We have applications using Keycloak 18 for authentication and have successfully upgraded Keycloak to version 24.
We were reading the documentation and studying the Authorization Service and User Managed Access. We currently use a proprietary solution parallel to Keycloak for authorization of resources to the SPA and services.
What is the main reason for adopting authorization for confidential clients and not for public clients?
It would be extremely interesting to make this implementation available for public clients, even to centralize user access control (also taking into account the adoption of organizations for multitenancy to facilitate the creation of SaaS applications).
It would also be interesting, in the process of obtaining user permissions, to return information other than a UUID and Name, such as attributes and type (perhaps?).
In my opinion, implementing the Authorization Service in a large monolithic application would make access management very complex, especially if you want to make APIs available for policy management by the tenant.
I would very much like to understand what the team and the community think about this feature and its future.
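As an added illustration of the "UUID and Name" point raised in the post above (this is example code written for this page, not code from the original post or from the Keycloak project), the block below builds the form body a client sends to Keycloak's token endpoint to request permissions from the Authorization Services with the UMA ticket grant and `response_mode=permissions`, and then parses the kind of answer that mode returns: a list of entries carrying only the resource id (`rsid`), the resource name (`rsname`) and the granted scopes. The client id `my-api`, the resource names `Invoice Resource` and `Report`, the scope names and the sample response JSON are all constructed for this example and are not taken from the page; the request is built but not sent, so the block runs offline.

```python
"""Added example: build a Keycloak Authorization Services permission request
and evaluate the permissions-mode response locally.

Assumptions (not from the original post): the resource server is a
confidential client with client id "my-api"; the resources, scopes and the
SAMPLE_RESPONSE below are constructed for this example.
"""
from urllib.parse import urlencode

# Grant type used for permission requests against the token endpoint
# (POST /realms/<realm>/protocol/openid-connect/token).
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permission_request(audience, permissions, response_mode="permissions"):
    """Return the application/x-www-form-urlencoded body of a permission request.

    `permissions` is a list of (resource, scope) tuples; a scope of None asks
    for the resource with any scope. Each tuple becomes one `permission`
    field in the form "resource#scope". With response_mode="permissions"
    Keycloak answers with the granted permissions instead of an RPT token;
    response_mode="decision" would answer with a simple {"result": true}.
    """
    fields = [
        ("grant_type", UMA_TICKET_GRANT),
        ("audience", audience),
        ("response_mode", response_mode),
    ]
    for resource, scope in permissions:
        fields.append(("permission", f"{resource}#{scope}" if scope else resource))
    return urlencode(fields)


def parse_permissions(response_json):
    """Flatten a permissions-mode response into a set of (resource name, scope) pairs.

    An entry without scopes is recorded as (resource name, None), meaning the
    whole resource was granted. Note that nothing beyond id, name and scopes
    is available here; resource attributes or a resource type are not part
    of this response shape.
    """
    granted = set()
    for entry in response_json:
        scopes = entry.get("scopes") or [None]
        for scope in scopes:
            granted.add((entry["rsname"], scope))
    return granted


def is_allowed(granted, resource, scope):
    """Local check: the scope was granted explicitly, or the whole resource was."""
    return (resource, scope) in granted or (resource, None) in granted


# Constructed sample of what response_mode=permissions returns (not captured
# from a real server): a resource id, a resource name and the granted scopes.
SAMPLE_RESPONSE = [
    {
        "rsid": "8b8d1c2e-0f4a-4c3b-9d6e-1f2a3b4c5d6e",
        "rsname": "Invoice Resource",
        "scopes": ["invoice:view", "invoice:edit"],
    },
    {
        "rsid": "3c1e9f7a-5b2d-4e8c-a1f0-6d7e8f9a0b1c",
        "rsname": "Report",
    },
]


if __name__ == "__main__":
    body = build_permission_request(
        "my-api", [("Invoice Resource", "invoice:view"), ("Report", None)]
    )
    print("request body:", body)
    granted = parse_permissions(SAMPLE_RESPONSE)
    print("granted:", sorted(granted, key=str))
    print("may view invoices:", is_allowed(granted, "Invoice Resource", "invoice:view"))
    print("may delete invoices:", is_allowed(granted, "Invoice Resource", "invoice:delete"))
```

The body produced by `build_permission_request` is what a client would POST to the realm's token endpoint together with its bearer token; the example stops short of sending it so that it runs without a server.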