → set authentication in Security Context
Only then the request is processed.

💡 Took me time to understand this flow — especially tracing how requests move through the filter chain.
* JWT = stateless (no session stored on server)
* Authentication = who you are
* Authorization = what you can access
* Everything is decided before controller logic runs

🛠 Still figuring out:
* Exact execution point of the filter
* Role of SecurityContextHolder
* Debugging filter chain flow

📌 Earlier JWT felt like just a library feature. Now it feels like a request validation mechanism at the filter level. Still learning, but this changed how I see backend security.

#Java #SpringBoot #SpringSecurity #JWT #BackendDevelopment
Managing user sessions in microservices can get complex. Instead of storing sessions on the server, JWT (JSON Web Token) makes authentication stateless and scalable by embedding user info and a signature directly into the token.

To use JWT effectively:
1. Keep access tokens short-lived (e.g., 30 minutes)
2. Use refresh tokens for longer sessions (e.g., 24 hours)
3. Always store tokens securely on the client side

In my application, I’ve configured the access token to expire after 30 minutes and the refresh token after 24 hours. Both are generated using generateAccessToken and generateRefreshToken methods in jwtUtil, and the backend response includes these two tokens for the client to use.

In this short video, I break down:
JWT structure (Header, Payload, Signature)
JWT lifecycle (Login → Token issued → Verified → Access granted)
Access vs Refresh tokens with a practical example
Best practices for secure, scalable authentication

How do you handle JWT expiration and refresh in your projects?

#BackendDevelopment #Java #SpringBoot #Microservices #JWT
🔐 Building Secure Authentication with JWT in Spring Boot

Currently working on implementing JWT-based authentication in a Spring Boot application, focusing on handling both access tokens and refresh tokens for a more secure and scalable system.

Access tokens are short-lived and used for every request, while refresh tokens help generate new access tokens without forcing users to log in again — improving both security and user experience.

Along the way, I’ve been learning key concepts like:
• Designing a stateless authentication flow
• Proper token lifecycle management (generation, validation, expiration, rotation)
• Securing endpoints using Spring Security filters
• Handling edge cases like token expiry and invalidation
• Structuring clean and maintainable authentication logic

This hands-on implementation is helping me better understand how real-world backend systems handle security at scale. 🚀

#SpringBoot #Java #BackendDevelopment #JWT #Authentication #Security #DeveloperLife #LearningJourney
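The 30-minute access / 24-hour refresh split from the two posts above, with the rotation and invalidation edge cases, as an added example using jjwt 0.11.x (my code, not the authors' jwtUtil; class and claim names are placeholders). It assumes a SecretKey of at least 32 bytes loaded from configuration (for example via Keys.hmacShaKeyFor) and an issuer string chosen by the application.

```java
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKey;
import io.jsonwebtoken.*;

// Issues access and refresh tokens and redeems refresh tokens exactly once (rotation).
public class JwtUtil {
    private static final long ACCESS_TTL_SECONDS = 30 * 60;        // 30 minutes
    private static final long REFRESH_TTL_SECONDS = 24 * 60 * 60;  // 24 hours
    private final SecretKey key;    // HS256 key from configuration, at least 256 bits
    private final String issuer;    // written into "iss" and required when parsing
    // jti values of refresh tokens already redeemed. In-memory for the example only:
    // real deployments need a shared store with expiry so every instance sees it.
    private final Set<String> usedRefreshIds = ConcurrentHashMap.newKeySet();

    public JwtUtil(SecretKey key, String issuer) { this.key = key; this.issuer = issuer; }

    public String generateAccessToken(String username, List<String> roles) {
        return build(username, "access", ACCESS_TTL_SECONDS).claim("roles", roles).compact();
    }

    public String generateRefreshToken(String username) {
        return build(username, "refresh", REFRESH_TTL_SECONDS).compact();   // no roles: it only refreshes
    }

    private JwtBuilder build(String subject, String use, long ttlSeconds) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setSubject(subject).setIssuer(issuer)
                .setId(UUID.randomUUID().toString())   // jti: makes each refresh token individually trackable
                .claim("token_use", use)               // lets the API filter accept "access" only
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plusSeconds(ttlSeconds)))
                .signWith(key, SignatureAlgorithm.HS256);
    }

    /** Exchanges a valid, never-before-used refresh token for a new access + refresh pair. */
    public String[] refresh(String refreshToken, List<String> currentRoles) {
        Claims c = Jwts.parserBuilder().setSigningKey(key).requireIssuer(issuer)
                .require("token_use", "refresh")   // an access token (or an ID token) is refused here
                .build().parseClaimsJws(refreshToken).getBody();   // throws on bad signature or expiry
        if (!usedRefreshIds.add(c.getId())) {
            throw new JwtException("refresh token already used");   // replay of a rotated token
        }
        return new String[] { generateAccessToken(c.getSubject(), currentRoles),
                              generateRefreshToken(c.getSubject()) };
    }
}
```

Roles are passed into refresh() rather than copied from the old token so that a role change takes effect at the next refresh instead of living on for the full 24 hours.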
🔐 How JWT Authentication Works (Step-by-Step)

This infographic explains the complete flow of JWT (JSON Web Token) authentication in a simple and structured way:

👉 User Login – The user enters credentials (username & password) from the frontend and sends a request to the server.
👉 Credential Verification – The Spring Boot backend validates the user credentials against the database.
👉 JWT Generation – If authentication is successful, the server generates a secure JWT token.
👉 Token Storage – The JWT token is stored in the browser using localStorage or sessionStorage.
👉 API Request with Token – The client sends requests to protected APIs by attaching the token in the header (Authorization: Bearer <token>).
👉 Token Validation – The server verifies the token. If valid, access is granted; otherwise, the request is denied.

💡 Summary
JWT helps in building secure, stateless, and scalable authentication systems in modern web applications.

As a Java Full Stack learner, understanding this flow is an important step toward real-world backend development 🚀

Still learning and improving every day 💻

#Java #SpringBoot #JWT #Authentication #FullStackDevelopment #BackendDevelopment #WebDevelopment #LearningInPublic #SoftwareEngineering
Folks,

After understanding OAuth2.0, the next critical step is what actually protects your APIs in real-world systems — JWT Validation & Spring Security.

Ever thought what happens after a token is generated? Here’s the real backend flow:
🔹 Client sends request with JWT in Authorization header
🔹 Spring Security filters intercept the request
🔹 Token is validated (signature, expiry, issuer, claims)
🔹 Roles & authorities are extracted
🔹 Access is granted or denied

💡 Key Takeaway: Security doesn’t end at token generation. Validating every request is what truly protects your APIs.

This is how modern microservices stay:
✔️ Stateless
✔️ Secure
✔️ Scalable

If you're building production-grade backend systems, mastering this layer is a must.

— Asad | Java Backend Developer

#Java #SpringBoot #JWT #OAuth2 #Security #Microservices #BackendDevelopment #LearningSeries
Understanding JWT Authentication is a must for every backend developer 🔐

Recently, while working on a Spring Boot project, I explored how authentication actually works behind the scenes — and this flow made everything crystal clear.

Here’s what happens step-by-step:
👉 A user logs in with credentials (username & password)
👉 The server validates the data from the database
👉 If valid, a JWT (JSON Web Token) is generated
👉 This token is sent back and stored on the client side
👉 For every API request, the token is sent in the Authorization header
👉 The server verifies the token (signature + expiry)
👉 If valid → access granted (200 OK)
👉 If expired → refresh token is used to generate a new one
👉 If invalid → access denied (401 Unauthorized)

This flow ensures:
✔ Secure communication
✔ Stateless authentication
✔ Scalability in modern applications

Learning this helped me understand how real-world applications handle security and user sessions.

If you’re working with Spring Security or building REST APIs, mastering JWT is a game changer ⚡

#Java #SpringBoot #SpringSecurity #JWT #BackendDevelopment #WebDevelopment #APIs #Developers #LearningInPublic
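The per-request filter step that the posts above describe (extract the bearer token, validate signature, expiry and issuer, set the SecurityContext, reject with 401 otherwise) as an added example; it is my code, not any of the authors' filters. It assumes Spring Boot 3 / Spring Security 6 with jjwt 0.11.x, tokens that carry a token_use claim ("access") and a roles claim, and that the filter is registered with http.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class).

```java
import java.io.IOException;
import java.util.List;
import javax.crypto.SecretKey;
import io.jsonwebtoken.*;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Runs once per request, before any controller, and decides whether the bearer token is trusted.
public class JwtAuthFilter extends OncePerRequestFilter {
    private final SecretKey key;    // HMAC key loaded from configuration, never hard-coded
    private final String issuer;    // the "iss" value our own token issuer writes

    public JwtAuthFilter(SecretKey key, String issuer) { this.key = key; this.issuer = issuer; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res);   // no token: stay anonymous and let the authorization rules decide
            return;
        }
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(key)         // signature must verify with our key
                    .requireIssuer(issuer)      // tokens minted by anyone else are rejected
                    .build()
                    .parseClaimsJws(header.substring(7))   // also throws once "exp" has passed
                    .getBody();
            if (!"access".equals(claims.get("token_use", String.class))) {
                throw new JwtException("not an access token");   // a refresh token cannot call APIs
            }
            List<?> roles = claims.get("roles", List.class);
            List<GrantedAuthority> authorities = roles == null ? List.of()
                    : roles.stream().map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r)).toList();
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities));
        } catch (JwtException | IllegalArgumentException e) {
            SecurityContextHolder.clearContext();
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token");
            return;   // stop the chain here: the controller never sees this request
        }
        chain.doFilter(req, res);
    }
}
```

Because the authentication is built from the token alone, nothing is looked up or stored on the server per request, which is what makes the SessionCreationPolicy.STATELESS setup work.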
🔐 Day 9 of Learning Spring Security — CSRF, Sessions & REST API Config

Today I finally understood why POST requests fail when you enable Spring Security — and how to fix it the right way.

The problem: When Spring Security is enabled, it blocks all POST/PUT/DELETE requests by default. Only GET works. The culprit? CSRF Protection.

What I tried (both approaches):

Approach 1 — Manual CSRF Token
Hit a GET endpoint → grab the CSRF token → add it as X-CSRF-TOKEN header → POST works ✓

Approach 2 — Custom Security Config (better for REST APIs):

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            return http
                .csrf(c -> c.disable())
                .authorizeHttpRequests(r -> r.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults())
                .sessionManagement(s -> s
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .build();
        }
    }

The key insight — when to enable vs disable CSRF:

✅ Keep CSRF ENABLED when:
- Browser-based web apps
- Session / Cookie-based authentication
- Server-side rendered (Thymeleaf, JSP)

❌ Safe to DISABLE CSRF when:
- REST APIs with JWT authentication
- Stateless APIs (no sessions)
- Mobile app backends
- Service-to-service communication

Rule of thumb: Auth in a Cookie → Enable CSRF. Auth in an Authorization Header → Safe to disable.

Why STATELESS session? SessionCreationPolicy.STATELESS means the server never stores sessions. Every request is independent — scales horizontally with zero shared state.

What's next? → JWT Authentication to replace Basic Auth completely.

Building in public, one concept at a time. If you're on a similar Spring journey, let's connect!

#SpringSecurity #SpringBoot #Java #BackendDevelopment #REST #LearningInPublic #100DaysOfCode #WebDevelopment #Developer #CSRF