Keycloak just as Authorization Server

Hello Gurus, I liked the Keycloak as AuthZ server, in our ecosystem AuthN is very well established and many applications are already using it. I have to build a central Authorization service, Keycloak has all the feature, but I don’t want to federate it with IDPs.
Is it possible or recommended to use Keycloak just as AuthZ server without anything related to AuthN.

Please share your thoughts/ concerns.

It is possible. Whether it is ideal or not, would very much depend on your use cases.

But does this possibility come with a lot of rider ? Is there anyway to remove the authentication part from KeyCloak?

Keycloak is an Identity Provider, thus a server/system made for authentication. Removing authentication parts from Keycloak would most probably result in chaos.

I’d suggest to better investigate in pure authorization solutions, perhaps something like OPA or similar. Less stress and optimized for authorization.

Thanks dasniko, OPA looks promising, would you mind to suggest other competitors of it ? Like oso, ory , have you ever got chance to compare all these ?

I second @dasniko 's thoughts on the idea of removing the authn parts from Keycloak.

I am currently looking at Oso and Casbin. I can’t make a strong recommendation either way yet, but both appear to be current, well-supported projects with good communities.

Just to be clear, when I say remove, I did not mean removing authentication from code what I meant, not using authentication feature at all.

Without having the users in Keycloak, I can’t imagine how using the authorization feature alone would work. It assumes that you’ve got the users and Keycloak and you are using it for authentication.

Fair point, I was assuming user information can be provided via SPI, writing some custom code to lookup user via REST API. We have different application which maintains the user and provides a REST endpoint to fetch users detail. So we don’t need authentication from KeyCloak and don’t want users to be created in KeyCloak , just want to store Policies, Permissions and token generation from KeyCloak.

Technically, it‘s possible to implement a custom User Storage SPI and manage the authorization policies in KC. But this adds complexity and overhead to a system what is made for something different.
And - TBH - the authorization services in Keycloak are one of the worst I ever saw, IMHO.

Use the right tool for the right job!!

Thanks dasniko, can’t agree more with you.

First there is a question of vocabulary. I guess that what you call “authorization server” is what is called PDP, Policy Decision Point, in OAuth. In other words, it’s where you send a token, and it evaluates policies, and returns permissions.

The term “authorization server” can also be used to describe the server that provides the token. Should it be the identity server? Not necessarily, it can just delegate identification to some other server, or take a token as input (token exchange). (to confuse matters, the endpoint for both usages is the same in Keycloak, it didn’t use to be)

So you want to use Keycloak as a PDP and PMP (Policy Management Point, where you define the policies).

I’m actually curious as to whether that’s possible, even though I tend to agree with others that it’s not the primary purpose of Keycloak. You would need to only reference stuff from the JWT in your policies, whereas Keycloak policies can actually fetch stuff from user profiles, groups etc.

I have found problems with Keycloak as a policy evaluator (PDP): oauth - Keycloak JavaScript APIs do not provide effective roles and attributes from groups - Stack Overflow
I have found problems with Keycloak as a token provider (as opposed to identity provider, see above): Token exchange (external to internal) and mapping don’t work together - Miscellanaeous - Keycloak

I have not found any problems with Keycloak as an identity provider, complete with federation.

The main policy engine that I hear about is OPA. For a comparison with Casbin, there is this… OPA vs Casbin · GitHub
(it reads a bit like a vi vs emacs page, they are very close )

Thanks jrobinss - You are right, I want to use Keycloak as PDP and PMP. Here is what I would like my AuthZ service to work.

1. Get OIDC token from IDP (Already have IDP in ecosystem, can’t use Keycloak for this purpose).
2. Make request to AuthZ service with OIDC token + Scopes of Target applications.
3. AuthZ service, takes the user info from token, looks for allowed scope and attach permission as claims.
4. If client has any protected resource like “views” “pages” it serve based on permissions inside token.
5. If client want to receive data from any data provider (target application), same token can be passed, if any target application still need finer level access details, it can make call to AuthZ server (PDP) with Token + Requested permission + Resource, based on these information PDP return allow/ no allow.

I liked OPA very much as it does what exactly I need PDP + PMP, only concern is, it runs as proxy inside sidecar. Not all applications in my ecosystem are built using Kubernetes , there few on google app engine as well.

I am open for any suggestion .

If you just want Keycloak to act as PDP, I suppose you would still have to declare your IDP as an external IDP in Keycloak. If only because Keycloak needs to trust the token to evaluate the policies. And it will synch users in Keycloak automatically (choose “force synch” to forget about synch issues).

I have not tested this. If it doesn’t work, it would be because Keycloak is expecting a token from itself. In which case you need first token exchange, then evaluation. Things get more complicated than you wished for.

BTW does Keycloak validate the audience “aud” of the JWT? JWT validation is policies, sure, but also validation of expiration date, not-before date, audience etc.

Thanks jrobniss - This explanation helps, appreciate your help.