[keycloak-user] cascaded microservice security

Dirk Franssen dirk.franssen at gmail.com
Wed Dec 16 10:30:20 EST 2015


Hi,

As I didn't receive any feedback on this question yet, I will resend it
(perhaps due to a pending subscription).

On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen <dirk.franssen at gmail.com>
 wrote:

> Hi,
>
> how would one configure Keycloak to obtain the following scenarios?
>
> Scenario 1:
>
> client A: public (angular app)
> client B: bearer-only (microservice)
> client C: bearer-only (microservice)
>
> - microservice B is allowed to call microservice C, but an authenticated
> user in the js app A should be forbidden to call microservice C directly.
>
> Scenario 2:
>
> client A: public (angular app)
> client B: confidential (1 war with a REST service AND a JSF application,
> both using the same EJB business layer which is accessing microservice C)
> client C: bearer-only (microservice)
>
> - a user authenticated in the angular app can use the REST service of app
> B and will see the results of microservice C, but the user may not call
> microservice C directly
> - a user authenticated in the JSF application will see the results of
> microservice C when using the JSF application, but should not be able to
> use microservice C directly (if the user would reuse the same access_token)
> - should there be different roles for the REST part and the JSF part of
> app B (for accessing microservice C)?
>
> Kind regards,
> Dirk
>
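One way to enforce both scenarios on the resource side, as an added example that is not part of the original post and not Keycloak's own code: microservice C inspects the access token it receives and only accepts tokens that (a) were issued to an allowed calling client (the `azp` claim) and (b) carry a client role defined on C that is granted only to B's service account, never to end users. The `azp` check alone is not enough for scenario 2, because a user who logs in through B's JSF application also gets a token with `azp` = B; the client-role check is what separates the user's token from the token B obtains for itself. Everything below is constructed for illustration: the client ids (`angular-app`, `app-b`, `microservice-c`), the role name `call`, the realm URL, and the use of HS256 with a shared secret in place of Keycloak's RS256 realm key, so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. A real deployment verifies the
# RS256 signature with the realm's public key; HS256 with a shared secret is a
# stand-in so the example runs offline.
SHARED_SECRET = b"example-only-secret"
ISSUER = "https://keycloak.example.com/auth/realms/demo"  # assumed realm URL
SERVICE_C = "microservice-c"                                # client id of C
REQUIRED_ROLE = "call"          # client role on C, granted only to B's service account
ALLOWED_CALLERS = {"app-b"}     # clients whose tokens (azp) may reach C at all


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(azp, resource_access=None, ttl=300, secret=SHARED_SECRET, now=None):
    """Mint a constructed Keycloak-style access token (HS256, example only)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "azp": azp,                               # client the token was issued to
        "iat": now,
        "exp": now + ttl,
        "resource_access": resource_access or {}, # client roles, keyed by client id
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize_for_c(token, secret=SHARED_SECRET, now=None):
    """Checks a bearer-only service C would run. Returns (allowed, reason)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # Scenario 1: a token issued to the public angular app never reaches C.
    if claims.get("azp") not in ALLOWED_CALLERS:
        return False, f"client {claims.get('azp')!r} may not call {SERVICE_C}"
    # Scenario 2: a user logged in through B's JSF app has azp == app-b too, so
    # the deciding check is the client role on C that only B's service account holds.
    roles = claims.get("resource_access", {}).get(SERVICE_C, {}).get("roles", [])
    if REQUIRED_ROLE not in roles:
        return False, f"missing client role {SERVICE_C}:{REQUIRED_ROLE}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed tokens for the three callers in the two scenarios.
    user_via_a = mint_token("angular-app", {"angular-app": {"roles": ["user"]}})
    user_via_b = mint_token("app-b", {"app-b": {"roles": ["user"]}})
    b_service_account = mint_token("app-b", {SERVICE_C: {"roles": [REQUIRED_ROLE]}})
    for name, tok in [("user via A", user_via_a), ("user via B (JSF)", user_via_b),
                      ("B service account", b_service_account)]:
        print(f"{name:18} -> {authorize_for_c(tok)}")
```

The point of the role check is that B calls C with a token it obtained for itself (client credentials for its service account, under this assumed setup) rather than by forwarding the user's token, so the user's own token, whichever client it was issued to, never satisfies C's policy.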