'Direct Integration of Client App with Keycloak OIDC or via a microservice?

I have a setup like this:

  1. Keycloak OIDC Server for Identity and Access Management Service - Running in Cloud - A
  2. Backend RESTful Microservices - Running in Cloud - B
  3. Backend RESTful Microservices - Running in On-prem servers across multiple locations - C
  4. User Mobile app - Multiple users across locations - X
  5. User web app - Multiple users across locations - Y
  • X, Y uses Password grant to access B - i.e. X, Y calls login API of B with username and password; B gets the access token from Keycloak and then sends it in response and they (X,Y) use it for further API calls towards B to get authorized.

Now, this is the doubt that I have:

  • Should we do the same for C? i.e. Should there be an API in B available for C to call to post the client-id and client-secret (client-credentials grant), to get the access token? Is this a good pattern/ valid implementation?

The need for this method of access:

  • Ops team is planning to hide A from being exposed to the internet. So, B will be acting as an abstraction layer for it.
  • Is keeping the IAM service from being exposed to internet a good idea? I have never seen an IAM service, abstracted before. Please clarify.
oauth-2.0keycloakopenid-connect


Solution 1:[1]

HOSTING

The usual hosting best practice is to place the Identity system behind a reverse proxy / gateway such as NGINX Plus. This is because the Identity system connects to sensitive data sources, whereas the reverse proxy can be the entry point, eg in a DMZ. You can then limit the OIDC endpoints exposed to the internet.

Avoid writing home grown proxying to the Identity system. since that is likely to be less resilient than a battle tested system such as NGINX. See the IAM Primer for an overview.

SECURITY DESIGN PATTERNS

A reverse proxy also supports plugins that can do many utility security jobs, such as translating secure cookies to access tokens. So it is a highly useful part of the architecture. See this article for an example plugin using the high level LUA programming language.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Gary Archer

Related Questions

No authentication handler is registered for the scheme 'Cookies'. The registered schemes are: Application, Bearer, ASOS

What is the best approach to logout from keycloak after authentication via pkce?

How do I validate a JWT using JwtSecurityTokenHandler and a JWKS endpoint?

Change the preferred_username in token for client credential grant flow

ASP.NET Web API and OpenID Connect: how to get Access Token from Authorization Code

What are the default Lifetime values for openiddict tokens

Web API with Microsoft Identity Platform Authentication

RFC - Adding Group Claims from OKTA to Role Claims in .net Framework Using OIDC

Blazor WebAssembly Hosted on IIS - only API is working

OpenIdConnectProtocolValidator - nonce error

Logout from Keycloak does not logout Active Directory User

OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

How to configure Keycloak to work with Guacamole's OpenID plugin?

Web App SPA & OIDC: How to properly authenticate before accessing the front?

Null Reference Exception when calling GraphServiceClient from a .net core Razor application that uses OpenIdConnect