Hi All,
I'm trying to get a handle on Keycloak and have a use case it may be good for, but it
is unclear how I proceed.
I would like to use Keycloak to provide unified authentication and provide some additional
info useful for authorization. So this is OpenID Connect type things. Allow a user to
log in with Kerberos or some social provider such as Google/GitHub. And then tack on some
groups/roles/whatever to allow authorization downstream. Keycloak seems to support this
piece very well.
I'd like to be able to do something similar to Google or GitHub, where you have a self-service
website a user can go to, to get client credentials to allow external web services
to auth to the web services on the user's behalf. As things like Kubernetes become more
widely deployed, I see users needing to launch their own web services and hook them into
the auth system easily. I see pieces of this in Keycloak but am not sure how this should
work.
I can see the organization providing some services, and other users providing services.
How would you arrange it so that one tenant's services could be authorized by a user to be
used by another tenant's services?
Like, in the attached diagram, I could see a user logging in, then going to the Processing
web service, then being asked to give access permissions to the Storage web service so
that it can retrieve data.
To do something like this, would you have one master domain users log in through, and then
have per-tenant domains which are an openidc client of the master domain, and give each
tenant their own admin access to their own tenant?
Is there a totally different way to do this? Is this something that is out of scope for
Keycloak?
Thanks,
Kevin
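As an added example (not part of Kevin's post, and not Keycloak's own code), here is what the two pieces the post describes look like when written out as plain OAuth 2.0 / OpenID Connect requests: the self-service step, where a user's own service registers itself and receives a client_id/client_secret via Keycloak's OIDC dynamic client registration endpoint, and the consent step, where the Processing service sends the user through the authorization endpoint and then swaps the user's token for one scoped to the Storage service using RFC 8693 token exchange on the token endpoint. The base URL, realm name, client ids, scope name and the injectable `post` transport are assumptions so the module runs offline; it also assumes token exchange is enabled for the realm, which is not the case by default.

```python
"""Added example: self-service client registration plus cross-service consent,
expressed as OAuth 2.0 / OIDC requests against Keycloak. Deployment values are
hypothetical and the HTTP transport is injected so the code runs offline."""
import json
import secrets
from urllib.parse import urlencode

# Hypothetical deployment values (assumptions, not from the post).
KEYCLOAK = "https://sso.example.org"
REALM = "master-login"


def build_registration_request(client_name, redirect_uris):
    """Body for Keycloak's OIDC dynamic client registration endpoint
    (/realms/{realm}/clients-registrations/openid-connect). A realm admin
    issues the user an Initial Access Token; the user's service registers
    itself with it and gets back its own client_id/client_secret."""
    return {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }


def register_client(initial_access_token, body, post):
    """POST the registration. `post(url, headers, data)` must return
    (status, body_text); a real caller passes a requests-based wrapper.
    Keycloak answers 201 with the client's credentials on success."""
    url = f"{KEYCLOAK}/realms/{REALM}/clients-registrations/openid-connect"
    headers = {
        "Authorization": f"Bearer {initial_access_token}",
        "Content-Type": "application/json",
    }
    status, text = post(url, headers, json.dumps(body))
    if status != 201:
        raise RuntimeError(f"registration failed: {status} {text}")
    resp = json.loads(text)
    # Store only what the service needs; the registration access token is
    # what lets it update or delete its own registration later.
    return {k: resp[k] for k in ("client_id", "client_secret",
                                 "registration_access_token")}


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Step 1 of the consent flow: the Processing service sends the browser
    here. Requesting the Storage service's scope, with consent required on
    the Processing client, is what makes Keycloak show a consent screen."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", *scopes]),
        "state": state,
    }
    base = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth?"
    return base + urlencode(params), state


def check_callback_state(expected_state, returned_state):
    """Reject a callback whose state does not match what was issued (CSRF)."""
    return secrets.compare_digest(expected_state, returned_state)


def build_token_exchange_body(subject_token, target_client_id):
    """Step 2: RFC 8693 token exchange as Keycloak exposes it on
    /realms/{realm}/protocol/openid-connect/token. Processing swaps the
    user's access token for one whose audience is the Storage client, and
    then calls Storage with it on the user's behalf. Assumes token exchange
    is enabled for the realm and permitted for this client pair."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": target_client_id,
    }
```

The per-tenant split in the post maps onto this the same way: each tenant's services are clients (registered by the tenant, not the central admin) of the one realm users log in through, and the consent screen plus the audience on the exchanged token are what keep one tenant's service from reaching another tenant's service without the user having agreed to it.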