Hello everyone!
I would like to ask for some advice on switching from an auth0 solution to a keycloak one. The reason for the switch is that I need a self-hosted solution, but figuring out the details hasn’t been going very well. The resources I found on the internet were quite conflicting or too complicated for my use case.
My auth0 setup currently looks like this:
I have a single page web app and a rest api. The api is registered in the auth0 tenant (applications → api). Here I can define permissions for the api. They look like this, for example: read:items, update:item, etc. These are assigned to users. I also have the single page app registered in auth0. When I log in to my spa through auth0 I get a JWT token signed by the api’s secret key (that’s defined in auth0), and I also get the permissions assigned to the user in the JWT token. I use this token to send requests against my api. In my rest api server I validate the JWT token using the secret key I get from auth0 and also check against the permissions.
Basically I want to achieve the same thing using keycloak. So far I only managed to create a client in keycloak for the web app and now I’m stuck.
So basically my questions are:
How do I define an api in keycloak?
How do I create permissions for that api?
How do I tell keycloak in the login process for which api I need a token? (In auth0 it’s an audience parameter containing the api identifier)
How do I get the key with which I can verify the token in the restapi server?
So far I only managed to figure out that I probably need a client with bearer-only access type, but then I can’t define permissions for it?
It’s quite possible my approach was totally wrong in the first place even with auth0, so I’m open to any suggestions.