6:10 a.m.
On 6/29/2015 12:47 AM, Shannon Lloyd wrote:
Hi,
We are evaluating Keycloak for possible use in a microservices-based
SaaS platform that we are building, and I have a few questions around
the suitability of Keycloak within the architecture that we are planning
on using.
Briefly, we will have a handful of end-user applications with their own
UIs and a large number of backend services with which those UIs will
speak. Some of those services will act as aggregating/gateway services
which will delegate to other services further downstream, so there will
be a lot of service-to-service comms. Our design currently calls for
each logical application (i.e. a UI plus a handful of supporting
services) to have its own set of roles that make sense within the
context of that application. Because many/most roles will only make
sense in that one context, it does not make sense for a user's token to
contain all possible roles across the entire realm (the tokens would be
insanely large). We came up with the idea of having an
authentication/identity token (containing no application-specific roles)
to represent the logged in user, and then passing this token to
downstream services which would then (e.g. via a filter in front of that
service) retrieve and cache application-specific tokens (with roles)
from the SSO service for that combination of authenticated identity and
application/client (relying on the fact that the identity token is valid
and not expired as proof of an active session).
I don't think you need to do that. In Keycloak each token is built
specifically and tailor made for each client and you have complete
control over what goes into the token via the client's Scope and Mappers.
Firstly, does this seem like a reasonable approach?
Secondly, how much support is there in Keycloak to support something
like this? We are not using an app server, so it doesn't appear to be a
simple case of leveraging one of the existing adapters. We have a custom
Java(-SE)-based framework (happens to use Undertow for HTTP, but only
undertow-core). What support exists for custom, programmatic
authentication and JWT retrieval outside of the set of adapters provided
in the Keycloak distribution? Are there any examples along these lines?
Is it a case of us needing to trawl through all the REST endpoints
exposed via keycloak-services to figure out what is do-able, or are the
non-admin endpoints documented somewhere in the same way that the admin
endpoints have been documented?
Tokens are just JWTs wrapped in a JWS. Since you're using Undertow, I
think it is possible to use our adapter. I'd have to do some research
to remember how, but our Security Proxy does something very similar if
you want to look at that code. Our Security Proxy is just Undertow set
up with a handler chain which is what you probably want.
I noticed this on the Keycloak blog about a month ago:
If a service needs to invoke another service it can pass on the token it
received, which will invoke the other service with the users
permissions. Soon we'll add support for services to authenticate
directly with Keycloak to be able to invoke other services with their
own permissions, not just on behalf of users.
Marek is work on that the next few weeks.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com