πŸš€ Introducing ABAPer β€” AI-powered development tools for SAP ABAP developers.
Logo
Login Contact Us

Kanishk Kaushik - May 07, 2025

πŸ” Role-Based Access Control in Your App with Keycloak Authorization

Managing who can access what in your application is a fundamental requirement for any secure system. With Keycloak, an open-source identity and access management tool, you can go beyond simple role checks and implement a fine-grained authorization system using RBAC (Role-Based Access Control). In this blog, we’ll explore how to protect your application endpoints using Keycloak Authorization Services.

🌍 What is Role-Based Authorization?

Role-Based Authorization means access to resources is granted based on the roles assigned to a user. For example:

  • A user with the admin role can create and delete users.
  • A user with the viewer role can only read data.

RBAC allows us to define clear and manageable access control policies for users without hardcoding them into our application logic.

Screenshot Image

πŸ›‘οΈ Keycloak Authorization Concepts

Here’s how Keycloak helps implement RBAC using the following core concepts:

βœ… Resources

Resources represent what you are protecting (e.g., endpoints, data objects). Example: /teams, /users/{id}

πŸ” Scopes

Scopes define what actions can be performed on a resource. Example: view, create, delete, update

πŸͺͺ Permissions

Permissions map roles or policies to resources and scopes. Example:

  • admin β†’ /teams + create, delete
  • viewer β†’ /teams + view

πŸ“œ Policies

Policies determine who is allowed to access what. Policies can be based on roles, group membership, client IP, time, or custom JS logic.

πŸ› οΈ Small Example: Protect /teams Endpoint

Suppose we have an API endpoint /teams and want only users with the team-admin role to access it.

  1. Create Role
    In Keycloak Admin Console:
    Go to Clients > Your Client > Roles
    Add role: team-admin

  2. Create Resource
    Go to Authorization > Resources:

    • Name: teams-endpoint
    • URI: /teams
    • Scopes: view, create

  3. Create Scope
    Under Authorization > Scopes, create:

    • view
    • create

  4. Create Policy
    Under Authorization > Policies:

    • Type: Role-based
    • Name: Team Admin Policy
    • Apply to role: team-admin

  5. Create Permission
    Under Authorization > Permissions:

    • Name: Teams Access
    • Resources: teams-endpoint
    • Scopes: view, create
    • Apply Policy: Team Admin Policy

πŸ§ͺ How to Enforce Access in Your App

1. Get Access Token (Client Credentials) 

curl --location --request POST 'http://<KEYCLOAK_HOST>/realms/<realm>/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>'

2. Request RPT Token (UMA Authorization) 

curl --location --request POST 'http://<KEYCLOAK_HOST>/realms/<realm>/protocol/openid-connect/token' \
--header 'Authorization: Bearer <access_token>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=<client_id>' \
--data-urlencode 'permission=/teams#create'

If the user has the right role (team-admin), you’ll get a valid RPT (Requesting Party Token). Otherwise, the server responds with an error.

3. Protect Endpoint in Your Backend

In your app (e.g., in Go, Python, Node.js), verify the JWT token and optionally check for permissions in the RPT token.

For example, in Go:

// decode and verify RPT JWT
// check if it contains permission: /teams with scope create

πŸ§ͺ Discovering Protected Resources

You can also discover resources via:

GET /auth/realms/<realm>/authz/protection/resource_set?uri=/teams&deep=true
Authorization: Bearer <PAT>

This allows your app or API gateway to dynamically check which permissions apply to a URI.

πŸš€ Final Thoughts

Keycloak makes it easy to manage RBAC and enforce it with its powerful Authorization Services. By clearly defining resources, scopes, roles, and permissions, you can protect your application endpoints dynamically and securely.

We’ve successfully applied this to our own app for team and project creation, ensuring that only users with the admin role can perform create operations β€” all without hardcoding roles or permissions in our application code.

Next time you’re building a secure app, consider handing off your authorization logic to Keycloak β€” and focus more on building features, not access checks.

Need a walkthrough? Contact your Customer Success Manager or email us at info@bluefunda.com.

Share this article
LinkedIn