Eugene S

Reputation: 99

Separate access in one app with keycloak

I have the following setup: a Spring SaaS REST service, which allows different companies to manage different events, and a REST client (a mobile app), shipped separately for each company. I want to use Keycloak for the security stuff, and I have a question about how to separate one company from another.

I need companyA to not be able to access companyB's events, and I also need different roles within a company: some users can create events, some can only read them.

First I thought each company would have its own realm created in Keycloak, but I learned that the realm is actually specified in the Spring Boot REST service parameters, like

keycloak.realm=demo-realm

This means there is only one realm per REST application, and I don't want to configure a REST service instance per client. I only want one REST service to rule them all.

Am I trying to use something which really doesn't fit my use case?

Would it be the right way to have a Keycloak Group configured for each company, and to build the logic in such a way that users of one group won't have access to what is created by another group? But then it actually feels wrong, since as I understand it, groups are supposed to be used in a different way: to have an admin group and a user group, etc., segregating users "vertically" by "privileges", and not "horizontally".

Can you please suggest a right approach for this problem?

Upvotes: 0

Views: 759

Answers (1)

Aritz

Reputation: 31679

I would implement a custom protocol mapper which loads extra user permissions for your application and stores them in a token. This way, you use a single realm and if there are more companies in the future it scales well. Here you've got an example of how to implement it.

Basically, the otherClaims field of the access token is a JSON field that allows a map of properties to be set. You could add a field here such as:

userAccessibleCompanyIds: [1,3,4]

How to load the company ids for the concrete user? You can access your application database from the mapper or get them using the REST API.

Then in your application you need to have control of what the user accesses. What I do is decode the token and see if the user request suits. If not, return a 403 response.

Upvotes: 1
