I am implementing the complete authorization and authentication flow using Keycloak as the identity provider and OAuth2.
I have some questions that I would like to share with you in order to get more opinions and find the best solution.
My infrastructure basically has:
LB >> WAF >> API GATEWAY >> IDENTITY PROVIDER >> SERVICES
My questions relate mainly to exposing Keycloak endpoints publicly for authentication.
For example: is it good practice to expose the identity provider behind the WAF? (Following the infrastructure described above, the requests will hit the identity provider directly, bypassing the API gateway.)
Which approach have you been using?