I have a trusted client that should be able to execute something like is_authorized(user_id, scopes, resource_id) and return a boolean for whether the user is authorized to perform the operation in the realm, while letting Keycloak do the heavy lifting. However, it seems authorization checks are only supported with a valid user token, e.g. something like is_authorized(user_token, scopes, resource_id). This requires access to user credentials, or impersonation.
Is there any way to query Keycloak authorization on a trusted client without bricking the whole security model with impersonation? I am surprised that it is so hard to figure out how to do this; trusted clients can easily create users, resources, scopes, and policies, but can’t get a yes/no answer on authorization decisions?
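For concreteness, here is the user-token-bound check the question describes, as an added example (not the poster's code, and not a claim about whether a client-only variant exists): it builds Keycloak's documented UMA permission request against the token endpoint with response_mode=decision and maps the reply to a boolean. The base URL, realm, client id, resource name and token strings are placeholders; the helper names is_authorized, build_permission_request and interpret_decision are this example's own.

```python
"""Keycloak permission check bound to a user's access token (added example).

The request shape (grant_type urn:ietf:params:oauth:grant-type:uma-ticket,
audience, permission=resource#scope, response_mode=decision) is Keycloak's
documented UMA grant; realm, client and token values are placeholders.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Tuple

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permission_request(keycloak_base: str, realm: str, user_token: str,
                             audience: str, resource_id: str,
                             scope: str) -> Tuple[str, Dict[str, str], List[Tuple[str, str]]]:
    """Build the token-endpoint request Keycloak evaluates one permission from.

    The decision is made for the subject of ``user_token``: the bearer token in
    the Authorization header is the identity Keycloak authorizes. That is the
    constraint the question runs into; a client credential cannot stand in here.
    """
    url = f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    headers = {
        "Authorization": f"Bearer {user_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    fields = [
        ("grant_type", UMA_GRANT),
        ("audience", audience),                 # client id of the resource server
        ("permission", f"{resource_id}#{scope}"),  # Keycloak's resource#scope syntax
        ("response_mode", "decision"),          # want {"result": true}, not an RPT
    ]
    return url, headers, fields


def interpret_decision(status: int, body: bytes) -> bool:
    """Map Keycloak's reply to a boolean, failing loudly on anything else.

    200 with {"result": true}   -> authorized
    403 with error=access_denied -> not authorized
    Any other status (expired token, wrong audience, 5xx) is an error, not a
    "no", so an outage or misconfiguration is never silently read as a deny.
    """
    payload = json.loads(body or b"{}")
    if status == 200:
        return payload.get("result") is True
    if status == 403 and payload.get("error") == "access_denied":
        return False
    raise RuntimeError(f"permission endpoint returned {status}: {payload}")


def is_authorized(keycloak_base: str, realm: str, user_token: str, audience: str,
                  resource_id: str, scopes: Iterable[str]) -> bool:
    """Live check (network call). True only if every requested scope is granted.

    One request per scope keeps the answer independent of the resource server's
    decision strategy for multi-permission requests.
    """
    for scope in scopes:
        url, headers, fields = build_permission_request(
            keycloak_base, realm, user_token, audience, resource_id, scope)
        req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                granted = interpret_decision(resp.status, resp.read())
        except urllib.error.HTTPError as err:
            granted = interpret_decision(err.code, err.read())
        if not granted:
            return False
    return True


if __name__ == "__main__":
    # Placeholder values; point these at a real realm and a real user token to run.
    print(is_authorized("https://keycloak.example.test", "demo", "USER_ACCESS_TOKEN",
                        "my-resource-server", "document-1", ["read", "write"]))
```

The Authorization header is the part that cannot be dropped: whatever identity that token carries is the one the policies are evaluated against, which is exactly why the function needs a user token rather than a user_id.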