Keycloak authorization

Question

Hi I'm pretty new with Keycloak and I don't understand some basic things about authorization. I have a REST API that exposes some resources and I want the users to have different roles depending on that resources. For example: I have users, cars and two roles (roleA, roleB). I want to assign roleA to userA for carA. Can I do this in Keycloak? How?

Thanks!

Answer 1

Yes, That can be done. This can be easily done via the admin console of KEYCLOAK.

1. Create a realm
2. Create a client in the realm for your application
3. Create roles (either realm roles or client roles)
4. Create resources
5. Create role based policies by selecting the relevant role
6. Create permissions by associating the created resources and the created policies

Answer 2

The question is a bit vague, but yes, you can do this in Keycloak.

Out of the box, Keycloak supports users and roles. It provides apis and UIs to manage these. If your app is configured to use Keycloak as a source of identity, you can access Keycloak user and role information in your app.

I'm not totally clear on how your "car" concept relates to users and roles, or where you want to manage it. But you have a couple of options:

1. Turn your app into an OAuth resource server and have Keycloak provide identity information via tokens. Do your cars business logic in your app. You'll want to read up on how OAuth works if you're not familiar with it.
2. It is possible to extend Keycloak to add custom domain objects, such as Car. More on how to do that here.