Closed
Labels
Feature: Development of new feature
Description
Both the back-end and front-end need to be secured using Keycloak. The service must support tenancy/realms.
From what I could find, no existing middleware solution currently properly supports multiple realms via a single middleware. So a custom implementation is most likely needed here, but it should be fairly straightforward. Keycloak provides a JWK endpoint that allows us to decode and verify the JWT token. (See https://www.keycloak.org/securing-apps/oidc-layers)
Backend: FastAPI/Starlette Middleware
A middleware is needed to validate and enforce authentication and authorization for API access.
- Token validation (issuer, signature, etc.) using JWKS
- Extract user permissions/roles
- Tenancy support
- Restrict access to service endpoints based on scopes: write:admin, read:admin
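The middleware described above, as an added example that is not part of this issue or the project's own code. It shows the tenancy-aware flow: pick the realm from the token's issuer, verify the signature with that realm's keys, check the standard claims (iss, aud, exp, nbf), then enforce the required scopes. Everything here is stdlib only; the HS256 verifier, the server URL, tenant names, secrets and the demo token minter are constructed for the example. Keycloak actually signs tokens with RS256 and publishes the public keys at each realm's JWKS endpoint, so in a deployment the verify callable would be backed by a JWKS client (for instance PyJWT's PyJWKClient) rather than a shared secret.

```python
"""Multi-realm bearer-token validation and scope enforcement (added example)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class RealmConfig:
    """One entry per tenant/realm. `issuer` is what Keycloak writes into the "iss"
    claim (<server>/realms/<realm>); `verify` checks a signature with that realm's
    keys and receives (signing_input, signature_b64url, kid)."""
    issuer: str
    audience: str
    verify: Callable[[str, str, str], bool]


class AuthError(Exception):
    """Rejection with the HTTP status the middleware should answer with (401/403)."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status, self.detail = status, detail


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _split_token(token: str):
    """Parse header and payload WITHOUT trusting them yet; used only to route to a realm."""
    try:
        h, p, sig = token.split(".")
        return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}", sig
    except ValueError:  # wrong part count, bad base64, bad JSON
        raise AuthError(401, "malformed token")


def authenticate(authorization: Optional[str], realms: Dict[str, RealmConfig],
                 now: Optional[float] = None) -> dict:
    """Validate the bearer token against the realm named by its issuer; return claims."""
    if not authorization or not authorization.startswith("Bearer "):
        raise AuthError(401, "missing bearer token")
    header, claims, signing_input, signature = _split_token(authorization[7:].strip())
    # Tenancy: the unverified "iss" only selects which realm's keys to verify with.
    realm = realms.get(claims.get("iss", ""))
    if realm is None:
        raise AuthError(401, "unknown realm / issuer")
    if not realm.verify(signing_input, signature, header.get("kid", "")):
        raise AuthError(401, "invalid signature")
    # From here on the claims are authenticated by that realm's key.
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    if realm.audience not in ([aud] if isinstance(aud, str) else aud):
        raise AuthError(401, "audience mismatch")
    if claims.get("exp", 0) <= now:
        raise AuthError(401, "token expired")
    if claims.get("nbf", 0) > now:
        raise AuthError(401, "token not yet valid")
    return claims


def require_scopes(claims: dict, required: List[str]) -> None:
    """Authorization: every required scope must be in the space-separated "scope" claim."""
    missing = [s for s in required if s not in set(claims.get("scope", "").split())]
    if missing:
        raise AuthError(403, "missing scopes: " + " ".join(missing))


def make_hs256_verifier(keys: Dict[str, bytes]) -> Callable[[str, str, str], bool]:
    """Constructed demo verifier: HS256 keyed by kid. Replace with a JWKS-backed RS256 check."""
    def verify(signing_input: str, signature: str, kid: str) -> bool:
        key = keys.get(kid)
        if key is None:
            return False
        expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(signature))
    return verify


def mint_demo_token(key: bytes, kid: str, claims: dict) -> str:
    """Constructed helper that builds sample HS256 tokens for the demo only."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}." + _b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())


KC = "https://keycloak.example.test/realms"            # constructed server URL
TENANT_KEYS = {"tenant-a": b"secret-a", "tenant-b": b"secret-b"}  # constructed secrets
REALMS = {f"{KC}/{name}": RealmConfig(issuer=f"{KC}/{name}", audience="my-service",
                                      verify=make_hs256_verifier({f"{name}-key1": key}))
          for name, key in TENANT_KEYS.items()}


def demo(realm: str, key: bytes, scope: str, now: float = 1_700_000_000.0, ttl: int = 300) -> int:
    """Mint a token for `realm` signed with `key`, run the request through the checks,
    and return the HTTP status the middleware would produce for an admin-read endpoint."""
    tok = mint_demo_token(key, f"{realm}-key1", {"iss": f"{KC}/{realm}", "aud": "my-service",
                                                 "exp": now + ttl, "scope": scope, "sub": "alice"})
    try:
        require_scopes(authenticate("Bearer " + tok, REALMS, now=now), ["read:admin"])
        return 200
    except AuthError as e:
        return e.status


if __name__ == "__main__":
    print(demo("tenant-a", b"secret-a", "read:admin"), demo("tenant-a", b"secret-b", "read:admin"))
```

In a FastAPI/Starlette app the two functions slot into a middleware or dependency: authenticate() on every request (401 on failure), then require_scopes() per route (403 on failure). The issuer lookup before verification is what gives per-tenant key selection, and the dictionary of realms is the only thing that changes when a tenant is added.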
Front-end Integration with Keycloak
The front-end authenticates with Keycloak using the keycloak-js package.
Completed:
- Keycloak authentication initialization
- Token management
- Include token in Authorization header for API requests
- Support both:
  - Standalone context: front-end is loaded directly; handles its own token refresh
  - Embedded context (iframe): token refresh is handled by the top-window
- Tenancy handling in the front-end
Notes
- All requests to the back-end should be rejected if they do not include a valid bearer token with appropriate scopes.
- The front-end should cleanly handle login flows, token refresh, and invalid sessions, while taking into account multi-tenancy.