[keycloak-user] authentication / authorization / 3rd party web services

Fox, Kevin M Kevin.Fox at pnnl.gov
Wed Sep 5 12:17:16 EDT 2018


Hi All,

I'm trying to get a handle on Keycloak and have a use case it may be good for, but it is unclear how I proceed.

I would like to use Keycloak to provide unified authentication and provide some additional info useful for authorization. So this is OpenID Connect type things. Allow a user to log in with Kerberos or some social provider such as Google/GitHub. And then tack on some groups/roles/whatever to allow authorization downstream. Keycloak seems to support this piece very well.

I'd like to be able to do something similar to Google or GitHub, where you have a self-service website a user can go to, to get client credentials to allow external web services to auth to the web services on the user's behalf. As things like Kubernetes become more widely deployed, I see users needing to launch their own web services and hook them into the auth system easily. I see pieces of this in Keycloak but not sure how this should work.

I can see the organization providing some services, and other users providing services. How would you arrange it so that one tenant's services could be authorized by a user to be used by another tenant's services?

Like, in the attached diagram, I could see a user logging in, then going to the Processing web service, then being asked to give access permissions to the Storage web service so that it can retrieve data.

To do something like this, would you have one master Domain users log in through, and then have per-tenant domains which are an openidc client of the master domain and give each tenant their own admin access to their own tenant?

Is there a totally different way to do this? Is this something that is out of scope for Keycloak?

Thanks,
Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak.png
Type: image/png
Size: 63146 bytes
Desc: keycloak.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180905/4f34a608/attachment-0001.png 

