Seeking advice for Keycloak authorization

Hi everyone, I am new to Keycloak. My system has many microservices like Grafana, pgAdmin and some other web services. I'm using Docker Swarm and the Traefik reverse proxy. I want to protect these services and also restrict user access, so I set up a Traefik ForwardAuth to route user requests to OAuth. Then they can sign in to Keycloak for authentication.

Currently, everyone in the organization can access all services with a Gmail account. I want to restrict them so that person A can only access Grafana, person B can access pgAdmin and person C has full access to all services. I am thinking about roles in Keycloak, so that I can create user groups: grafana-user, pgadmin-user, admin. I would also create some user roles for a specific service like admin, guest, editor.

How can I implement these things for checking user permissions? I saw that we have Keycloak Gatekeeper, but as someone said, it is similar to OAuth2. Or do I have to implement an adapter service for it?
Any suggestions are welcome.

IMHO the best option is to use built-in app authorization (and authentication). Expose groups/roles in the ID/access token, so the app can use them for authorization. For example, Grafana has role mapping with role_attribute_path. The Grafana admin can manage that role mapping on their own. Some apps don't have built-in authorization, so then you need an authorization proxy (e.g. gogatekeeper). But make sure that protected apps can read the proxy-provided user identity (usually exposed via request headers).

Another option would be to have a dedicated client for each app and do authorization in the authentication process, e.g. a scripted mapper in Keycloak. I don't like this option, because the IDP (Keycloak) is for authentication, not authorization. It is very weird when authentication returns an authorization error. It is also a very custom approach, and you will need to rewrite authorization from scratch when you switch to a different IDP.


Hi Jangaraj, could you explain a bit about the IMHO (or the link for this)? About the Grafana role_attribute_path you mentioned, I found a post that might be similar: Janik Vonrotz - Grafana OAuth with Keycloak and how to validate a JWT token.

See Grafana doc - OAuth authentication | Grafana Labs

Hi @jangaraj, in case I have a web server built in Python Flask and I want to restrict user access for some URLs, how can I set it up in the Keycloak client? I have followed some posts with Keycloak client authorization, but it does not work for me.

I have thought about parsing the access token in the request header, extracting the user information, then building a decorator to check the user's role and group. But I think it is not an efficient way.
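The decorator approach described in the post above, as an added example that is not code from the thread or from Keycloak. It is stdlib-only Python, so it stands in for the Flask view decorator: the handler receives a dict of request headers and returns an HTTP status. Assumptions not in the thread: the token is an HS256 JWT so the signature can be checked with hmac (Keycloak signs access tokens with RS256 by default, so a real service verifies against the realm's JWKS with a JWT library); the claim layout follows Keycloak's defaults (realm roles under realm_access.roles, client roles under resource_access.<client>.roles, and a groups claim that needs a Group Membership mapper on the client); the client id "pgadmin" and the shared secret are constructed values.

```python
"""Check Keycloak roles/groups from a bearer token in a handler decorator.

Added example, not from the thread. HS256 with a constructed shared secret is
used only so the example runs offline; production code verifies RS256 against
the realm's JWKS with a JWT library instead of the hmac check below.
"""
import base64
import hashlib
import hmac
import json
import time
from functools import wraps
from typing import Optional

SECRET = b"demo-secret-not-for-production"  # constructed, HS256 demo only


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a signed HS256 JWT standing in for a Keycloak-issued access token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify signature and expiry before returning claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def granted_roles(claims: dict, client_id: str) -> set:
    """Merge realm roles, the given client's roles and group names into one set."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    roles |= {g.lstrip("/") for g in claims.get("groups", [])}  # Keycloak groups are "/name"
    return roles


def require_roles(*required, client_id="pgadmin", any_of=True):
    """Run the wrapped handler only if a verified token carries the required roles."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(headers: dict, *args, **kwargs):
            auth = headers.get("Authorization", "")
            if not auth.startswith("Bearer "):
                return 401, "missing bearer token"
            try:
                claims = verify_token(auth[len("Bearer "):])
            except ValueError as exc:
                return 401, f"invalid token: {exc}"
            have = granted_roles(claims, client_id)
            ok = bool(have & set(required)) if any_of else set(required) <= have
            if not ok:
                return 403, "forbidden"
            return handler(claims, *args, **kwargs)
        return wrapper
    return decorator


@require_roles("admin", "pgadmin-user")
def pgadmin_home(claims):
    """Handler for a pgAdmin-only URL: admins and pgadmin-user group members pass."""
    return 200, f"hello {claims['preferred_username']}"


if __name__ == "__main__":
    tok = make_token({"preferred_username": "b", "exp": time.time() + 300,
                      "groups": ["/pgadmin-user"]})
    print(pgadmin_home({"Authorization": f"Bearer {tok}"}))
```

The order of checks is the point: signature and expiry are verified before any claim is read, the algorithm is pinned rather than taken from the token, and the role check returns 403 separately from the 401 for a missing or invalid token so that logs distinguish unauthenticated from unauthorized requests.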

I would use Flask-OIDC — Flask-OIDC 1.1 documentation.