wiki

User Tools

Site Tools

Trace:
solution_for_authentication_authorization

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
solution_for_authentication_authorization [2026/01/22 06:27] – created pradnyasolution_for_authentication_authorization [2026/01/23 12:25] (current) – Imported from DOCX sonali
Line 1: Line 1:
 +LDAP only verifies users, but it is not sufficient for modern security requirements. Keycloak is a complete open-source SSO solution that can integrate with LDAP and provides secure APIs through JWT tokens.
  
 +**Entity Management Tool – LDAP vs Keycloak**
  
-**LDAP only verifies users, but it is not sufficient for modern security requirementsKeycloak is a complete open-source SSO solution that can integrate with LDAP and provides secure APIs through JWT tokens.**+===== 1. LDAP =====
  
-**Entity Management Tool – LDAP vs Keycloak** +==== Best for ==== 
-=====   1. LDAP   =====+ 
 +Internal company logins 
 + 
 +Simple username/password authentication 
 + 
 +==== What LDAP does (Simple terms) ==== 
 + 
 +LDAP (Lightweight Directory Access Protocol) is a **central user directory** 
 + 
 +It only verifies **username and password** 
 + 
 +It tells the application **YES / NO** (valid user or not) 
 + 
 +==== How LDAP login works ==== 
 + 
 +User enters username & password 
 + 
 +Application sends credentials to LDAP 
 + 
 +LDAP verifies user 
 + 
 +LDAP returns YES / NO 
 + 
 +Application creates its own session 
 + 
 +==== Limitations of LDAP ==== 
 + 
 +No social login 
 + 
 +No JWT / access tokens 
 + 
 +No Single Sign-On (SSO) 
 + 
 +Hard to manage roles & permissions dynamically 
 + 
 +Old technology 
 + 
 +Weak for modern APIs and mobile applications 
 + 
 +Not provide any public api for authentication or user management 
 + 
 +===== 2. Keycloak ===== 
 + 
 +==== What is Keycloak? ==== 
 + 
 +Keycloak is an **open‑source identity and access management server** developed by **Red Hat**.Keycloak is OpenID Connect–based. 
 + 
 +==== Main responsibilities ==== 
 + 
 +User login 
 + 
 +Roles & permissions management 
 + 
 +JWT token generation 
 + 
 +Single Sign-On (SSO) 
 + 
 +==== How Keycloak works ==== 
 + 
 +Application → redirects to Keycloak → user logs in → application receives JWT token 
 + 
 +We can customize the Keycloak login page using our own themeWe can also manage users through the Keycloak admin interface or by calling Keycloak APIs from our system. 
 + 
 +==== Key benefits ==== 
 + 
 +Language independent (works with any backend) 
 + 
 +Open-source 
 + 
 +GUI‑based role & user management 
 + 
 +No role & permission stored in application DB 
 + 
 +No role & permission hardcoded in code 
 + 
 +SSO ready 
 + 
 +Highly scalable 
 + 
 +Provide public apis. 
 + 
 +===== Public APIs ===== 
 + 
 +===== Authentication ===== 
 + 
 +Login API 
 + 
 +Token generation 
 + 
 +Token validation 
 + 
 +==== User Management ==== 
 + 
 +Create user 
 + 
 +Assign role 
 + 
 +Update user 
 + 
 +Disable user 
 + 
 +===== 3. Keycloak Login Flow ===== 
 + 
 +User clicks Login on application 
 + 
 +User is redirected to Keycloak login page 
 + 
 +User enters credentials 
 + 
 +Keycloak verifies user 
 + 
 +Keycloak generates JWT token 
 + 
 +User is logged into the application 
 + 
 +===== 4. Keycloak with LDAP Integration ===== 
 + 
 +==== Keycloak works with LDAP. ==== 
 + 
 +==== Flow ==== 
 + 
 +User data stored in **LDAP** 
 + 
 +Login handled by **Keycloak** 
 + 
 +Keycloak validates user from LDAP 
 + 
 +Keycloak issues **JWT token** to application 
 + 
 +==== Advantages ==== 
 + 
 +No user database in application 
 + 
 +No passwords stored in application 
 + 
 +Centralized authentication & authorization 
 + 
 +But for Keyclock we need to install a keyclock in our server & need to run on another port. 
 + 
 +We can install under Same domain 
 + 
 +Step : install → run → connect with PHP 
 + 
 +**User & Role Hierarchy – Keycloak Integration** 
 + 
 +**Keycloak can fully support our existing role and permission structure without any limitation.** 
 + 
 +==== Existing Roles in Current System ==== 
 + 
 +Our application currently has the following user roles, each with different permissions: 
 + 
 +Super Admin 
 + 
 +Our Agents 
 + 
 +Admin 
 + 
 +SPOC 
 + 
 +Approver 
 + 
 +Employee 
 + 
 +**How Roles Will Be Managed in Keycloak** 
 + 
 +Each existing role will be created in Keycloak as a **Realm Role**: 
 + 
 +ROLE_SUPER_ADMIN 
 + 
 +ROLE_TAXIVAXI_AGENTS 
 + 
 +ROLE_ADMIN 
 + 
 +ROLE_SPOC 
 + 
 +ROLE_APPROVER 
 + 
 +ROLE_EMPLOYEE 
 + 
 +Each user will be assigned **one main role** based on their type. 
 + 
 +**How Permissions Will Be Managed** 
 + 
 +Permissions (what a user can do) will be managed separately using **Client Roles**. 
 + 
 +Create booking 
 + 
 +View booking 
 + 
 +Approve booking 
 + 
 +View invoices 
 + 
 +Access admin panel 
 + 
 +View reports 
 + 
 +This allows flexibility without changing application code. 
 + 
 +Role & Permission mapping 
 + 
 +==== Roles and Permissions ==== 
 + 
 +**SPOC** 
 + 
 +CREATE_BOOKING 
 + 
 +\\  
 + 
 +**EMPLOYEE** 
 + 
 +CREATE_BOOKING 
 + 
 +===== JWT Token After Login ===== 
 + 
 +After successful login, the system receives a **JWT token** from Keycloak containing the user’s roles and permissions. 
 + 
 +Example: SPOC Token 
 + 
 +
 + 
 +  "roles": ["ROLE_SPOC"], 
 + 
 +  "permissions": ["CREATE_BOOKING",”VIEW_BOOKING”]
  
-====   Best for   ====+
  
-  *+Example: Employee Token
  
-**Internal company logins** +{
-  *+
  
-**Simple username/password authentication** +  "roles": ["ROLE_EMPLOYEE"],
-====   What LDAP does (Simple terms)   ====+
  
-  *+  "permissions": ["CREATE_BOOKING"]
  
-**LDAP (Lightweight Directory Access Protocol) is a central user directory** +}
-  *+
  
-**It only verifies username and password** +Then our system will check if there is an option create booking then show create booking option.
-  *+
  
-**It tells the application YES / NO (valid user or not)** +if (userHasPermission('CREATE_BOOKING'){
-====   How LDAP login works   ====+
  
-  -+    showCreateBookingButton();
  
-**User enters username & password** +}
-  -+
  
-**Application sends credentials to LDAP** +**If One user has multiple roles:**
-  -+
  
-**LDAP verifies user** +So **permissions should depend on the selected role at login time**, not on all roles together.
-  -+
  
-**LDAP returns YES / NO** +How it works
-  -+
  
-**Application creates its own session** +User logs in
-====   Limitations of LDAP   ====+
  
-  *+The system asks: “Login as which role?”
  
-**No social login** +Approver
-  *+
  
-**No JWT / access tokens** +Employee
-  *+
  
-**No Single Sign-On (SSO)** +SPOC
-  *+
  
-**Hard to manage roles & permissions dynamically** +User selects one role
-  *+
  
-**Old technology*+Keycloak issues JWT token **only with permissions of the selected role**
-  *+
  
-**Weak for modern APIs and mobile applications** +Application uses that token
-  *+
  
-**Not provide any public api for authentication or user management** +**Authentication & Authorization for Microservices**
-=====   2. Keycloak   =====+
  
-==== **What is Keycloak?** ====+**Keycloak fits very well for microservices.Keycloak acts as a central authentication & authorization server.**
  
-**Keycloak is an open‑source identity and access management server developed by Red Hat.Keycloak is OpenID Connect–based.**+User logs in via Keycloak
  
-====   Main responsibilities   ====+Keycloak verifies credentials
  
-  *+Keycloak issues JWT token
  
-**User login** +Token is sent with every API request
-  *+
  
-**Roles & permissions management*+**Each microservice:**
-  *+
  
-**JWT token generation*+**Reads permissions from JWT**
-  *+
  
-**Single Sign-On (SSO)** +**Allows or denies access**
-====   How Keycloak works   ====+
  
-**Application → redirects to Keycloak → user logs in → application receives JWT token**+**Keycloak with Multiple Microservices**
  
-**We can customize the Keycloak login page using our own theme. We can also manage users through the Keycloak admin interface or by calling Keycloak APIs from our system.**+One login for all services (SSO)
  
-====   Key benefits   ====+Same token works across services
  
-  -+No duplicate user DBs
  
-**Language independent (works with any backend)** +**Operational Complexity (Learning & Adoption Effort)**
-  -+
  
-**Open-source** +**For developer**
-  -+
  
-**GUI‑based role & user management** +Basic Keycloak concepts (Realm, Client, Roles)
-  -+
  
-**No role & permission stored in application DB** +JWT token structure
-  -+
  
-**No role & permission hardcoded in code** +Token validation in services
-  -+
  
-**SSO ready** +==== For Operations / Admin Team ====
-  -+
  
-**Highly scalable** +GUI-based user & role management
-  -+
  
-**Provide public apis.** +==== Initial Setup (One-time) ====
-=====   Public APIs   =====+
  
-===== **Authentication** =====+Keycloak installation
  
-  *+LDAP / DB integration
  
-**Login API** +Role & permission setup
-  *+
  
-**Token generation** +Token configuration
-  *+
  
-**Token validation** +**End-to-End Authentication & Authorization Flow**
-====   User Management   ====+
  
-  *+User authentication and token generation are handled by Keycloak, token validation is done at the gateway, and each backend service authorizes requests by checking permissions from the JWT token
  
-**Create user*+**Flow**
-  *+
  
-**Assign role** +User opens the application and initiates login.\\ React application redirects the user to Keycloak for authentication.
-  *+
  
-**Update user*+**Keycloak (Login + Token)**
-  *+
  
-**Disable user** +User enters credentials.
-=====   3Keycloak Login Flow   =====+
  
-  -+Keycloak verifies the user (via DB / LDAP).
  
-**User clicks Login on application** +On success, Keycloak generates a JWT access token.\\ 
-  -+
  
-**User is redirected to Keycloak login page** +**React UI (Receives JWT)**
-  -+
  
-**User enters credentials** +React receives the JWT token.
-  -+
  
-**Keycloak verifies user** +\\ 
-  -+
  
-**Keycloak generates JWT token** +**React UI → API Call**
-  -+
  
-**User is logged into the application** +For every API request, React sends the JWT token in the request header:
-=====   4. Keycloak with LDAP Integration   =====+
  
-==== **Keycloak works with LDAP.** ====+**API Gateway (Token Validation)**
  
-====   Flow   ====+Gateway intercepts the request.
  
-  *+Validates the JWT token:
  
-**User data stored in LDAP** +If the token is invalid → request is rejected.
-  *+
  
-**Login handled by Keycloak** +\\ 
-  *+
  
-**Keycloak validates user from LDAP*+**Node Microservice (Permission Check)**
-  *+
  
-**Keycloak issues JWT token to application** +Backend service reads roles/permissions from the JWT payload.
-====   Advantages   ====+
  
-  *+Checks whether the user has the required permission for the API.
  
-**No user database in application** +If permission is missing → access denied (403).
-  *+
  
-**No passwords stored in application** +\\ 
-  *+
  
-**Centralized authentication & authorization*+**Response**
-  *+
  
-**But for Keyclock we need to install a keyclock in our server & need to run on another port.** +Node microservice sends the response back to the client through the gateway.
-  *+
  
-**We can install under Same domain** +React UI displays the result to the user.
-  *+
  
-**Step : install → run → connect with PHP** 
-  
solution_for_authentication_authorization.1769063264.txt.gz · Last modified: by pradnya