Concept for single page application and backend service

Hi all,

I have the following setup: First, a single page application (let’s say an angular app) that shows some user information (e-mail, name). Second, a backend service (e.g. spring boot) that allows or denies access to users based on fine grained permissions NOT only roles.

In order to have fine grained permission support I want to use the authorization concept that Keycloak defines (that defines resources, scopes, polices and permissions). To use this feature the client has to be confidential. However, the frontend has to be a public client, since it is a single page application.

Do i need two clients (public for the frontend and confidential for the backend)? After having fetched the token in the frontend (public client), how do i get the corresponding permissions of that user in the backend service? Obviously, the user shouldn’t have to log-in again.

Maybe someone can help me with the security concept for my architecture. Which flows should I use and what clients do i have to define?

Best regards
Eric

Serendipity has an Angular front end (PWA) and a Spring Boot back end (OAuth2 Resource Server).

See:

• Getting started with Keycloak
• Angular, OpenID Connect and Keycloak
• Angular, OAuth 2.0 and Keycloak
• Keycloak, Flowable and OpenLDAP
• Flowable OAuth2 Resource Server
• Keycloak Themes - Part 1
• Keycloak Themes - Part 2

Dear Robinyo,

thank you for your fast reply. Indeed this helps a lot!!! As I can see, Serendipity is defining different client scopes representing the different permissions for the backend.

I am wondering however, why Keycloak defines a separate authorization concept (defining permissions and so on) when we can’t use it for such applications.

Do you have any idea how your concept relates to the fine grained authorization features provided by Keycloak?

Best regards
Eric

Hi @e.b.smateso ,thanks for asking this question, I came here to ask the similar one ,Did you get an idea how to solve this problem ?

Thanks
Samir