I am migrating from an overly complex CAS-based solution to what will hopefully be a simpler Keycloak solution and am running into a few challenges.
Is this a good use case for a resource server model?
Background:
- Multiple Spring-based web applications handle different aspects of a CRM-like solution.
- The customer within the CRM domain is owned by a parent organization.
- Different Keycloak users should have access to different data within each application based on the owner.
- Actual access is fairly granular, but is based on groups. Group A provides read access to entities owned by ABC in application 1, and read/write access to entities owned by ABC in application 2.
- Each user may be assigned multiple groups.
- Each group may have multiple users.
- Thousands of parent organizations exist. Note that the parent organization is not a Keycloak user, just the concept of who owns the entity.
My Challenge:
- Is this a good use case for a resource server-based model? If so, how can multiple applications share the data, since the resource server is defined at the client level and each application is a separate client?
- What is the best approach for Spring to verify that a Keycloak user has access to an entity? Should we look up what the effective resource server access is, or verify with each entity?
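As an added illustration (not code from the original post), the following plain Java models the access scheme described in the Background section: a group grants a set of permissions on entities owned by one parent organization within one application, a user holds the union of the grants of all their groups, and anything not granted is denied. It shows the "verify with each entity" option from the last bullet: the check takes the group names that the Keycloak token carries and the owner recorded on the entity, which is what a Spring Security `PermissionEvaluator` would call. The group names, application names, owner identifiers and the in-memory policy table are constructed for the example.

```java
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Added example, not code from the original post. Group, application and owner
// names are hypothetical; the policy table is constructed in memory for illustration.
public class GroupEntityAccess {

    enum Permission { READ, WRITE }

    // One grant: members of `group` get `permissions` on entities owned by
    // `ownerId` inside `application`. Deny by default: anything not listed is denied.
    record Grant(String group, String application, String ownerId, Set<Permission> permissions) {}

    // An entity as one of the Spring applications sees it: it records the
    // parent organisation that owns it, which is not itself a Keycloak user.
    record Entity(String id, String ownerId) {}

    // Constructed policy table mirroring the Group A example in the post:
    // read on ABC-owned entities in app1, read/write on ABC-owned entities in app2.
    // One shared table keyed by (group, application, owner) can serve every client.
    static final List<Grant> POLICY = List.of(
        new Grant("group-a", "app1", "ABC", EnumSet.of(Permission.READ)),
        new Grant("group-a", "app2", "ABC", EnumSet.of(Permission.READ, Permission.WRITE)),
        new Grant("group-b", "app1", "XYZ", EnumSet.of(Permission.READ, Permission.WRITE))
    );

    // Effective permissions for a user on one owner within one application.
    // A user in several groups gets the union of those groups' grants.
    static Set<Permission> effectivePermissions(Collection<String> userGroups,
                                                String application, String ownerId) {
        Set<Permission> result = EnumSet.noneOf(Permission.class);
        for (Grant g : POLICY) {
            if (userGroups.contains(g.group())
                    && g.application().equals(application)
                    && g.ownerId().equals(ownerId)) {
                result.addAll(g.permissions());
            }
        }
        return result;
    }

    // Per-entity check. In a Spring application this is the body a
    // PermissionEvaluator.hasPermission(...) would delegate to, with `userGroups`
    // read from the groups claim of the Keycloak access token.
    static boolean canAccess(Collection<String> userGroups, String application,
                             Entity entity, Permission permission) {
        return effectivePermissions(userGroups, application, entity.ownerId())
                .contains(permission);
    }

    public static void main(String[] args) {
        // Constructed inputs: the groups claim of one user's token and two entities.
        List<String> groupA = List.of("group-a");
        List<String> groupsAB = List.of("group-a", "group-b");
        Entity abcEntity = new Entity("e-1", "ABC");
        Entity xyzEntity = new Entity("e-2", "XYZ");

        System.out.println("group-a read  ABC in app1: "
                + canAccess(groupA, "app1", abcEntity, Permission.READ));
        System.out.println("group-a write ABC in app1: "
                + canAccess(groupA, "app1", abcEntity, Permission.WRITE));
        System.out.println("group-a write ABC in app2: "
                + canAccess(groupA, "app2", abcEntity, Permission.WRITE));
        System.out.println("group-a read  XYZ in app1: "
                + canAccess(groupA, "app1", xyzEntity, Permission.READ));
        System.out.println("group-a+b write XYZ in app1: "
                + canAccess(groupsAB, "app1", xyzEntity, Permission.WRITE));
    }
}
```

Because the check is keyed on the owner stored with the entity rather than on the entity itself, the policy table stays proportional to groups times owners times applications, not to the number of entities, and each application only needs the token's group list plus the owner column of its own data to decide.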