Best Approach for Integrating Keycloak with ERP System for IAM and SSO in Microservices Architecture

We are in the process of architecting an ERP system for a small enterprise. Our technology stack is relatively simple, with backend modules developed using Spring Boot (e.g., HRMS, CRM, Logistics, QC, etc.) and the frontend built with Angular. Currently, we have a single Angular application that integrates with multiple backend modules.

Our goal now is to integrate Keycloak for Identity and Access Management (IAM) and implement Single Sign-On (SSO) for our users. We also need to assign different roles to users across the various applications in our system.

I am looking for guidance on the best approach to architect the integration with Keycloak. Specifically:

  1. What is the best way to integrate Keycloak for centralized user authentication and authorization across the Spring Boot backend modules and the Angular frontend?
  2. How can we handle role-based access control (RBAC) for different applications, ensuring each user has appropriate roles across different modules (e.g., HRMS, CRM)?
  3. Which authentication flow should we adopt for SSO? Should we go with Authorization Code Flow with PKCE or Implicit Flow?
  4. Is it mandatory to introduce a Service Gateway? I am considering using an API Gateway as the centralized point for token validation. After the token is validated at the API Gateway, it will be passed to the Spring Boot applications for role validation and access control. Does this architecture make sense, or are there better alternatives?
  5. As I’m new to Keycloak and IAM concepts, any insights on Keycloak’s authentication flows, its role in token management, and how it can work in a microservices-based system would be greatly appreciated.

Looking forward to your suggestions and best practices!

  1. Follows the identity standards. OIDC → AuthN and OAuth 2.0 → AuthZ (more accurately, access delegation)
  2. It’s all about your “P*P” architectures (PIP, PDP, PEP, etc.)
  3. SPA or Native Apps → Authorization Code Flow with PKCE
  4. Depends on your point 2). It’s not mandatory, but it’s common. Nevertheless, Spring Boot comes with Spring Security’s OAuth 2.0. Here’s a reference for another approach [1]
  5. Review OIDC [2], OAuth 2.0 [3]
    [1] Mastering Access Control: Low-Code Authorization with ReBAC, Decoupling Patterns and Policy as Code | by Martin Besozzi | Medium
    [2] Final: OpenID Connect Core 1.0 incorporating errata set 2
    [3] RFC 6749 - The OAuth 2.0 Authorization Framework
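As an added example (not code from the thread or from the Keycloak project), this is the Spring Security 6 resource-server configuration that the answer's point 4 implies for one backend module: the module validates the Keycloak-issued JWT itself and maps Keycloak's `realm_access` and `resource_access` roles to `ROLE_*` authorities so that per-module checks such as `hasRole("hrms-user")` work. The role names `hrms-user`/`crm-user`, the path prefixes `/hrms/**` and `/crm/**`, and the class name are assumptions; the issuer is configured separately in `application.yml` via `spring.security.oauth2.resourceserver.jwt.issuer-uri`.

```java
// Added example (not from the thread): Spring Boot 3 / Spring Security 6 resource server that
// validates Keycloak JWTs and maps Keycloak roles to Spring authorities. Role names, URL prefixes
// and the class name are hypothetical; the issuer URI is set in application.yml.
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {
    // Keycloak places realm roles under "realm_access.roles" and client roles under
    // "resource_access.<client-id>.roles"; both become ROLE_* authorities for hasRole() checks.
    static Collection<GrantedAuthority> keycloakRoles(Jwt jwt) {
        Set<String> roles = new HashSet<>();
        Map<String, Object> realm = jwt.getClaimAsMap("realm_access");
        if (realm != null && realm.get("roles") instanceof Collection<?> rr) {
            rr.forEach(x -> roles.add(String.valueOf(x)));
        }
        Map<String, Object> resource = jwt.getClaimAsMap("resource_access");
        if (resource != null) {
            for (Object client : resource.values()) {
                if (client instanceof Map<?, ?> m && m.get("roles") instanceof Collection<?> cr) {
                    cr.forEach(x -> roles.add(String.valueOf(x)));
                }
            }
        }
        return roles.stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)).collect(Collectors.toList());
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter conv = new JwtAuthenticationConverter();
        conv.setJwtGrantedAuthoritiesConverter(ResourceServerConfig::keycloakRoles);
        // Signature, issuer and expiry are verified by the JWT decoder; roles are enforced per module,
        // so a token the gateway already accepted is still re-checked here (defence in depth).
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/hrms/**").hasRole("hrms-user")
                .requestMatchers("/crm/**").hasRole("crm-user")
                .anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(conv)));
        return http.build();
    }
}
```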

Thank you so much for the guidance. I really appreciate the help.