Managing access rights with Keycloak as an IAM system
Posted: Sun Jan 26, 2025 5:53 am
Applications often contain resources that should only be available to certain users. Management users, for example, manage their employees' information, while sales users manage their customers' information. Such areas have to be closed off, with access controlled by authorizations. In this article, I would like to show you, using a few short examples, how you can manage these access authorizations in Keycloak and assign them to groups of users.
Keycloak is a Java-based open source identity and access management (IAM) solution. IAM systems provide the ability to manage identities and access rights for different applications and fulfill two tasks:
Authentication: The identity of a user is verified, for example by having them present a user name and password.
Authorization: Once the identity has been verified, the user is granted permissions that determine which resources they may access.
I will discuss authorization in more detail later in this article. Keycloak is a certified implementation of the OpenID Connect protocol and an established standard solution that provides a number of features out of the box. These include single sign-on, identity brokering and integration of third-party systems (e.g. Google, Twitter).
Basic terminology
The basic building blocks in Keycloak are realms, clients and roles. Each realm manages its own set of users and usually contains several clients. A client is the entity an application or backend service uses to authenticate the users of the realm and to obtain tokens for them. In our example, I have created a realm called "My-application" and the clients "my-application-webapp" and "my-application-api" (see Figure 1). The client "my-application-webapp" could, for example, be used by the frontend and the client "my-application-api" by backend services.
Figure 1: Overview of the clients in the created realm. I created the clients “my-application-api” and “my-application-webapp”. The other clients are present by default.
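To make the three terms concrete, the following is an added example (not code from the original post) that shows where realm, client and role end up in the access token Keycloak issues, and how a backend registered as the client "my-application-api" would consume them. The token payload is constructed by hand to resemble what Keycloak emits for a user of the realm "My-application" who logged in through "my-application-webapp"; the hostname, the user name and the role names "employee" and "manager" are assumptions. It also assumes the JWS signature has already been verified against the realm's JWKS endpoint (`/realms/<realm>/protocol/openid-connect/certs`), which must happen before any claim is trusted.

```python
"""Map Keycloak's realm / client / role terminology onto access-token claims.

Added example, not part of the original article. SAMPLE_PAYLOAD is a
constructed token payload; in production the JWS signature is verified
against the realm's JWKS before these claims are read (assumed done here).
"""

from dataclasses import dataclass

KEYCLOAK_BASE = "https://sso.example.com"  # assumed hostname
REALM = "My-application"
WEBAPP_CLIENT = "my-application-webapp"
API_CLIENT = "my-application-api"

# Constructed sample payload. The claim names are the ones Keycloak emits:
#   iss             -> the realm that issued the token
#   azp             -> the client the user logged in with
#   aud             -> the clients that may accept the token
#   realm_access    -> realm roles
#   resource_access -> roles scoped to individual clients
SAMPLE_PAYLOAD = {
    "iss": f"{KEYCLOAK_BASE}/realms/{REALM}",
    "azp": WEBAPP_CLIENT,
    "aud": [API_CLIENT, "account"],
    "preferred_username": "alice",            # assumed user
    "realm_access": {"roles": ["default-roles-my-application", "employee"]},
    "resource_access": {
        API_CLIENT: {"roles": ["manager"]},    # assumed client role
        "account": {"roles": ["view-profile"]},
    },
}


class TokenRejected(Exception):
    """Raised when the token is not meant for this realm or client."""


@dataclass
class Principal:
    username: str
    realm_roles: frozenset
    client_roles: dict  # client id -> frozenset of role names


def principal_from_payload(payload: dict, expected_realm: str, this_client: str) -> Principal:
    """Accept the token only if it was issued by our realm and is addressed
    to this client, then pull out the realm and client roles."""
    expected_iss = f"{KEYCLOAK_BASE}/realms/{expected_realm}"
    if payload.get("iss") != expected_iss:
        raise TokenRejected(f"issuer {payload.get('iss')!r} is not realm {expected_realm!r}")
    aud = payload.get("aud", [])
    if isinstance(aud, str):  # JWT allows 'aud' to be a single string
        aud = [aud]
    if this_client not in aud:
        raise TokenRejected(f"audience {aud} does not include {this_client!r}")
    realm_roles = frozenset(payload.get("realm_access", {}).get("roles", []))
    client_roles = {
        client: frozenset(entry.get("roles", []))
        for client, entry in payload.get("resource_access", {}).items()
    }
    return Principal(payload.get("preferred_username", "?"), realm_roles, client_roles)


def has_realm_role(p: Principal, role: str) -> bool:
    return role in p.realm_roles


def has_client_role(p: Principal, client: str, role: str) -> bool:
    return role in p.client_roles.get(client, frozenset())


def can_manage_employees(payload: dict) -> bool:
    """The backend's check: only a 'manager' on my-application-api may touch
    employee data. Any rejected token simply means no access."""
    try:
        p = principal_from_payload(payload, REALM, API_CLIENT)
    except TokenRejected:
        return False
    return has_client_role(p, API_CLIENT, "manager")


if __name__ == "__main__":
    print("alice may manage employees:", can_manage_employees(SAMPLE_PAYLOAD))
    foreign = dict(SAMPLE_PAYLOAD, iss=f"{KEYCLOAK_BASE}/realms/Other")
    print("token from another realm accepted:", can_manage_employees(foreign))
```

The point of the issuer and audience checks is that a token from a different realm, or one minted for the web client only, carries no authority for the API even if it happens to list the right role names; the roles are only meaningful inside the realm and client that issued and addressed the token.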