Keycloak Spring Boot configuration

I went through the same and here are my findings.

org.springframework.security.access.vote.RoleVoter assumes that your roles start with:

private String rolePrefix = "ROLE_";

There is no such assumption in Keycloak (unless you name all your roles ROLE_someName), therefore no roles are actually found matching.

A similar explanation can be found in the Spring Security Javadoc of the SecurityExpressionOperations class for the hasRole method:

This is similar to {@link #hasAuthority(String)} except that this method implies
that the String passed in is a role. For example, if "USER" is passed in the
implementation may convert it to use "ROLE_USER" instead. The way in which the role
is converted may depend on the implementation settings.

To sum it up, I've ended up with exactly the same solution as you did, using hasAuthority instead of hasRole now.


I solved it myself by replacing hasRole() with hasAuthority(). I still don't know why the Keycloak role is mapped to a Spring Security authority. Any explanation is welcome. Thank you.
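
The prefix mismatch both posts describe, as an added example that is not part of the original answers: it asks RoleVoter to vote on an authority that lacks the "ROLE_" prefix, then on the same authority after Spring Security's SimpleAuthorityMapper has added the prefix. It assumes Spring Security 5.x on the classpath; the role name "user", the principal "alice" and the class name RolePrefixDemo are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

public class RolePrefixDemo {

    // Ask a default RoleVoter (rolePrefix = "ROLE_") whether the granted
    // authorities satisfy a single required attribute.
    static String vote(Collection<? extends GrantedAuthority> granted, String required) {
        Authentication auth = new TestingAuthenticationToken(
                "alice", "n/a", new ArrayList<GrantedAuthority>(granted));
        int result = new RoleVoter().vote(auth, null, SecurityConfig.createList(required));
        switch (result) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a realm role delivered as-is, with no prefix.
        List<GrantedAuthority> raw = List.of(new SimpleGrantedAuthority("user"));

        // RoleVoter only considers attributes that start with its prefix and
        // compares them to the authority string with equals().
        System.out.println("raw authority,    required ROLE_user: " + vote(raw, "ROLE_user"));

        // An attribute without the prefix is not a "role" to RoleVoter at all.
        System.out.println("raw authority,    required user:      " + vote(raw, "user"));

        // SimpleAuthorityMapper prepends "ROLE_" by default, so a role-based
        // check can match without renaming the roles at the identity provider.
        Collection<? extends GrantedAuthority> mapped =
                new SimpleAuthorityMapper().mapAuthorities(raw);
        System.out.println("mapped authority, required ROLE_user: " + vote(mapped, "ROLE_user"));
    }
}
```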