Keycloak with Microfrontends

Given the shown architecture:

[Architecture diagram]

  • MFE = Microfrontend
  • SPA = JavaScript browser app
  • API-Gateway = Session-to-token translation

Is it possible via OAuth2 for the user to grant consent for the pizza ordering to send him notifications, but not for the kebap ordering?

My thoughts so far, solving the problem in "OAuth" space: register a Keycloak confidential client for each microservice (= OAuth2 client) and allow the user (resource owner) to give consent for accessing the notification service (scope / resource server) to each client individually.

But registering multiple clients for a single SPA seems very odd to me... Also, the backend would need to persist whether the user gave consent and, if so, attach optional scopes when requesting the token.

Is this the solution to go or are there better ways to accomplish the requirement?

EDIT: Additional note: the pizza ordering and kebap ordering systems might be provided by external companies, so we prefer not to "trust them to behave properly", but to technically enforce that they only send notifications if the user agreed.

(Please let's forget the situation that the kebap client could call the pizza-api ... ;)



Solution 1:

CONSENT

The user should only consent when their personal assets are involved, e.g. the app can use my email but not my home address. Permissions to send notifications are just preferences; manage them within the app, e.g. via a "complete your profile" workflow after the initial login.

SCOPE

Permissions to your app's own data are a different concept. The best practice is to manage them via scopes and claims rather than consent.

The scope best practices article may be useful to you here. It explains how a single client can use multiple types of data.

It also describes how microservices can call each other if needed, while securely maintaining the user identity. UIs and APIs will not always have a 1-to-1 mapping.

YOUR EXAMPLE

I think the user could consent to use of the email scope, to grant access to their email inbox. Then manage finer details via some kind of settings screen within the app.

Then it is your backend's responsibility to manage data connections and access. Scopes are useful for cross component calls, though I would avoid a scope for each type of food. Partner connections will each use their own mechanism, but you don't need to involve the user in that.
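An added example, not part of the question or the answer, showing the enforcement side the question asks for, done the way the answer suggests: one capability scope for sending notifications, and the per-food decision kept in an app-side consent store rather than in OAuth consent. It assumes each ordering backend calls the notification service with a token issued to its own confidential client (the question's own proposal), so the token's `azp` (authorized party) claim names the caller; the audience value, scope name, client ids and user id are constructed placeholders, and signature and expiry verification of the token is assumed to happen upstream (e.g. against Keycloak's JWKS) before these claims are trusted.

```python
from dataclasses import dataclass, field

# Constructed placeholder values; a real deployment uses its own names.
NOTIFICATION_AUDIENCE = "notification-service"
NOTIFY_SCOPE = "notifications:send"


@dataclass
class ConsentStore:
    """Per-user record of which OAuth2 clients may notify the user.

    Keyed by user id (the token's `sub` claim); values are client ids.
    This is the app-side preference store the answer recommends, filled
    from a settings screen, not from the IdP consent screen."""
    grants: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, user_id: str, client_id: str) -> None:
        self.grants.setdefault(user_id, set()).add(client_id)

    def revoke(self, user_id: str, client_id: str) -> None:
        self.grants.get(user_id, set()).discard(client_id)

    def allowed(self, user_id: str, client_id: str) -> bool:
        return client_id in self.grants.get(user_id, set())


def authorize_notification(claims: dict, store: ConsentStore) -> tuple[bool, str]:
    """Decide whether the bearer of an already-verified access token may send
    a notification to the user named in `sub`.

    `claims` is the decoded JWT payload. Three checks, all of which must pass:
      1. the token was issued for this service (aud),
      2. the token carries the notification capability (scope),
      3. the user has opted in to this particular client (azp)."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # `aud` may be a string or a list
        aud = [aud]
    if NOTIFICATION_AUDIENCE not in aud:
        return False, "token not issued for the notification service"

    scopes = set(claims.get("scope", "").split())
    if NOTIFY_SCOPE not in scopes:
        return False, f"missing scope {NOTIFY_SCOPE}"

    client_id = claims.get("azp")     # the client the token was issued to
    user_id = claims.get("sub")
    if not client_id or not user_id:
        return False, "token lacks azp or sub"

    if not store.allowed(user_id, client_id):
        return False, f"user {user_id} has not opted in to notifications from {client_id}"
    return True, "allowed"


def demo() -> dict[str, bool]:
    """Constructed scenario: user-42 opts in to pizza but not kebap notifications."""
    store = ConsentStore()
    store.grant("user-42", "pizza-ordering")

    base = {
        "sub": "user-42",
        "aud": [NOTIFICATION_AUDIENCE],
        "scope": "openid email " + NOTIFY_SCOPE,
    }
    pizza = {**base, "azp": "pizza-ordering"}
    kebap = {**base, "azp": "kebap-ordering"}
    wrong_audience = {**pizza, "aud": "pizza-api"}            # token meant for another API
    no_scope = {**pizza, "scope": "openid email"}            # capability not granted

    results = {
        "pizza": authorize_notification(pizza, store)[0],
        "kebap": authorize_notification(kebap, store)[0],
        "wrong_audience": authorize_notification(wrong_audience, store)[0],
        "no_scope": authorize_notification(no_scope, store)[0],
    }
    store.revoke("user-42", "pizza-ordering")                 # user changes their mind
    results["pizza_after_revoke"] = authorize_notification(pizza, store)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'send' if ok else 'reject'}")
```

The notification service never has to trust the ordering partner: the audience and scope checks come from the token the IdP issued, and the opt-in check comes from data the user controls in your own app. Removing a grant takes effect on the next call without touching tokens or Keycloak client configuration.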

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
