[keycloak-user] How to communicate access token in microservice architecture

hmidi slim hmidi.slim2 at gmail.com
Tue Mar 6 18:13:07 EST 2018


Hi,
I have a node.js app designed with a microservice architecture and I'm trying
to add some roles for each service to deny access. Suppose that the
app consists of 3 services called service1, service2 and service3.
To access the main page of the app, a user should enter a login and
password to authenticate against the keycloak server. If the authentication
succeeds it will show the index page. In the index page there are two
choices: resource B and resource C.
If a user checks resource B, a query will be sent to service2 to get all the
data contained in it.
If a user checks resource C, a query will be sent to service3 to get all the
data.
In the Keycloak admin console I created a realm MyApp with some realm roles:
RA_r (resourceA read), RB_r (resourceB read) and RC_r (resourceC read).
Then I created 3 clients called resource A, resource B and resource C.
I also created a user called user and associated the RB_r role with him.
For each service I installed keycloak-connect, made the configuration
and added a keycloak.json for each of them:

{
  "serverUrl": url_auth_server,
  "realm": "MyApp",
  "clientId": "resource X",
  "bearerOnly": true
}

In service2 I want to protect the GET route:

app.get('/resource', keycloak.protect('realm:RB_r'), handler)

The query starts from the first service (service1) and arrives at
service2. I got a status code of 403. However, when I delete
keycloak.protect('realm:RB_r') I receive the data.
I decoded the access token from the headers using jwt.io and I found that
the realm role (RB_r) exists.
So how can I transfer the access token between different services and
protect them using an RBAC mechanism? Did I miss something in the config or
should I add a specific configuration?

