We are in the process of architecting an ERP system for a small enterprise. Our technology stack is relatively simple, with backend modules developed using Spring Boot (e.g., HRMS, CRM, Logistics, QC, etc.) and the frontend built with Angular. Currently, we have a single Angular application that integrates with multiple backend modules.
Our goal now is to integrate Keycloak for Identity and Access Management (IAM) and implement Single Sign-On (SSO) for our users. We also need to assign different roles to users across the various applications in our system.
I am looking for guidance on the best approach to architect the integration with Keycloak. Specifically:
- What is the best way to integrate Keycloak for centralized user authentication and authorization across the Spring Boot backend modules and the Angular frontend?
- How can we handle role-based access control (RBAC) for different applications, ensuring each user has appropriate roles across different modules (e.g., HRMS, CRM)?
- Which authentication flow should we adopt for SSO? Should we go with Authorization Code Flow with PKCE or Implicit Flow?
- Is it mandatory to introduce a Service Gateway? I am considering using an API Gateway as the centralized point for token validation. After the token is validated at the API Gateway, it will be passed to the Spring Boot applications for role validation and access control. Does this architecture make sense, or are there better alternatives?
- As I’m new to Keycloak and IAM concepts, any insights on Keycloak’s authentication flows, its role in token management, and how it can work in a microservices-based system would be greatly appreciated.
Looking forward to your suggestions and best practices!
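One way to wire a single Spring Boot module as a Keycloak resource server, added here as an illustration and not code from the original post: each module verifies the JWT itself (signature via the realm's JWKS, issuer, expiry, and its own audience) instead of trusting a gateway check alone, and maps Keycloak realm roles plus the module's own client roles to Spring authorities. Assumed names: the Keycloak client `hrms-api`, the property `keycloak.issuer-uri`, the role `HRMS_USER`, and an audience mapper in Keycloak that adds `hrms-api` to the token's `aud` claim.

```java
import java.util.*;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
  // Keycloak client registered for this module (assumed name); each module has its own client.
  private static final String CLIENT_ID = "hrms-api";
  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/hrms/**").hasRole("HRMS_USER")   // requires authority ROLE_HRMS_USER
            .anyRequest().authenticated())
        .oauth2ResourceServer(rs -> rs.jwt(j -> j.jwtAuthenticationConverter(keycloakRoles())));
    return http.build();
  }
  // The module checks signature (realm JWKS), exp/nbf, issuer and its own audience; a gateway check is no substitute.
  @Bean
  JwtDecoder jwtDecoder(@Value("${keycloak.issuer-uri}") String issuer) {  // assumed property name
    NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
    OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
        JwtClaimNames.AUD, aud -> aud != null && aud.contains(CLIENT_ID));
    decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
        JwtValidators.createDefaultWithIssuer(issuer), audience));
    return decoder;
  }
  // Keycloak puts realm roles in realm_access.roles and client roles in resource_access.<client>.roles.
  private JwtAuthenticationConverter keycloakRoles() {
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    converter.setJwtGrantedAuthoritiesConverter(jwt -> {
      List<GrantedAuthority> out = new ArrayList<>();
      addRoles(out, jwt.getClaimAsMap("realm_access"));
      Map<String, Object> res = jwt.getClaimAsMap("resource_access");
      // Only this module's client roles are mapped; roles granted for CRM or Logistics clients are ignored here.
      if (res != null && res.get(CLIENT_ID) instanceof Map<?, ?> m) addRoles(out, m);
      return out;
    });
    return converter;
  }
  private static void addRoles(List<GrantedAuthority> out, Map<?, ?> access) {
    if (access == null || !(access.get("roles") instanceof Collection<?> roles)) return;
    for (Object r : roles) out.add(new SimpleGrantedAuthority("ROLE_" + r));
  }
}
```

On the Angular side the matching choice is Authorization Code Flow with PKCE (the Implicit Flow is no longer recommended for browser apps because the access token is exposed in the redirect URL), sending the access token as a Bearer header to each module. A gateway can still reject malformed or expired tokens early, but the audience check and role decisions stay inside each module so a token minted for one module cannot be replayed against another.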