fire_Rising

Reputation: 100

Setting permissions in Keycloak

I want to create a role-based access control system using Keycloak's authorization system.

I'm using OAuth 2.0 in microservice architecture and faced the following problem: I have records with unique IDs (they are rooted to other entities) and what I want to achieve is that only certain users or a group of users can see (modify) entries with these IDs. And I would like to be able to explicitly bind users (or groups) to these IDs (and it is possible to receive them in JWT for example).

How could this problem be solved using Keycloak, and what are the best practices for doing this? Perhaps I misunderstood something and this problem can be solved in another way?

Thanks in advance!

Upvotes: 1

Views: 525

Answers (1)

Shyamashish

Reputation: 26

There are 2 ways to handle this:

1. Using Client roles:

i) i.e. create some set of pre-defined roles (viewer, admin, editor, etc.).
ii) Now whenever your IDs are generated, generate one client in Keycloak and assign any of the above roles.
iii) In the JWT, it will be visible at the path:
    "resource_access" --> <CLIENT_IDs> --> "roles": [your defined roles]

Then, in the service layer, it can be authorised using granted authority or by roles-group.

2. Using Realm roles:

i) In the JWT, this will be fetched from the path: "realm_access" -> "roles": [your defined roles].

If you have only 2 roles (eg: admin and viewer), then 2nd option would be preferred.

Let me know if this helps. :)

Upvotes: 1
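As an added example (not part of the original answer), the two claim paths above read from a constructed Keycloak-style access-token payload, with deny-by-default checks for a record ID modelled as a client; the client IDs, role names and the `can_view`/`can_modify` policy are assumptions, and real tokens must have their signature verified before any claim is trusted.

```python
import base64
import json

# Constructed sample Keycloak access-token payload (not a real token; the
# client IDs and roles below are assumptions for this example).
SAMPLE_PAYLOAD = {
    "sub": "user-123",
    "realm_access": {"roles": ["viewer"]},
    "resource_access": {
        "record-7f3a": {"roles": ["editor"]},
        "record-9b21": {"roles": ["viewer"]},
    },
}

def encode_payload(payload: dict) -> str:
    """Base64url-encode a JSON payload the way a JWT segment is encoded."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict.
    Only call this on a token whose signature has already been verified."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def client_roles(claims: dict, client_id: str) -> set:
    """Option 1: resource_access -> <client_id> -> roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))

def realm_roles(claims: dict) -> set:
    """Option 2: realm_access -> roles."""
    return set(claims.get("realm_access", {}).get("roles", []))

def can_modify(claims: dict, record_id: str) -> bool:
    """Modifying a record requires editor or admin on the client that
    represents that record ID; an absent client entry means deny."""
    return bool(client_roles(claims, record_id) & {"editor", "admin"})

def can_view(claims: dict, record_id: str) -> bool:
    """Viewing is allowed by any client role on the record, or by a
    realm-wide admin; everything else is denied by default."""
    if "admin" in realm_roles(claims):
        return True
    return bool(client_roles(claims, record_id) & {"viewer", "editor", "admin"})
```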
