Authentication with Keycloak

Keycloak is an open source Identity and Access Management solution. This is the preferred authentication mode for Optimization Server.

All clients must obtain an authentication token from the Keycloak instance deployed within the infrastructure in order to access the Master API.

[Figure: Optimization Server authentication with Keycloak]

Default configuration of the DecisionBrain Keycloak Docker image

The pre-configured realm is “decisionbrain” and the client is “optimserver”. The role “optimserver” gives access to the Master API. The group “web-console” has the role “optimserver”.

A default user is provided, part of group “web-console”, with the following credentials: “optimserver” / “optimserver”.

Get token from code

The following example can be used by any Java-based application to get a token:

Maven users

Add this dependency to your project’s POM:


Gradle users

Add this dependency to your project’s build file:

compile "org.keycloak:keycloak-authz-client:4.8.2.Final"

Get an access token

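You can then get an access token with the following code:

import java.util.Collections;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;

public String getToken() {
    final Configuration configuration = new Configuration("keycloakUrl", // URL of the Keycloak server
                "decisionbrain", // keycloak realm
                "optimserver", // keycloak client
                Collections.singletonMap("secret", ""), // client credentials
                null); // no custom HTTP client: the Keycloak client creates a default one

    try {
        // Password grant with the keycloak user and password
        return AuthzClient.create(configuration).obtainAccessToken("optimserver", "optimserver").getToken();
    } catch (Exception e) {
        throw new IllegalArgumentException("Token can't be obtained", e);
    }
}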
This token can be used in all HTTP requests that call the Master API. It must be passed in the Authorization HTTP request header with the prefix Bearer.

Example:

curl -H 'Authorization: Bearer TOKEN' http://MASTER_URL
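
The same call from Java, as an added example that is not part of the original documentation: it reuses a token until shortly before it expires and sends it as a Bearer header to the Master API. The class name and the environment variable names (KEYCLOAK_URL, MASTER_URL, OPTIMSERVER_USER, OPTIMSERVER_PASSWORD) are assumptions, and java.net.http requires Java 11 or later.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Instant;
import java.util.Collections;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.representations.AccessTokenResponse;

/** Added example; class and environment variable names are hypothetical. */
public class MasterApiCall {
    private static String cachedToken;
    private static Instant expiresAt = Instant.MIN;

    /** Reads a required setting from the environment so no credential lives in source. */
    static String env(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    /** Returns the cached token, requesting a new one 30 s before the old one expires. */
    static synchronized String getToken() {
        if (Instant.now().isAfter(expiresAt)) {
            Configuration configuration = new Configuration(env("KEYCLOAK_URL"),
                    "decisionbrain", "optimserver", // realm and client from the page
                    Collections.singletonMap("secret", ""), null);
            AccessTokenResponse token = AuthzClient.create(configuration)
                    .obtainAccessToken(env("OPTIMSERVER_USER"), env("OPTIMSERVER_PASSWORD"));
            cachedToken = token.getToken();
            expiresAt = Instant.now().plusSeconds(Math.max(0, token.getExpiresIn() - 30));
        }
        return cachedToken;
    }

    public static void main(String[] args) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(env("MASTER_URL")))
                .header("Authorization", "Bearer " + getToken())
                .build(); // GET is the default method
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() == 401 || response.statusCode() == 403) {
            throw new IllegalStateException("Master API refused the token: HTTP " + response.statusCode());
        }
        System.out.println(response.statusCode() + " " + response.body());
    }
}
```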