Is there a dead simple guide to keycloak authorization policies?

I basically want to prevent all users from accessing an application unless they have a specific role (which grants them access through their group).

The policy seemingly always evaluates as deny for now, even though there's sometimes a permit, but even with it evaluating to deny, I can still log in to the application?

#keycloak

@thisismissem

I personally haven't used OAuth systems like Keycloak for authorisation policies, but instead I've used scopes in the bearer tokens for this high-level access control.

Each ingress gateway (and even each microservice behind that) has an "applicationName-r" and an "applicationName-rw" scope for read and read-write access.

Usually that, plus the user context (subject) on the bearer token is enough to make good access policy decisions inside the target application.

One (maybe naive) criticism I have of central auth policies within Keycloak is that the constant traffic to the policy server sounds impractical for scaling, and if you need more than the RBAC-style logic already provided by scopes then you are necessarily mixing domain and business logic into your auth server.

But maybe I am missing some patterns that make these concerns invalid.

I do see that centralizing this can be helpful for auditability and observing access.
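Both approaches in this thread come down to the resource server making a deny-by-default decision from claims in the bearer token: the question's "only users with role X" rule, and the reply's "applicationName-r / applicationName-rw" scope convention. The following is an added example (not code from either poster, and not Keycloak's own library) that implements both checks side by side. It assumes the token's signature and expiry have already been verified by a JWKS-aware library and only the decoded payload is passed in, that roles arrive in Keycloak's standard `realm_access.roles` and `resource_access.<client>.roles` claims (group-mapped roles are flattened into those lists by the default role mappers), and that scopes arrive in the space-separated `scope` claim; the client id `billing-app`, the application name `billing`, the role name `billing-user` and the sample payloads are all constructed for illustration.

```python
"""Deny-by-default access checks over the claims of an already-verified bearer token.

Added example, not code from the thread. Assumptions:
  * signature and expiry were verified upstream; `claims` is the decoded payload;
  * Keycloak claim layout: "realm_access": {"roles": [...]} and
    "resource_access": {"<client-id>": {"roles": [...]}};
  * scope convention from the reply: "<app>-r" grants read, "<app>-rw" grants
    read and write, carried in the space-separated "scope" claim.
"""
from __future__ import annotations

from dataclasses import dataclass

READ = "read"
WRITE = "write"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # kept for audit logs: why the request was allowed or denied


def token_roles(claims: dict, client_id: str) -> set[str]:
    """Union of realm roles and the roles mapped to one client; missing claims yield an empty set."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)


def token_scopes(claims: dict) -> set[str]:
    """Split the OAuth 'scope' claim; anything that is not a string is treated as no scopes."""
    scope = claims.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set()


def require_role(claims: dict, client_id: str, required_role: str) -> Decision:
    """The question's rule: deny every caller that does not carry the required role."""
    roles = token_roles(claims, client_id)
    if required_role in roles:
        return Decision(True, f"role {required_role!r} present")
    return Decision(False, f"role {required_role!r} missing (token roles: {sorted(roles)})")


def require_scope(claims: dict, app_name: str, action: str) -> Decision:
    """The reply's rule: '<app>-rw' allows read and write, '<app>-r' allows read only, else deny."""
    scopes = token_scopes(claims)
    if f"{app_name}-rw" in scopes:
        return Decision(True, f"{app_name}-rw grants {action}")
    if action == READ and f"{app_name}-r" in scopes:
        return Decision(True, f"{app_name}-r grants read")
    return Decision(False, f"no scope on token grants {action} on {app_name}")


# Constructed sample payloads (not real tokens; subjects and names are made up).
ADMIN_CLAIMS = {
    "sub": "user-1",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"billing-app": {"roles": ["billing-user"]}},
    "scope": "openid billing-rw",
}
VIEWER_CLAIMS = {
    "sub": "user-2",
    "realm_access": {"roles": []},
    "scope": "openid billing-r",
}
STRANGER_CLAIMS = {"sub": "user-3", "scope": "openid"}

if __name__ == "__main__":
    for name, c in [("admin", ADMIN_CLAIMS), ("viewer", VIEWER_CLAIMS), ("stranger", STRANGER_CLAIMS)]:
        print(name, require_role(c, "billing-app", "billing-user"))
        print(name, require_scope(c, "billing", WRITE))
```

Whichever model is used, the decision is made inside the application on every request, so a Keycloak policy that evaluates to deny only has effect if the application (or its gateway) actually consults that decision before serving the resource; a successful login by itself proves only that authentication succeeded. The `reason` field exists so that denials can be logged with the roles or scopes that were actually present, which is the auditability the reply mentions.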