Securely invoking the backend REST API
Now, open http://localhost:3000/ and click on the Public endpoint link. You will see a message saying Public message!. The public endpoint is not secured by Keycloak and can be invoked without an access token.
Next, let's try the secured endpoint that is protected by Keycloak. Open http://localhost:3000/ again. This time, click on the Secured endpoint link. Now you will see a message saying Access denied. This request is not permitted since it requires a valid access token to invoke the endpoint.
Let's now try to invoke the secured endpoint from the frontend. Open http://localhost:8000/ and click on Invoke Service. You will now see a message displayed saying Secret message!. If instead you get the message Access Denied, this is most likely caused by the user not having the myrole role.
When you click Invoke Service, the frontend sends an AJAX request to the backend service, including the access token in the request, which allows the backend to verify that the invocation is done on behalf of a user who has the required role to access the endpoint.