I'm currently trying to design a complete platform using:
- Vue as my frontend framework
- Node as my backend framework (fastify)
- Keycloak as my IAM <--- here is the problem
Quick overview
I am building an architecture where multiple websites will be in place, like for example:
- site1.myapp.com
- site2.myapp.com
- and so on...
What I want to do is to give users SSO so that they will be able to access all websites with one login, having different roles/permissions on different sites (e.g. admin on site1, editor on site2...). Since I previously worked with Keycloak, I know that in order to achieve this there must be one realm, like "master", and all other sites will be clients, each one with their client roles and so on...
The issue
My issue is that, for site1 (and actually not only for it, but maybe also for site4 and site6), I will need to let the admin user create new users, with given permissions, on a specific sub-resource in that website.
Let's focus just on site1, for example:
site1 has a set of sub-resources, like:
- animals
- plants
admin of resource "animals" can create another user that will get access only to the resource "animals" with a given set of permissions (e.g. read animal names, edit names...), without having access to "plants" at all
site1 also has user self-provisioning, so someone could arrive and create a new sub-resource by paying, for example creating "fishes" and automatically becoming admin only of "fishes".
Problem is, with Keycloak I am unable to do that in a simple way, since I think somehow I don't have all the needed layers to have this kind of granularity. So:
site1 = client of realm "master"
animals = resource of client "site1"
- How do I assign permissions to user A only for "animals" on client "site1"?
- How do I see those permissions in my Vue app (e.g. in the JWT) so as to hide "plants" and "fishes" for user A?
- How do I do the same to block access to the backend?
From my understanding of Keycloak, I think there is something wrong, since maybe if "site1" was a Realm instead of a Client these issues could be resolved? (But then, the other issue would be how to align Keycloak so that all Clients have the same roles available?)
Do you have any suggestion?
Sorry for all the question marks. Thank you all :D