
I want to create a role-based access control system using Keycloak's authorization system.

I'm using OAuth 2.0 in a microservice architecture and faced the following problem: I have records with unique IDs (they are rooted to other entities), and what I want to achieve is that only certain users or a group of users can see (modify) entries with these IDs. I would also like to be able to explicitly bind users (or groups) to these IDs (and it should be possible to receive them in the JWT, for example).

How could this problem be solved using Keycloak, and what are the best practices for doing this? Perhaps I misunderstood something and this problem can be solved in another way?

Thanks in advance!


1 Answer


There are 2 ways to handle this:

1. Using Client roles:

i) i.e. create some set of pre-defined roles (viewer, admin, editor, etc.).
ii) Now whenever your IDs are generated, generate one client in Keycloak and assign any of the above roles.
iii) In the JWT, it will be visible at the path:
    "resource_access" --> <CLIENT_IDs> --> "roles": [your defined roles]

Then, in the service layer, you can authorise using the granted authorities or by role group.

2. Using Realm roles:

i) In the JWT, this will be fetched from the path: "realm_access" -> "roles": [your defined roles].

If you have only 2 roles (e.g. admin and viewer), then the 2nd option would be preferred.

Let me know if this helps. :)

  • If I have 1000 IDs, then there will be 1000 roles in JWT token? Is it possible to write these IDs into the custom attributes of a user group and then get them on a separate request? – fire_Rising Dec 28 '21 at 06:49
  • True, in the JWT you will have 1000 role mappings (client + roles). If you don't have anything else in the request header, then this would be sufficient. In one of my projects, we had 32K records and each user had custom roles. We increased the header size in the service container (Tomcat) to the max limit. – Shyamashish Dec 28 '21 at 09:03
  • How much of a performance impact does this have on network communication? Did you have a microservice application where you chained tokens? – fire_Rising Dec 28 '21 at 09:14
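The check the answer describes (one Keycloak client per record ID, roles under `resource_access`, plus realm-wide roles under `realm_access`), as an added example that is not part of the answer or of Keycloak itself. The payload, the `record-<id>` client naming and the `ROLE_ACTIONS` mapping are constructed assumptions; the token is assumed to have been signature-verified before its claims are trusted.

```python
import json

# Constructed sample: decoded Keycloak access-token payload, already signature-verified.
# Each record ID is modelled as its own client, as the answer proposes.
SAMPLE_PAYLOAD = json.loads("""
{
  "sub": "user-123",
  "realm_access": {"roles": ["offline_access", "uma_authorization"]},
  "resource_access": {
    "record-1001": {"roles": ["viewer"]},
    "record-1002": {"roles": ["editor"]},
    "account":     {"roles": ["manage-account"]}
  }
}
""")

# Assumed mapping from the answer's pre-defined roles to the actions they permit.
ROLE_ACTIONS = {
    "viewer": {"view"},
    "editor": {"view", "modify"},
    "admin":  {"view", "modify", "delete"},
}

def client_roles(payload, client_id):
    """Roles granted under resource_access for one client; empty set if the client is absent."""
    return set(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))

def realm_roles(payload):
    """Roles granted realm-wide under realm_access (the answer's option 2)."""
    return set(payload.get("realm_access", {}).get("roles", []))

def allowed_actions(payload, record_id):
    """Union of actions from realm roles and from the client roles bound to this record ID."""
    roles = realm_roles(payload) | client_roles(payload, record_id)
    actions = set()
    for role in roles:
        actions |= ROLE_ACTIONS.get(role, set())  # unknown roles grant nothing
    return actions

def is_allowed(payload, record_id, action):
    """Deny by default: a record with no client entry and no realm role yields no actions."""
    return action in allowed_actions(payload, record_id)

def record_count(payload):
    """Number of record clients carried in the token; grows with every bound ID (see comments)."""
    return sum(1 for c in payload.get("resource_access", {}) if c.startswith("record-"))
```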