Hello community,
I'm new to Keycloak and I do not quite understand the concept for authorization. It seems Keycloak has a fine-grained authorization system using resources, scopes, policies and permissions. A policy-enforcement-point on the resource server side communicates with the policy-decision-point on the authorization server side, probably the token endpoint.
My questions:
1) Apparently two kinds of policy-enforcement-points are left for securing services: Java-based and mod_auth_openidc + other generic OIDC/OAuth2 proxies. Correct?
2) I suppose some detailed information exchange between policy-enforcement-point and policy-decision-point is required. At least the request path is required; often parameters are also involved in the decision if a request represents a create, update, delete etc. Which policy-enforcement-points support providing this information? I can't see this in mod_auth_openidc.
3) To me it seems mod_auth_openidc is basically limited to RBAC or similar things available from the access_token. Is that right?
4) What happens if the user is authenticated already and an access_token was issued for, let's say, /myservice/order. Now /myservice/shipping is called, a different resource. Will mod_auth_openidc ask for a new token to check for the permissions on this different resource?
Many thanks in advance!
Andreas
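Added example (not from the original post or from the Keycloak project): the exchange the post sketches, a policy-enforcement-point mapping a request to a resource and scope and asking Keycloak's token endpoint for a yes/no decision via the UMA ticket grant (`grant_type`, `audience`, `permission` and `response_mode=decision` are Keycloak's documented parameters). The hostname, realm, client id, resource names and the path/method mapping are assumed values chosen to match the paths in question 4.

```python
import json
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example.com"  # assumed Keycloak host
REALM = "myrealm"                                # assumed realm name
CLIENT_ID = "myservice"                          # assumed resource-server client
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
# Constructed PEP mapping: path prefix -> Keycloak resource, HTTP method -> scope.
RESOURCES = {"/myservice/order": "order", "/myservice/shipping": "shipping"}
SCOPES = {"GET": "view", "POST": "create", "PUT": "update", "DELETE": "delete"}

def map_request(method, path):
    """(resource, scope) for a request, or None; the PDP never sees the path."""
    for prefix, resource in RESOURCES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return resource, SCOPES.get(method.upper(), "view")
    return None

def build_decision_request(access_token, resource, scope, client_id=CLIENT_ID):
    form = {"grant_type": UMA_GRANT, "audience": client_id,
            "permission": f"{resource}#{scope}",   # what the PEP tells the PDP
            "response_mode": "decision"}           # want only {"result": ...}
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urllib.parse.urlencode(form)

def parse_decision(body):
    """Granted only on an explicit {"result": true}; a denial arrives as HTTP 403
    with an error body, so anything else fails closed."""
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):
        return False

def http_post(url, headers, body):
    req = urllib.request.Request(url, data=body.encode(), headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    except urllib.request.HTTPError as err:  # 403 carries the denial body
        return err.read().decode()

def check_permission(access_token, method, path, post=http_post):
    """One PEP step: map the request, ask the PDP, deny unless explicitly granted."""
    mapped = map_request(method, path)
    if mapped is None:
        return False
    headers, body = build_decision_request(access_token, *mapped)
    return parse_decision(post(TOKEN_ENDPOINT, headers, body))
```

Each call to check_permission is a separate decision query, so a token obtained for /myservice/order does not by itself answer a request for /myservice/shipping; pass a stub as `post` to exercise the logic without a running Keycloak.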