Are resources the actual objects (e.g. documents) or the API (endpoint) to read/write those objects?

Hello,

In my backend I have many (millions of) documents. We use role-based access control today, with the role living inside the JWT from Keycloak. We want to have finer-grained access control such that single users or groups of users can be given read/write access, along with those in the organisation with an administrator role.

There are APIs (both REST and GraphQL) which allow things such as reading and modifying the documents. Today we enforce privileges (I think that’s the right terminology) at the URL level. E.g. on a REST URL we would have some middleware on a route like /document/{id}/update that checks the role in the JWT and that the JWT is valid.

My big question is: is the resource in Keycloak an endpoint (REST or GraphQL API) or the actual document?

If the resource is meant to be the actual document, does that mean that inside the Keycloak database I am expected to have mappings such as userId->list and maintain these mappings through the Keycloak admin REST API?

What is the best practice here? For fine-grained access control, does some of the logic live in Keycloak (e.g. roles) and the rest live in another part of the backend (either a dedicated authorization service OR a specialized authorization service for the local service [bounded context, if you’re trying to DDD])? I have found no discussion or answers on this subject.

Are there any good tutorials/guides/blogs that really go through fine-grained access control using Keycloak when you have millions of resources?

Merry Christmas
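The route-level guard described in the post, written out as an added example (not code from the original post or from Keycloak): it checks the token's signature and expiry, then matches the Keycloak `realm_access.roles` claim against the roles a route accepts. The HS256 demo key, the route table and the role names are constructed for the example; a real realm signs with RS256 and publishes its public keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real Keycloak realm signs with RS256 and publishes
# its public keys; this HMAC shortcut only stands in for signature verification.
DEMO_KEY = b"constructed-demo-secret"

# Route -> realm roles accepted, mirroring the /document/{id}/update middleware
# from the post (role names are constructed).
ROUTE_ROLES = {
    "/document/{id}/read": {"viewer", "editor", "administrator"},
    "/document/{id}/update": {"editor", "administrator"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(roles, exp, key=DEMO_KEY) -> str:
    """Build an HS256 token whose payload uses Keycloak's realm_access.roles layout."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"exp": exp, "realm_access": {"roles": list(roles)}}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(token: str, route: str, key=DEMO_KEY, now=None) -> bool:
    """Route-level guard: valid signature, not expired, and a realm role the route accepts."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False
    roles = set(claims.get("realm_access", {}).get("roles", []))
    # The decision depends only on route and role, never on which document
    # {id} refers to; that is exactly the gap the question is about.
    return bool(roles & ROUTE_ROLES.get(route, set()))
```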