Delegated Authorization

Hi, Community,
I am evaluating using Keycloak as one of our authorization and authentication components, and so far it looks amazing, but I have a very complex use case and I want to know if it's possible to do with this solution.

Basically, what I want to implement is the Trusted Master Access Delegation pattern described in the book Advanced API Security by Prabath,

which in general says:

"The APIs are hosted in different departments, and each department runs its own OAuth authorization server due to vendor incompatibilities in different deployments. Company employees are allowed to access these APIs via web applications while they’re behind the company firewall, regardless of the department to which they belong.

All user data is stored in a centralized Active Directory, and all the web applications are connected to a centralized OAuth authorization server (which also supports OpenID Connect) to authenticate users. The web applications need to access back-end APIs on behalf of the logged-in user. These APIs may come from different departments, each of which has its own authorization server. The company also has a centralized OAuth authorization server, and an employee having an access token from the centralized authorization server must be able to access any API hosted in any department."

Is it possible to achieve this with Keycloak?