Fine grained authorization with millions of resources

I’m currently designing how we will secure our microservices with Keycloak. We have a microservice that has individual resources; let’s call them widgets. We intend to have millions of widgets in total, with perhaps tens of thousands of widgets per user. We have a separate microservice that contains the group hierarchy of users. I’d like to grant access to individual widgets based on user and group, so, for example, there should be a permission that gives a user access to any widgets in their group or sub-groups of their group.

I have a few questions and concerns about the Keycloak integration:

  1. Should I create resources for individual widgets in Keycloak? This seems like it would create a lot of load on Keycloak that I’d like to avoid.
  2. When I want to do policy enforcement on an individual widget or when querying a collection of widgets (data filtering), what’s the best way to get the group information for the user? It seems like I could either replicate the group information within Keycloak (not sure if it supports multiple hierarchies like we have in our microservice), inject this information through a Claim Information Point (I don’t fully understand how to do this yet), or store this data with the widget service.
  3. When I enable the policy enforcer, won’t this create a query to Keycloak every time my widget service is queried? This doesn’t seem like it would scale well because the widget service will need to support a high rate of queries per second.

Thanks for the help!
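One way to evaluate the "own group or any sub-group" rule from the post locally in the widget service, as an added example that is not from the poster or from Keycloak: it assumes the access token has already been verified and carries a `groups` claim with full group paths (Keycloak's Group Membership mapper can emit these when "Full group path" is enabled), and that each widget stores the path of the group that owns it. Claims, widgets and group names below are constructed.

```python
from typing import Dict, Iterable, List

# Constructed sample: claims from an already-verified access token.
# Assumption: the realm's Group Membership mapper emits full group paths.
SAMPLE_CLAIMS: Dict = {
    "sub": "user-123",
    "groups": ["/acme/engineering"],
}

# Constructed sample widgets, each tagged with the path of its owning group.
SAMPLE_WIDGETS: List[Dict] = [
    {"id": "w1", "group": "/acme/engineering"},
    {"id": "w2", "group": "/acme/engineering/frontend"},
    {"id": "w3", "group": "/acme/sales"},
    {"id": "w4", "group": "/acme/engineering-ops"},  # sibling, not a sub-group
    {"id": "w5", "group": "/acme"},                   # parent, not a sub-group
]


def _normalize(path: str) -> str:
    """Canonical form: leading slash, no trailing slash, no empty segments."""
    segments = [s for s in path.split("/") if s]
    return "/" + "/".join(segments)


def is_in_or_below(widget_group: str, user_group: str) -> bool:
    """True if widget_group equals user_group or is one of its sub-groups.

    Compares whole path segments, so "/acme/engineering-ops" is not
    mistaken for a sub-group of "/acme/engineering".
    """
    w, u = _normalize(widget_group), _normalize(user_group)
    if u == "/":          # membership in the root covers every group
        return True
    return w == u or w.startswith(u + "/")


def can_access(claims: Dict, widget_group: str) -> bool:
    """Per-widget enforcement: grant if any of the user's groups covers the widget."""
    return any(is_in_or_below(widget_group, g) for g in claims.get("groups", []))


def visible_widget_ids(claims: Dict, widgets: Iterable[Dict]) -> List[str]:
    """Data filtering for collection queries: keep only widgets the user may see."""
    return [w["id"] for w in widgets if can_access(claims, w["group"])]


if __name__ == "__main__":
    print(visible_widget_ids(SAMPLE_CLAIMS, SAMPLE_WIDGETS))  # ['w1', 'w2']
```

Deciding from the token's claims avoids a round trip to Keycloak on every widget request; the trade-off is that a group change only takes effect once the user obtains a new token, so token lifetime bounds how long stale membership can be honoured.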

There is a good thread on this topic here: https://lists.jboss.org/pipermail/keycloak-user/2018-September/015567.html
You might wanna implement UMA 2.0 on your microservices and use that same feature from Keycloak.
In certain cases you might even want to consider moving the management and traffic control between microservices to a Service Mesh (https://maistra.io/).