Best Practices for Integrating Keycloak and APISIX with Microservices

Hello everyone,

I am setting up a Keycloak + APISIX system to manage authentication and authorization for microservices. I would like to seek advice from experienced professionals on best practices for the following questions:

1. Should authorization be managed using Realms or Group/User Roles?

  • I have multiple user groups, each with different permissions for various APIs.
  • Should I create multiple separate Realms, or is it better to use a single Realm with Group/User Roles for better permission management?
  • In a multi-tenant system, which approach is more optimal?

2. Should authorization be enforced at APISIX or within each microservice?

  • APISIX can validate JWT tokens for user authentication, but should I decode the JWT and check role_name directly within each microservice instead?
  • In which cases should APISIX handle role verification before forwarding the request to the service?
  • When is it better to let microservices handle authorization for greater flexibility?
  • What are the risks or limitations of using APISIX as the authorization layer?

I have searched through many posts but haven’t found one that discusses best practices for this type of implementation, or if there is one, it doesn’t provide a proposed solution.

I sincerely appreciate any advice you can share, even if it’s just a little. Thank you so much!

Same topic:

  1. Best practice for keycloak multi-tenancy
  2. Best practice for role/permission management
  1. Regarding user role management: I propose using a single realm and organizing roles into groups. Each group can have multiple subgroups, and within each specific group, there will be roles assigned per client (1 client - 1 service). For reference, see: Using Keycloak for Multi-Tenancy With One Realm | by Dale Bingham | The Startup | Medium.

  2. Regarding permission validation: I propose validating roles at the service level by decoding the JWT token. This approach ensures security at each service and allows for more flexible role management. For example, an admin user can only view the contracts they have created. This enhances system independence and scalability as new requirements emerge.
    We can fully configure security and perform additional role validation in APISIX.
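The service-side check the answer above proposes, written out as an added example (this is not code from the original post, nor from Keycloak or APISIX). It shows the two layers discussed in the thread: a coarse route-to-role table of the kind a gateway such as APISIX can enforce, and the fine-grained rule inside the service (an admin only sees the contracts they created). The realm URL, client id `contracts-service`, role names and the `ROUTE_ROLES` table are hypothetical. Keycloak signs access tokens with RS256 and a real service verifies against the realm's JWKS; to keep the example runnable offline it signs and verifies with HS256 using a constructed secret, which is clearly an assumption and not a recommendation. The claim layout (`realm_access.roles`, `resource_access.<client>.roles`, `sub`, `azp`) is Keycloak's.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not real deployment settings).
DEMO_SECRET = b"demo-only-shared-secret"            # stands in for the realm's RS256 key/JWKS
ISSUER = "https://keycloak.example.com/realms/platform"  # hypothetical single realm
CLIENT_ID = "contracts-service"                     # hypothetical client: 1 client = 1 service

# Coarse, route-level rule: the kind of check a gateway (APISIX) can apply before
# forwarding. None means the route only needs a valid token.
ROUTE_ROLES = {"/contracts": "admin", "/health": None}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    return b64url_encode(json.dumps(claims).encode())


def mint_demo_token(claims: dict) -> str:
    """Build an HS256 token so the example runs offline (plays the role of Keycloak)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header_b64}.{encode_claims(claims)}"
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature, expiry, issuer and audience BEFORE trusting any role claim.
    Decoding without this step lets a caller hand the service any roles they like."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # Keycloak access tokens often carry aud="account" and name the client in azp.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud and claims.get("azp") != CLIENT_ID:
        raise ValueError("token not intended for this service")
    return claims


def roles_for(claims: dict) -> set:
    """Realm roles plus this client's roles, following Keycloak's claim layout."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", []))
    return realm_roles | client_roles


def gateway_allows(route: str, claims: dict) -> bool:
    """Route-level role gate (what APISIX could enforce). Unknown routes are denied."""
    if route not in ROUTE_ROLES:
        return False
    required = ROUTE_ROLES[route]
    return required is None or required in roles_for(claims)


def can_view_contract(claims: dict, contract: dict) -> bool:
    """Fine-grained rule from the answer: an admin only sees contracts they created.
    'sub' is the Keycloak user id; the service compares it with the record's owner."""
    if "admin" not in roles_for(claims):
        return False
    return contract["created_by"] == claims["sub"]


if __name__ == "__main__":
    now = time.time()
    tok = mint_demo_token({"iss": ISSUER, "aud": "account", "azp": CLIENT_ID, "sub": "user-1",
                           "exp": now + 3600,
                           "resource_access": {CLIENT_ID: {"roles": ["admin"]}}})
    c = verify_token(tok)
    print(gateway_allows("/contracts", c), can_view_contract(c, {"created_by": "user-1"}))
```

Note that the gateway check and the service check are not alternatives: even when APISIX (for example via its openid-connect plugin) has already validated the token, the service still re-verifies signature, issuer, expiry and audience before reading roles, so a request that bypasses the gateway or a forged payload cannot grant itself a role.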