Authentication Flow

This document provides an overview of the authentication setup and login flow in TUMApply, using Keycloak and OAuth 2.0 / OIDC.

🔗 Overview

TUMApply uses Keycloak as an identity provider. The client authenticates via OAuth 2.0 and obtains a JWT token. This token is sent with each request and validated by the Spring Boot server.

A Realm called tumapply
A public client called tumapply-client
Three test users with password login:

Username Password Role
admin1 admin ADMIN
professor1 professor PROFESSOR
applicant1 applicant APPLICANT

Username	Password	Role
`admin1`	`admin`	`ADMIN`
`professor1`	`professor`	`PROFESSOR`
`applicant1`	`applicant`	`APPLICANT`

These users can authenticate with a password and receive a valid access token (JWT).

🚀 Starting Keycloak

To start Keycloak, please follow the instructions in the Keycloak Setup document.

🧠 What's in the Token?

Use jwt.io to inspect the decoded token.

Example decoded JWT:

{
  "preferred_username": "admin1",
  "given_name": "Admin",
  "family_name": "One",
  ...
}

🔐 Authorization Flow in Application

Client sends Authorization: Bearer <token> in every request
Server extracts and validates the token, retrieves user info like preferred_username, given_name, family_name, ...

info

The user's role is not synced from Keycloak, but instead assigned and managed inside the TUMApply database.

✅ Summary

Keycloak manages authentication, but not roles.
User data is stored and managed in the TUMApply database.
On first login, a new user is created with default role.

🔗 Overview​

🚀 Starting Keycloak​

🧠 What's in the Token?​

🔐 Authorization Flow in Application​

✅ Summary​

🔗 Overview

🚀 Starting Keycloak

🧠 What's in the Token?

🔐 Authorization Flow in Application

✅ Summary