Hi,

We are evaluating Keycloak for possible use in a microservices-based SaaS platform that we are building, and I have a few questions around the suitability of Keycloak within the architecture that we are planning on using.

Briefly, we will have a handful of end-user applications with their own UIs and a large number of backend services with which those UIs will speak. Some of those services will act as aggregating/gateway services which will delegate to other services further downstream, so there will be a lot of service-to-service comms. Our design currently calls for each logical application (i.e. a UI plus a handful of supporting services) to have its own set of roles that make sense within the context of that application. Because many/most roles will only make sense in that one context, it does not make sense for a user's token to contain all possible roles across the entire realm (the tokens would be insanely large). We came up with the idea of having an authentication/identity token (containing no application-specific roles) to represent the logged-in user, and then passing this token to downstream services which would then (e.g. via a filter in front of that service) retrieve and cache application-specific tokens (with roles) from the SSO service for that combination of authenticated identity and application/client (relying on the fact that the identity token is valid and not expired as proof of an active session).

Firstly, does this seem like a reasonable approach?

Secondly, how much support is there in Keycloak to support something like this? We are not using an app server, so it doesn't appear to be a simple case of leveraging one of the existing adapters. We have a custom Java(-SE)-based framework (happens to use Undertow for HTTP, but only undertow-core). What support exists for custom, programmatic authentication and JWT retrieval outside of the set of adapters provided in the Keycloak distribution? Are there any examples along these lines? Is it a case of us needing to trawl through all the REST endpoints exposed via keycloak-services to figure out what is do-able, or are the non-admin endpoints documented somewhere in the same way that the admin endpoints have been documented?

I noticed this on the Keycloak blog about a month ago:

If a service needs to invoke another service it can pass on the token it received, which will invoke the other service with the users' permissions. Soon we'll add support for services to authenticate directly with Keycloak to be able to invoke other services with their own permissions, not just on behalf of users.

Is there any news on these plans? It sounds like the sort of thing that we would require.

Cheers,
Shannon
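Added illustration (not part of the original message, and not Keycloak's own code or API): a toy version of the per-service filter described in the post, which verifies an identity token carrying no roles, then fetches and caches an application-scoped token for the (subject, client) pair. Everything here is constructed for the example: tokens are HS256 JWTs under a shared secret rather than the SSO server's RS256 signature, `issue_app_token` is a stand-in for whatever SSO call would hand back the client-specific token, and the role table is hard-coded. The filter re-verifies the identity token on every request, so an expired session stops being honoured even while a cached application token is still within its own lifetime.

```python
"""Toy 'identity token in, application-scoped token out' filter (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SECRET = b"constructed-shared-secret"            # example key only, not a real deployment
ISSUER = "https://sso.example.test/realms/demo"  # constructed issuer URL

# Constructed role table: roles only make sense per application/client.
APP_ROLES = {
    ("alice", "billing"): ["invoice-viewer"],
    ("alice", "inventory"): ["stock-editor", "stock-viewer"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check algorithm, signature, issuer and expiry; return claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept alg=none
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def issue_app_token(sub: str, client_id: str, now: float, ttl: int = 60) -> str:
    """Stand-in (hypothetical) for the SSO call that returns a client-scoped token with roles."""
    roles = APP_ROLES.get((sub, client_id), [])
    return make_jwt({"iss": ISSUER, "sub": sub, "aud": client_id,
                     "exp": int(now) + ttl, "roles": roles})


class AppTokenFilter:
    """Per-service filter: validates the identity token, then returns the claims of a
    cached application-scoped token for (subject, this service's client id)."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self._cache: Dict[str, str] = {}  # subject -> application token
        self.sso_calls = 0                # counts stand-in SSO round trips

    def app_claims(self, identity_token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        identity = verify_jwt(identity_token, now=now)  # live session is a precondition
        sub = identity["sub"]
        cached = self._cache.get(sub)
        if cached is not None:
            try:
                return verify_jwt(cached, now=now)      # still valid: reuse it
            except ValueError:
                del self._cache[sub]                    # expired or bad: refetch
        self.sso_calls += 1
        token = issue_app_token(sub, self.client_id, now)
        self._cache[sub] = token
        return verify_jwt(token, now=now)
```

The cache is keyed by subject inside a filter that is itself bound to one client id, so two services never hand out each other's roles, and the application token's own `exp` bounds how long a role change takes to propagate.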