It seems you’re trying to enforce that only client B can call client C. This isn’t really
something considered by the OpenID Connect spec. Are you using the access token from client A
to call client C (from B)? If so, the client adapter can’t help you here. If your intent
is just to protect service C from being called directly, just secure it behind a firewall
so that only client B may access it.
It’s also not very clear what you’re trying to accomplish by “protecting” access to client C.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
On Dec 16, 2015, at 10:30 AM, Dirk Franssen
<dirk.franssen(a)gmail.com> wrote:
Hi,
as I didn't receive any feedback on this question yet, I will resend it (perhaps due
to pending subscription)
On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen <dirk.franssen(a)gmail.com> wrote:
Hi,
how would one configure Keycloak to obtain the following scenarios?
Scenario 1:
client A: public (angular app)
client B: bearer-only (microservice)
client C: bearer-only (microservice)
- microservice B is allowed to call microservice C, but an authenticated user in the js
app A should be forbidden to call microservice C directly.
Scenario 2:
client A: public (angular app)
client B: confidential (1 war with a REST service AND a JSF application, both using the
same EJB business layer which is accessing microservice C)
client C: bearer-only (microservice)
- a user authenticated in the angular app can use the REST service of app B and will see
the results of microservice C, but the user may not call microservice C directly
- a user authenticated in the JSF application will see the results of microservice C when
using the JSF application, but should not be able to use microservice C directly (if the
user would reuse the same access_token)
- should there be different roles for the REST part and the JSF part of app B (for
accessing microservice C)?
Kind regards,
Dirk
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user