Some questions about keycloak

I recently got acquainted with the Keycloak tool and want to implement an authentication and authorization system based on it.

In my backend application, I have three roles:

  • admin /api/v1/*
  • manager /api/v1/manager/*
  • client /api/v1/client/*

And I want to isolate the API for different roles. I have configured authentication, and the user receives an access token. From the token, I can obtain information about the user’s role and control access in my backend application.

But then why does Keycloak have an authorization function if the process itself is carried out in my backend application? I tried to configure resources depending on roles. In the Keycloak Evaluate tab, it shows that access is denied, but this does not affect the issuance of the access token using Postman. Or does the logic in authorization only work for the personal account in Keycloak?

Can I configure Keycloak to issue or not issue a token depending on the roles, and if the user has no role, then not issue a token?

Suppose a client receives an access token and then tries to access the API /api/v1/manager/ on my backend application. How can Keycloak detect this and prevent it?

But I have some misunderstanding regarding authorization. I would appreciate it if you could answer these questions for me. Thank you in advance!

Yes, it’s possible to use Keycloak as an authorization service, and precisely you will need to use a special type of token called RPT.

To achieve this, you will need to enable the authorization service for your client application, and then define the resources (API) and define corresponding policies (e.g., a user must be an admin), and finally associate a policy to a resource by creating a permission (to access the admin API, you must have an admin role).

Then, to generate the RPT, you can check this section.
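As an added example (not code from the original answer or from Keycloak itself), here is how the two halves of that flow look in Python: the UMA request that exchanges a plain access token for an RPT, and the backend check that refuses a request unless the RPT's permissions claim names the resource owning the path. Assumed names: realm "myrealm", a client "backend" with Authorization enabled, and resources "admin-api", "manager-api" and "client-api" defined under it.

```python
# Added example; the realm, client and resource names below are assumptions.
import base64
import json

TOKEN_URL = "https://keycloak.example/realms/myrealm/protocol/openid-connect/token"

# Longest matching prefix wins, so /api/v1/manager/... maps to manager-api.
RESOURCE_BY_PREFIX = {
    "/api/v1/manager/": "manager-api",
    "/api/v1/client/": "client-api",
    "/api/v1/": "admin-api",
}


def uma_token_request(resource, scope="access"):
    """Form fields POSTed to TOKEN_URL (with 'Authorization: Bearer <access token>')
    to obtain an RPT for one resource#scope. Keycloak returns the RPT only when a
    permission grants it; otherwise it answers with an error and no token."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": "backend",
        "permission": f"{resource}#{scope}",
    }


def decode_claims(jwt):
    """Read a JWT payload. The signature is NOT verified here; the backend must
    check it against the realm's public keys before trusting any claim."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def resource_for(path):
    match = max((p for p in RESOURCE_BY_PREFIX if path.startswith(p)), key=len, default=None)
    return RESOURCE_BY_PREFIX.get(match)


def permitted(path, claims):
    """True only if the token is an RPT whose authorization.permissions claim
    names the resource owning this path. A plain access token carries no such
    claim, so it is refused even though its realm roles may look right."""
    resource = resource_for(path)
    granted = claims.get("authorization", {}).get("permissions", [])
    return resource is not None and any(p.get("rsname") == resource for p in granted)


def _fake_jwt(payload):
    """Constructed, unsigned token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(payload)}.sig'


# Constructed tokens: an RPT granting manager-api, and a plain access token.
MANAGER_RPT = _fake_jwt({"sub": "u1", "authorization": {"permissions": [
    {"rsname": "manager-api", "scopes": ["access"]}]}})
PLAIN_TOKEN = _fake_jwt({"sub": "u1", "realm_access": {"roles": ["manager"]}})
```

With this in place the backend never consults roles directly: access is decided by which resources Keycloak's policies put into the RPT, which is why a denial shown in the Evaluate tab only matters once the backend demands an RPT rather than the ordinary access token.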