I have Spring boot microservices running behind a Zuul API gateway. And a keycloak server for security. I want to secure(authorize) some of the API endpoints, and a few endpoints will be whitelisted from our microservices.

As per my thought process, I will authorize the requests at Zuul Gateway based on the configured roles(defined on the Keycloak server). Below are the queries :

Is it a correct approach?

1. If yes, could you help me here with a sample code example.
2. If not, please let me know the correct approach with a sample example.