I’m working on a problem statement that involves an AWS IAM kind of setup for multiple teams. There is one realm that takes care of AuthX for a bunch of applications. The kind of users that would want to interact with Keycloak to obtain tokens would be:
- The team’s human users with federated login via an external IDP - Password Grant Flow
- The team’s machine users (or clients in Keycloak lingo) - Client Credentials Flow
- The team’s root user who can add or remove users and clients. - Password Grant Flow
How would one model this in Keycloak?
It is important that the tokens tell the backend which team the user/machine requests belong to, since it links this to resource ownership.
One approach I have been toying with is to use attributes like a “team_id” on each user of the same team. This attribute would eventually land in the token which would solve the resource ownership problem.
But I wouldn’t know how I can achieve the same for Keycloak clients.
This approach also does not solve the “root” user problem though.
Am I thinking in the right direction? What else can I try?
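An added example (not part of the original post) of the attribute approach described above, in Python: it builds the Keycloak Admin REST representations that would carry a `team_id` user attribute into the access token through the built-in User Attribute protocol mapper, applies the same attribute to a client's service-account user so client-credentials tokens carry it too, and shows the backend-side ownership check on a constructed set of token claims. The team names, endpoint ids and claim name are assumptions for illustration.

```python
from typing import Optional

# Built-in Keycloak mapper type that copies a user attribute into a claim.
MAPPER_TYPE = "oidc-usermodel-attribute-mapper"
TEAM_ATTR = "team_id"  # assumed attribute/claim name


def team_claim_mapper(claim_name: str = TEAM_ATTR) -> dict:
    """ProtocolMapperRepresentation for a client scope (constructed here):
    POST /admin/realms/{realm}/client-scopes/{id}/protocol-mappers/models"""
    return {
        "name": "team id",
        "protocol": "openid-connect",
        "protocolMapper": MAPPER_TYPE,
        "config": {
            "user.attribute": TEAM_ATTR,
            "claim.name": claim_name,
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def team_member(username: str, team: str) -> dict:
    """UserRepresentation for POST /admin/realms/{realm}/users.
    Keycloak attributes are multi-valued, hence the list."""
    return {"username": username, "enabled": True,
            "attributes": {TEAM_ATTR: [team]}}


def service_account_update(team: str) -> dict:
    """Body for PUT /admin/realms/{realm}/users/{id} on the user returned by
    GET /admin/realms/{realm}/clients/{client-uuid}/service-account-user.
    A client with serviceAccountsEnabled owns such a user, so the same
    mapper fills team_id in its client-credentials tokens."""
    return {"attributes": {TEAM_ATTR: [team]}}


def owning_team(claims: dict) -> Optional[str]:
    """Backend side: read the team from claims of an already-verified token
    (signature, issuer and expiry checks are assumed to have passed)."""
    value = claims.get(TEAM_ATTR)
    if isinstance(value, list):  # mapper configured as multi-valued
        value = value[0] if len(value) == 1 else None
    return value if isinstance(value, str) and value else None


def may_access(claims: dict, resource_owner_team: str) -> bool:
    """Deny unless the token names exactly the team that owns the resource."""
    team = owning_team(claims)
    return team is not None and team == resource_owner_team
```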