Best regards,
I trust this message finds you well. I am currently working on my undergraduate thesis in systems engineering in Colombia, using Spring Boot 3.1.4 and Angular 16.0.2 with Keycloak for security management.
Attached, you will find a microservices architecture diagram that I am developing. In my Angular application, I successfully implemented login functionality using the keycloak-angular library. Now, as I explore the idea of microservices in Spring Boot, particularly a microservice named “user,” a question has arisen:
Should I discontinue the use of the keycloak-angular library when implementing microservices and entrust the entire authentication and authorization management to the new microservice? Or can I retain the keycloak-angular library for handling authentication while the microservice manages user creation, roles, and privileges?
I would greatly appreciate your guidance and any contacts you can provide for assistance with this matter.
Attached is the architecture diagram:
Thank you for your time and support!
Danilo Nuñez Gil
Hi @danilonunezgil,
I don’t quite follow your question. Nevertheless, I will provide some hints about the authorization architecture components. It’s common to have the following:
- Authorization Server (IdP): In your case, Keycloak for handling standard protocols and providing support for OpenID Connect and OAuth 2.0.
- Policy Enforcement Point (PEP): In your diagram, the API Gateway (perhaps for CGA) and the API Usuario (for CGA or FGA).
- Policy Decision Point (PDP): It is responsible for applying policies or rules and returning a decision on whether a particular access is permitted.
- And others…
Going back to the API side, it is common for it to act as an OAuth 2.0 Resource Server - it’s quite easy to implement with Spring Security. Therefore, you can protect the API with scopes or identity claims [1] (I’m oversimplifying the idea because nowadays there are a lot of options).
Once your app (front-app) finishes the OIDC federation, it will get the tokens. Then it could use the access token for calling the API acting as OAuth 2.0 RS.
[1] GitHub - embesozzi/oauth-demoapi-jwt-rbac-spring: API protection based identity claims
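As an added example (not code from this thread or from the linked repository), this is how the API Usuario could act as the OAuth 2.0 Resource Server described above on Spring Boot 3.1 / Spring Security 6: it validates the Keycloak access token the Angular app obtained and authorizes by scope and realm role. Assumed, not from the thread: the issuer URI set in application.yml as `spring.security.oauth2.resourceserver.jwt.issuer-uri`, the `/usuarios/**` paths, a `usuarios:read` scope, and Keycloak's default `realm_access.roles` claim.

```java
// Added example: "usuario" API as an OAuth 2.0 Resource Server for Keycloak-issued JWTs.
// Assumed: spring.security.oauth2.resourceserver.jwt.issuer-uri points at the Keycloak realm,
// so signature, issuer and expiry are verified against the realm's JWKS by Spring Security.
package com.example.usuario.security;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {
    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable()) // bearer tokens, no session cookie: CSRF does not apply
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/usuarios/**").hasAuthority("SCOPE_usuarios:read")
                .requestMatchers("/usuarios/**").hasRole("ADMIN") // create/update/delete users
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(keycloakConverter())));
        return http.build();
    }

    // Keeps Spring's default "scope" -> SCOPE_* mapping and adds Keycloak realm roles as ROLE_*.
    private JwtAuthenticationConverter keycloakConverter() {
        JwtGrantedAuthoritiesConverter scopeMapper = new JwtGrantedAuthoritiesConverter();
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            List<GrantedAuthority> authorities = new ArrayList<>(scopeMapper.convert(jwt));
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access"); // Keycloak default claim
            if (realmAccess != null && realmAccess.get("roles") instanceof List<?> roles) {
                roles.forEach(r -> authorities.add(new SimpleGrantedAuthority("ROLE_" + r)));
            }
            return authorities;
        });
        return converter;
    }
}
```

With this in place the Angular client keeps keycloak-angular for login and only forwards the access token as `Authorization: Bearer ...`; the microservice never handles passwords, it only enforces what the token asserts.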