I'm part of a frontend project and I need some help to bring our authorization model into Keycloak. We're building on Node.js and the whole project uses stateless microservices, both our frontend middleware and all the backend services we use. The frontend uses the standard JS adapter for session and token management.
So far we have identified four roles: travel agent, back office, configurator and data security officer. That's easy so far. My problem is how to model the next authorization layer we need.
For example: for the travel agents we want to be able to grant per person whether he can see specific customer data or is able to cancel orders. There are about 6-8 options for the travel agents. Thus, for the back office there shall be options for stock operations or different views on orders.
Like the backend, we don't persist any data! That's why I have to store everything in Keycloak and find a way to easily bring this information back to our middleware.
Here's what I tried / thought of so far:
* Use groups for the first layer and roles for the second one. --> doesn't work because the groups don't get exposed in the token.
* Use realm roles for the upper and attributes for the lower hierarchy. --> attributes are not included in the access token.
* Use realm roles for the upper and client roles on the lower hierarchy. --> works, but we have to make sure that roles on the second layer are definitely associated with only one role on the first layer. I don't know how yet.
* Use roles for the first layer and resources on the second one. --> That seems to get very close to what we need. But at the moment I can't figure out the correct approach with all these policies and permissions...
Discussions here at Stack Overflow seem very fruitful and I wanted to give it a try, although I don't have any code to offer.
Thanks for any help and please let me know, if I shall provide some further information.
Sven
Unlike the downvoter, I find this to be a legitimate question.
It looks like you're on the right path in terms of using Keycloak groups/roles/attributes. You can pick a combination that suits your needs. For example, if you need a hierarchy structure, you might use groups. Or you might want to use roles since these can be composite.
Regardless of which path you choose, your problem is how to expose these in the token. It can be done using mapper configurations.
For example, to expose Roles for the user, you'll want to create a "User Realm Role" mapper that adds your roles as a claim on the tokens. To do this:
There are also mappers for "Group Membership" and "User Attribute" that can be used to add these two concepts as claims. If those aren't enough, or if you need more fine-grained control, you can roll your own custom mapper. See the Keycloak documentation and other questions here on Stack Overflow for how to do this.
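The following is an added example, not code from the question or the answer. It shows how a Node.js middleware can consume the two authorization layers once the mappers described above put them into the access token: the first layer as realm roles under the standard `realm_access.roles` claim (the "User Realm Role" mapper), the second layer as client roles under `resource_access[<clientId>].roles` or as a custom `permissions` claim from a "User Attribute" mapper. The `OPTION_OWNER` table, the client id `travel-app`, the option names and the `permissions` claim name are assumptions; it also shows one way to satisfy the question's requirement that each second-layer option belongs to exactly one first-layer role, by enforcing that ownership in the middleware rather than relying on Keycloak alone.

```javascript
// Added example (not from the question, the answer or Keycloak itself).
// Assumed token layout: realm roles in `realm_access.roles`, client roles in
// `resource_access[clientId].roles`, optional custom claim `permissions`.

// Map each second-layer option to the single first-layer (realm) role that
// owns it. An option is only honoured when the token also carries its owner.
const OPTION_OWNER = {
  view_customer_data: "travel_agent",
  cancel_orders: "travel_agent",
  stock_operations: "back_office",
  order_views: "back_office",
};

// Decode the payload of a compact JWS token. Decoding is NOT verification:
// the signature must be checked by the Keycloak adapter (or a JWT library
// with the realm public key) before any claim below is trusted.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Build an unsigned token from a payload, only so the example can exercise
// decodePayload offline. Never accept such a token in a real service.
function makeUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

function realmRoles(payload) {
  return new Set(payload.realm_access?.roles ?? []);
}

// Second-layer options: client roles for `clientId` plus a custom
// `permissions` claim if a mapper emits one (assumed claim name).
function secondLayerOptions(payload, clientId) {
  const clientRoles = payload.resource_access?.[clientId]?.roles ?? [];
  const custom = Array.isArray(payload.permissions) ? payload.permissions : [];
  return new Set([...clientRoles, ...custom]);
}

// Both layers must agree: the option must be known, the token must carry the
// owning realm role, and the token must carry the option itself.
function isAllowed(payload, clientId, option) {
  const owner = OPTION_OWNER[option];
  if (!owner) return false; // unknown option: deny by default
  if (!realmRoles(payload).has(owner)) return false;
  return secondLayerOptions(payload, clientId).has(option);
}

// Express-style middleware factory. The bearer token is assumed to have been
// signature-verified by an upstream layer (e.g. the Keycloak Node adapter).
function requireOption(clientId, option) {
  return (req, res, next) => {
    const header = req.headers?.authorization ?? "";
    const token = header.startsWith("Bearer ") ? header.slice(7) : null;
    if (!token) return res.status(401).end();
    let payload;
    try {
      payload = decodePayload(token);
    } catch {
      return res.status(401).end();
    }
    if (!isAllowed(payload, clientId, option)) return res.status(403).end();
    return next();
  };
}

// Constructed sample payload (not a real Keycloak token): a travel agent who
// may view customer data but has not been granted order cancellation.
const SAMPLE_PAYLOAD = {
  realm_access: { roles: ["travel_agent"] },
  resource_access: { "travel-app": { roles: ["view_customer_data"] } },
};

// Constructed payload where a second-layer option is present without its
// owning first-layer role; the ownership rule denies it.
const MISMATCHED_PAYLOAD = {
  realm_access: { roles: ["back_office"] },
  resource_access: { "travel-app": { roles: ["view_customer_data"] } },
};

console.log(isAllowed(SAMPLE_PAYLOAD, "travel-app", "view_customer_data")); // true
console.log(isAllowed(SAMPLE_PAYLOAD, "travel-app", "cancel_orders"));      // false
console.log(isAllowed(MISMATCHED_PAYLOAD, "travel-app", "view_customer_data")); // false
```

Wire it in with `app.get("/customers/:id", requireOption("travel-app", "view_customer_data"), handler)`. Keeping the ownership table in the middleware means a misconfigured role assignment in Keycloak (a back-office user given a travel-agent client role) still fails closed.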