[keycloak-user] Realm-specific authorization following cross-realm authentication

[luis.villaca at petrobras.com.br]

Greetings,

I would like to understand the best strategy to implement a scenario of
realm-specific authorization in Keycloak after cross-realm authentication.

A "brief" context:

My company has its own corporate authentication and authorization services.
The first one returns the status based on user credentials (e.g. already
logged, invalid credentials, etc).
The second one relates a distinct service to each application, and is used
for retrieving application-specific roles. So this service, when provided
with a username and the app credentials, retrieves a list of user roles.

We plan on decoupling the applications from it.
So we configured Keycloak instance to allow the usage of OpenIDConnect. For
security, we created a JKS keystore for our certificate and set the SSL
properties in our standalone.xml.
We created our own Keycloak plugin (implementing
org.keycloak.storage.UserStorageProviderFactory, and extending
UserStorageProvider, UserLookupProvider, and CredentialInputValidator) that
currently interacts with our corporate service for authenticating and
pulling the roles.

This was configured as a UserFederation in realms A and B (for apps A and
B), each along with application-specific settings for interacting with our
corporate service.

We also configured each app (springboot) with its certificate
(PrivateKeyEntry) and a a Keycloak JKS Truststore. Using
spring-security-oauth2-autoconfigure features (application.yml) we
configured keycloak settings. It works fine, since each app redirects to
the IDP (configured with its specific realm) and is able to authenticate
and pull the client mapped roles, further correlated to our secured
resources in our WebSecurityConfigurerAdapter extension (SpringSecurity).

Now we have two applications (A and B) performing this strategy and we want
SSO.

For testing that we picked up the secret from realm A "broker" client, used
it to configure an identity provider in realm B (i.e., pointing to realm A
urls and this broker client).
As we set the redirector in realm B Authentication config, it works as
expected. A user tries to access a protected resource in B, is directed to
realm A, authenticating there and coming back, bringing only Keycloak
default roles to B (uma_authorization, not the "A" roles).

So here is the strategy I thought for this scenario:

1) Create an authentication-only Realm with a configured user federation
that calls our corporate authentication Service only to authenticate users
2) Set realms A and B with above realm broker configured as their identity
providers
3) Assign realm-specific roles in realms A and B. Maybe using their
specific UserFederation? Could it be set under Post Login Flow? It should
call our corporate application-specific authorization Service and assign
those roles to the user (if needed, creating those realm roles).

Any thoughts or references/examples on that (specially step 3)?

Thanks, regards,

Luis 
"O emitente desta mensagem é responsável por seu conteúdo e endereçamento. Cabe ao destinatário cuidar quanto ao tratamento adequado. Sem a devida autorização, a divulgação, a reprodução, a distribuição ou qualquer outra ação em desconformidade com as normas internas do Sistema Petrobras são proibidas e passíveis de sanção disciplinar, cível e criminal."
 
"The sender of this message is responsible for its content and addressing. The receiver shall take proper care of it. Without due authorization, the publication, reproduction, distribution or the performance of  any other action not conforming to Petrobras System internal policies and procedures is forbidden and liable to disciplinary, civil or criminal sanctions."
 
"El emisor de este mensaje es responsable por su contenido y direccionamiento. Cabe al destinatario darle el tratamiento adecuado. Sin la debida autorización, su divulgación, reproducción, distribución o cualquier otra acción no conforme a las normas internas del Sistema Petrobras están prohibidas y serán pasibles de sanción disciplinaria, civil y penal."