Hello everyone,
I’m trying to figure out the right token handling approach for Keycloak + Next.js + FastAPI.
This is not a pure SPA, and in the main flow, requests to FastAPI are mostly made server-side.
Because of that, I’m trying to understand whether a server-side / BFF-style token handling approach is the more natural fit.
I chose Keycloak because I need an on-prem solution and flexible Group / Role modeling. My use case requires a hierarchy like Organization > Team > User, and I’m currently thinking of modeling both Organizations and Teams as Keycloak Groups, then using Team roles for FastAPI authorization.
I also want MFA to be opt-in per Organization, likely using an Organization-level role or attribute to branch the authentication flow.
My main questions are:
- Is server-side token handling the more natural approach in this kind of architecture?
- If so, would you use Redis or PostgreSQL for token storage or related session data?
- How would you handle token refresh in a setup like this?
Would appreciate any advice from anyone who has built something similar.
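As an added example (not code from the post, Keycloak, or FastAPI), here is how the Organization > Team > User modelling described above could be turned into a deny-by-default authorization check on the FastAPI side. It assumes a Group Membership mapper with "Full group path" enabled (so the `groups` claim carries paths like `/acme/platform`), Team roles mapped as realm roles onto the Team groups, and that token signature, issuer, audience and expiry were already verified upstream; the group names, role names and sample claims are constructed.

```python
"""
Added example: derive FastAPI authorization from the claims Keycloak places
in an access token when Organizations and Teams are nested Keycloak Groups.

Assumptions (all chosen for this example, not from the post):
  * the client's Group Membership mapper has "Full group path" on, so the
    `groups` claim looks like "/acme/platform": first segment = Organization
    group, second segment = Team group;
  * Team roles are realm roles mapped onto the Team groups, so members see
    them in `realm_access.roles`;
  * signature/issuer/audience/expiry checks already happened (e.g. in a
    FastAPI dependency); this module only reasons over verified claims and
    denies whenever something is missing.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Membership:
    organization: str
    team: Optional[str]  # None when the user sits directly in the Org group


def parse_memberships(claims: dict) -> list:
    """Turn Keycloak full group paths into (organization, team) pairs.
    Paths deeper than two levels are cut to the first two; empty ones are skipped."""
    memberships = []
    for path in claims.get("groups", []):
        parts = [p for p in path.split("/") if p]
        if not parts:
            continue
        memberships.append(Membership(parts[0], parts[1] if len(parts) > 1 else None))
    return memberships


def realm_roles(claims: dict) -> set:
    return set(claims.get("realm_access", {}).get("roles", []))


def authorize(claims: dict, *, organization: str, required_role: str,
              team: Optional[str] = None) -> bool:
    """Deny-by-default: the caller must belong to `organization` (and to
    `team` if one is named) AND hold `required_role`."""
    in_scope = any(
        m.organization == organization and (team is None or m.team == team)
        for m in parse_memberships(claims)
    )
    return in_scope and required_role in realm_roles(claims)


# Constructed sample claim set for a local run; not a real token payload.
SAMPLE_CLAIMS = {
    "sub": "example-user",
    "groups": ["/acme/platform", "/acme/data"],
    "realm_access": {"roles": ["team-editor", "offline_access"]},
}

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, organization="acme", required_role="team-editor"))
    print(authorize(SAMPLE_CLAIMS, organization="globex", required_role="team-editor"))
    print(authorize(SAMPLE_CLAIMS, organization="acme", team="data",
                    required_role="team-admin"))
```

In FastAPI this would sit behind a dependency that validates the JWT and passes the claims in; the point of keeping the policy separate is that it can be unit-tested with constructed claim sets like the one above, and that a missing `groups` or `realm_access` claim results in a 403 rather than an exception.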
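For the token-handling and refresh questions, the following is an added example (not the post's code and not Keycloak's) of a BFF-style server-side session store: the browser only holds an opaque session id, the Keycloak access and refresh tokens stay server-side (an in-memory dict stands in for Redis or PostgreSQL here), and refresh happens on the server just before the access token expires, with a per-session lock so parallel server-side requests do not race to rotate the same refresh token. The `token_endpoint` callable is an injected stand-in for the `grant_type=refresh_token` POST to Keycloak's token endpoint; it returns the real endpoint's field names but constructed values, and `FakeKeycloak`, `FakeClock` and `demo` exist only to exercise the store offline.

```python
"""
Added example: BFF session store that keeps Keycloak tokens server-side and
refreshes them silently. Assumptions: `token_endpoint` stands in for the
refresh_token grant (same field names: access_token, refresh_token,
expires_in; values constructed); a refresh failure means the refresh token
was revoked or expired, so the session is dropped and the user re-logs in.
"""
import secrets
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


class RefreshFailed(Exception):
    """The IdP no longer accepts the refresh token."""


@dataclass
class Session:
    access_token: str
    refresh_token: str
    access_expires_at: float
    lock: threading.Lock = field(default_factory=threading.Lock)


class BffSessionStore:
    def __init__(self, token_endpoint: Callable[[str], dict],
                 clock: Callable[[], float] = time.time, skew_seconds: float = 30.0):
        self._sessions: Dict[str, Session] = {}   # stand-in for Redis/PostgreSQL
        self._token_endpoint = token_endpoint
        self._clock = clock
        self._skew = skew_seconds                   # refresh this long before expiry

    def create(self, token_response: dict) -> str:
        """Store tokens from the code exchange; return the opaque cookie value."""
        session_id = secrets.token_urlsafe(32)      # tokens themselves never reach the browser
        self._sessions[session_id] = Session(
            token_response["access_token"], token_response["refresh_token"],
            self._clock() + token_response["expires_in"])
        return session_id

    def _fresh(self, s: Session) -> bool:
        return self._clock() + self._skew < s.access_expires_at

    def access_token_for(self, session_id: str) -> str:
        """Bearer token for a server-side call to FastAPI, refreshed if needed."""
        s = self._sessions.get(session_id)
        if s is None:
            raise KeyError("unknown or expired session")
        if self._fresh(s):
            return s.access_token
        with s.lock:                                # single-flight refresh per session
            if self._fresh(s):                      # someone else refreshed while we waited
                return s.access_token
            try:
                t = self._token_endpoint(s.refresh_token)
            except Exception as exc:
                self._sessions.pop(session_id, None)  # force a full re-login
                raise RefreshFailed(str(exc)) from exc
            s.access_token = t["access_token"]
            # Keycloak rotates refresh tokens when configured; keep the old one only if none returned.
            s.refresh_token = t.get("refresh_token", s.refresh_token)
            s.access_expires_at = self._clock() + t["expires_in"]
            return s.access_token

    def logout(self, session_id: str) -> None:
        # A real deployment would also send the refresh token to Keycloak's logout endpoint.
        self._sessions.pop(session_id, None)


class FakeKeycloak:
    """Constructed stand-in for the token endpoint, with single-use refresh tokens."""
    def __init__(self):
        self.calls, self.valid_refresh, self.revoked = 0, {"rt-0"}, False

    def __call__(self, refresh_token: str) -> dict:
        self.calls += 1
        if self.revoked or refresh_token not in self.valid_refresh:
            raise RuntimeError("invalid_grant")
        self.valid_refresh.discard(refresh_token)
        new_rt = f"rt-{self.calls}"
        self.valid_refresh.add(new_rt)
        return {"access_token": f"at-{self.calls}", "refresh_token": new_rt, "expires_in": 300}


class FakeClock:
    def __init__(self): self.now = 0.0
    def __call__(self) -> float: return self.now


def demo():
    """Login, one silent refresh inside the skew window, then a revoked refresh token."""
    kc, clock = FakeKeycloak(), FakeClock()
    store = BffSessionStore(kc, clock=clock, skew_seconds=30)
    sid = store.create({"access_token": "at-0", "refresh_token": "rt-0", "expires_in": 300})
    first = store.access_token_for(sid)     # fresh, served from the store
    clock.now = 280                         # 20 s before expiry: inside the skew window
    second = store.access_token_for(sid)    # exactly one refresh call
    third = store.access_token_for(sid)     # cached again, no second call
    calls_after_silent = kc.calls
    kc.revoked, clock.now = True, 600
    try:
        store.access_token_for(sid)
        dropped = False
    except RefreshFailed:
        dropped = sid not in store._sessions
    return first, second, third, calls_after_silent, dropped
```

Redis versus PostgreSQL only changes what backs `_sessions` and the lock (a Redis `SET NX` with a TTL, or a row-level lock in PostgreSQL, replaces the in-process `threading.Lock` once you run more than one Next.js instance); the cookie stays opaque and `HttpOnly` either way, and the refresh token's own lifetime bounds how long an idle session can be resumed.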