Authorization Options

dodger0401 · January 21, 2025, 4:23pm

I’m new to Keycloak and put together a proof of concept using NextJS15 and AuthJS 5 for authentication. The setup includes:

two application websites
a dedicated client per application
multiple organizations that have access to one or both clients/apps

Authentication is working and I’m getting the access token with the claims that I’m expecting. I’m now adding authorization and researching options prior to implementation. Some questions that I have are:

I’m aware of krasamo/keycloak-typescript, react-keycloak/keycloak-ts, and keycloak-js. Are there others I should consider and what are the pros/cons?
There was a comment in the forums stating that UMA is not getting adoption. Does that still hold true, and if so, what other options should I consider?

Thank you

embesozzi · January 28, 2025, 3:26pm

Easy peasy! Here’s a general overview (double-check with your authz requirements):

Protection with OAuth 2.0 → Authorization rules based on scopes or identity claims.
Define your authorization model → RBAC, ABAC, ReBAC, Policy-Based, etc.
Policy Decision Point (PDP) → Internal or external.
Policy Enforcement Point (PEP) → Internal or external → External: Proxy / API Gateway

Topic		Replies	Views
How Authorization is supposed to work? Getting advice oidc	1	343	February 17, 2024
Keycloak just as Authorization Server	14	3232	March 8, 2022
Keycloak authorization integration support with OPA (Open Policy Agent) Securing applications	1	2675	April 10, 2023
Keycloak-js - Authorization Client Getting advice	0	489	February 18, 2020
Keycloak as an Authorization Service Getting advice	11	3792	December 18, 2025

Authorization Options

Related topics