wiki

User Tools

Site Tools

Trace:
solution_for_authentication_authorization

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
solution_for_authentication_authorization [2026/01/22 06:28] – Imported from DOCX sonalisolution_for_authentication_authorization [2026/01/23 12:25] (current) – Imported from DOCX sonali
Line 148: Line 148:
  
 Step : install → run → connect with PHP Step : install → run → connect with PHP
 +
 +**User & Role Hierarchy – Keycloak Integration**
 +
 +**Keycloak can fully support our existing role and permission structure without any limitation.**
 +
 +==== Existing Roles in Current System ====
 +
 +Our application currently has the following user roles, each with different permissions:
 +
 +Super Admin
 +
 +Our Agents
 +
 +Admin
 +
 +SPOC
 +
 +Approver
 +
 +Employee
 +
 +**How Roles Will Be Managed in Keycloak**
 +
 +Each existing role will be created in Keycloak as a **Realm Role**:
 +
 +ROLE_SUPER_ADMIN
 +
 +ROLE_TAXIVAXI_AGENTS
 +
 +ROLE_ADMIN
 +
 +ROLE_SPOC
 +
 +ROLE_APPROVER
 +
 +ROLE_EMPLOYEE
 +
 +Each user will be assigned **one main role** based on their type.
 +
 +**How Permissions Will Be Managed**
 +
 +Permissions (what a user can do) will be managed separately using **Client Roles**.
 +
 +Create booking
 +
 +View booking
 +
 +Approve booking
 +
 +View invoices
 +
 +Access admin panel
 +
 +View reports
 +
 +This allows flexibility without changing application code.
 +
 +Role & Permission mapping
 +
 +==== Roles and Permissions ====
 +
 +**SPOC**
 +
 +CREATE_BOOKING
 +
 +\\ 
 +
 +**EMPLOYEE**
 +
 +CREATE_BOOKING
 +
 +===== JWT Token After Login =====
 +
 +After successful login, the system receives a **JWT token** from Keycloak containing the user’s roles and permissions.
 +
 +Example: SPOC Token
 +
 +{
 +
 +  "roles": ["ROLE_SPOC"],
 +
 +  "permissions": ["CREATE_BOOKING",”VIEW_BOOKING”]
 +
 +
 +
 +Example: Employee Token
 +
 +{
 +
 +  "roles": ["ROLE_EMPLOYEE"],
 +
 +  "permissions": ["CREATE_BOOKING"]
 +
 +}
 +
 +Then our system will check if there is an option create booking then show create booking option.
 +
 +if (userHasPermission('CREATE_BOOKING')) {
 +
 +    showCreateBookingButton();
 +
 +}
 +
 +**If One user has multiple roles:**
 +
 +So **permissions should depend on the selected role at login time**, not on all roles together.
 +
 +How it works
 +
 +User logs in
 +
 +The system asks: “Login as which role?”
 +
 +Approver
 +
 +Employee
 +
 +SPOC
 +
 +User selects one role
 +
 +Keycloak issues JWT token **only with permissions of the selected role**
 +
 +Application uses that token
 +
 +**Authentication & Authorization for Microservices**
 +
 +**Keycloak fits very well for microservices.Keycloak acts as a central authentication & authorization server.**
 +
 +User logs in via Keycloak
 +
 +Keycloak verifies credentials
 +
 +Keycloak issues JWT token
 +
 +Token is sent with every API request
 +
 +**Each microservice:**
 +
 +**Reads permissions from JWT**
 +
 +**Allows or denies access**
 +
 +**Keycloak with Multiple Microservices**
 +
 +One login for all services (SSO)
 +
 +Same token works across services
 +
 +No duplicate user DBs
 +
 +**Operational Complexity (Learning & Adoption Effort)**
 +
 +**For developer**
 +
 +Basic Keycloak concepts (Realm, Client, Roles)
 +
 +JWT token structure
 +
 +Token validation in services
 +
 +==== For Operations / Admin Team ====
 +
 +GUI-based user & role management
 +
 +==== Initial Setup (One-time) ====
 +
 +Keycloak installation
 +
 +LDAP / DB integration
 +
 +Role & permission setup
 +
 +Token configuration
 +
 +**End-to-End Authentication & Authorization Flow**
 +
 +User authentication and token generation are handled by Keycloak, token validation is done at the gateway, and each backend service authorizes requests by checking permissions from the JWT token
 +
 +**Flow**
 +
 +User opens the application and initiates login.\\ React application redirects the user to Keycloak for authentication.
 +
 +**Keycloak (Login + Token)**
 +
 +User enters credentials.
 +
 +Keycloak verifies the user (via DB / LDAP).
 +
 +On success, Keycloak generates a JWT access token.\\ 
 +
 +**React UI (Receives JWT)**
 +
 +React receives the JWT token.
 +
 +\\ 
 +
 +**React UI → API Call**
 +
 +For every API request, React sends the JWT token in the request header:
 +
 +**API Gateway (Token Validation)**
 +
 +Gateway intercepts the request.
 +
 +Validates the JWT token:
 +
 +If the token is invalid → request is rejected.
 +
 +\\ 
 +
 +**Node Microservice (Permission Check)**
 +
 +Backend service reads roles/permissions from the JWT payload.
 +
 +Checks whether the user has the required permission for the API.
 +
 +If permission is missing → access denied (403).
 +
 +\\ 
 +
 +**Response**
 +
 +Node microservice sends the response back to the client through the gateway.
 +
 +React UI displays the result to the user.
  
solution_for_authentication_authorization.1769063313.txt.gz · Last modified: by sonali