I’m currently designing how we will secure our microservices with Keycloak. We have a microservice that has individual resources, let’s call them widgets. We intend to have millions of widgets total, with perhaps tens of thousands of widgets per user. We have a separate microservice that contains the group hierarchy of users. I’d like to grant access to individual widgets based on user and group, so for example, there should be a permission that gives a user access to any widgets in their group or sub-groups of their group.
I have a few questions and concerns about the Keycloak integration:
- Should I create resources for individual widgets in Keycloak? This seems like it would create a lot of load on Keycloak that I’d like to avoid.
- When I want to do policy enforcement on an individual widget or when querying a collection of widgets (data filtering), what’s the best way to get the group information for the user? It seems like I could either replicate the group information within Keycloak (not sure if it supports multiple hierarchies like we have in our microservice), inject this information through a Claim Information Point (don’t fully understand how to do this yet), or store this data with the widget service.
- When I enable the policy enforcer, won’t this create a query to Keycloak every time my widget service is queried? This doesn’t seem like it would scale well because the widget service will need to support a high rate of queries per second.
Thanks for the help!