Asking for help about configuring keycloak as resource server


Wesley Montcho

Sep 18, 2023, 1:19:34 PM
to Keycloak Dev

Hello all devs/contributors.

I'm Wesley.
I'm trying to set up a resource server in Keycloak and have some issues.

When I try to get a resource from my API, in the gateway, I want to check whether the user is authorized to get that resource.

Let's suppose that I have an endpoint in my API that returns a list of all the users, and in Keycloak I have registered two users, Admin and Collabo, with the roles "admin" and "collabo".
I create a client named users-client and register a list of resources in the client.

In fact, for each client created, I thought the best way would be to register the endpoints linked to the associated microservice, so that each endpoint is a resource registered in Keycloak.

For example:

  • documents-service-client: the endpoints documents_list, document_content, documents_created_by_user, etc.
  • users-client: users_list, create_user, get_user_info, etc.

So for each resource, I want to associate the roles that the user must have before accessing it.
Ideally, when the request is sent, nginx (which I use as an API gateway) directs the request to the associated microservice and asks Keycloak to check whether the user can access the resource based on his role(s). If yes, I continue the request; if no, I block it and don't go to the view that should serve the data.

Going back to my user list example, Keycloak should allow me to block the request if the user doesn't have the admin role.

Let the nginx config be as follows:

[image attachment: carbon (1).png, nginx config screenshot]

In this nginx config, I'm passing the "/protected resource" request to the logic that's supposed to check whether the user has access to the resource, with the uri=$uri parameter, through "auth_request". So I'd like Keycloak to map the URL I'm passing to a resource I've set up and check authorisation.

I have tried to use the following endpoint provided by Keycloak to check the permission:

[image attachment: carbon.png, Keycloak permission endpoint screenshot]

To use this, I was supposed to know the resource's id, but since I have a lot of resources registered, it will be difficult to work like that.

Can someone please help me to create a better architecture, or help me find a way to do what I want to do?

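The auth_request flow described in the post, written out as an added example (not code from the post or from the Keycloak project): a small handler that nginx's auth_request would call, which maps the request URI to a Keycloak resource name, asks the realm token endpoint for a decision with the UMA ticket grant and response_mode=decision, and returns the 200/401/403 status nginx expects. The realm URL, the route table and the fake Keycloak responder are constructed assumptions; that the permission parameter accepts a resource name rather than an id is also assumed, so check it against your Keycloak version.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed route table: request URI pattern -> Keycloak resource name (assumed names).
ROUTES = [
    (re.compile(r"^/users/?$"), "users_list"),
    (re.compile(r"^/users/[^/]+$"), "get_user_info"),
    (re.compile(r"^/documents/?$"), "documents_list"),
]
KEYCLOAK_REALM = "https://keycloak.example/realms/myrealm"  # placeholder realm URL
CLIENT_ID = "users-client"  # the client that owns the resources (as in the post)

# A poster sends the form to the token endpoint and returns (HTTP status, JSON body).
Poster = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, dict]]


def resource_for(uri: str) -> Optional[str]:
    """Map an incoming URI to the registered resource name, or None if unmapped."""
    for pattern, name in ROUTES:
        if pattern.match(uri):
            return name
    return None


def authorize(uri: str, auth_header: Optional[str], post: Poster) -> int:
    """Return the status for nginx auth_request: 200 allows, 401/403 deny the request."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401  # no bearer token: the client must authenticate first
    token = auth_header[len("Bearer "):].strip()
    if not token:
        return 401
    resource = resource_for(uri)
    if resource is None:
        return 403  # endpoint not registered as a resource: fail closed
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": CLIENT_ID,
        "permission": resource,      # assumed: resource name, no scope qualifier
        "response_mode": "decision",  # Keycloak answers {"result": true} instead of an RPT
    }
    status, body = post(f"{KEYCLOAK_REALM}/protocol/openid-connect/token",
                        {"Authorization": f"Bearer {token}"}, form)
    if status == 200 and body.get("result") is True:
        return 200
    return 401 if status == 401 else 403  # expired/invalid token vs. policy denial


def fake_keycloak(url: str, headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, dict]:
    """Constructed stand-in for the token endpoint: only the 'admin' token may list users."""
    allowed = {"admin": {"users_list", "get_user_info", "documents_list"},
               "collabo": {"documents_list", "get_user_info"}}
    token = headers["Authorization"].removeprefix("Bearer ")
    if token not in allowed:
        return 401, {"error": "invalid_grant"}
    if form["permission"] in allowed[token]:
        return 200, {"result": True}
    return 403, {"error": "access_denied"}
```

In nginx, point `auth_request` at a location that proxies to this handler and forwards `$uri` and the Authorization header; nginx passes only a 2xx result through.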