wiki

Internal company logins

Simple username/password authentication

LDAP (Lightweight Directory Access Protocol) is a central user directory

It only verifies username and password

It tells the application YES / NO (valid user or not)

User enters username & password

Application sends credentials to LDAP

LDAP verifies user

LDAP returns YES / NO

Application creates its own session

No social login

No JWT / access tokens

No Single Sign-On (SSO)

Hard to manage roles & permissions dynamically

Old technology

Weak for modern APIs and mobile applications

Not provide any public api for authentication or user management

Keycloak is an open‑source identity and access management server developed by Red Hat.Keycloak is OpenID Connect–based.

User login

Roles & permissions management

JWT token generation

Single Sign-On (SSO)

Application → redirects to Keycloak → user logs in → application receives JWT token

We can customize the Keycloak login page using our own theme. We can also manage users through the Keycloak admin interface or by calling Keycloak APIs from our system.

Language independent (works with any backend)

Open-source

GUI‑based role & user management

No role & permission stored in application DB

No role & permission hardcoded in code

SSO ready

Highly scalable

Provide public apis.

Login API

Token generation

Token validation

Create user

Assign role

Update user

Disable user

User clicks Login on application

User is redirected to Keycloak login page

User enters credentials

Keycloak verifies user

Keycloak generates JWT token

User is logged into the application

User data stored in LDAP

Login handled by Keycloak

Keycloak validates user from LDAP

Keycloak issues JWT token to application

No user database in application

No passwords stored in application

Centralized authentication & authorization

But for Keyclock we need to install a keyclock in our server & need to run on another port.

We can install under Same domain

Step : install → run → connect with PHP

User & Role Hierarchy – Keycloak Integration

Keycloak can fully support our existing role and permission structure without any limitation.

Our application currently has the following user roles, each with different permissions:

Super Admin

Our Agents

Admin

SPOC

Approver

Employee

How Roles Will Be Managed in Keycloak

Each existing role will be created in Keycloak as a Realm Role:

ROLE_SUPER_ADMIN

ROLE_TAXIVAXI_AGENTS

ROLE_ADMIN

ROLE_SPOC

ROLE_APPROVER

ROLE_EMPLOYEE

Each user will be assigned one main role based on their type.

How Permissions Will Be Managed

Permissions (what a user can do) will be managed separately using Client Roles.

Create booking

View booking

Approve booking

View invoices

Access admin panel

View reports

This allows flexibility without changing application code.

Role & Permission mapping

SPOC

CREATE_BOOKING

EMPLOYEE

CREATE_BOOKING

After successful login, the system receives a JWT token from Keycloak containing the user’s roles and permissions.

Example: SPOC Token

{

"roles": ["ROLE_SPOC"],

"permissions": ["CREATE_BOOKING",”VIEW_BOOKING”]

}

Example: Employee Token

{

"roles": ["ROLE_EMPLOYEE"],

"permissions": ["CREATE_BOOKING"]

}

Then our system will check if there is an option create booking then show create booking option.

if (userHasPermission('CREATE_BOOKING')) {

  showCreateBookingButton();

}

If One user has multiple roles:

So permissions should depend on the selected role at login time, not on all roles together.

How it works

User logs in

The system asks: “Login as which role?”

Approver

Employee

SPOC

User selects one role

Keycloak issues JWT token only with permissions of the selected role

Application uses that token

Authentication & Authorization for Microservices

Keycloak fits very well for microservices.Keycloak acts as a central authentication & authorization server.

User logs in via Keycloak

Keycloak verifies credentials

Keycloak issues JWT token

Token is sent with every API request

Each microservice:

Reads permissions from JWT

Allows or denies access

Keycloak with Multiple Microservices

One login for all services (SSO)

Same token works across services

No duplicate user DBs

Operational Complexity (Learning & Adoption Effort)

For developer

Basic Keycloak concepts (Realm, Client, Roles)

JWT token structure

Token validation in services

GUI-based user & role management

Keycloak installation

LDAP / DB integration

Role & permission setup

Token configuration

End-to-End Authentication & Authorization Flow

User authentication and token generation are handled by Keycloak, token validation is done at the gateway, and each backend service authorizes requests by checking permissions from the JWT token

Flow

User opens the application and initiates login.
React application redirects the user to Keycloak for authentication.

Keycloak (Login + Token)

User enters credentials.

Keycloak verifies the user (via DB / LDAP).

On success, Keycloak generates a JWT access token.

React UI (Receives JWT)

React receives the JWT token.

React UI → API Call

For every API request, React sends the JWT token in the request header:

API Gateway (Token Validation)

Gateway intercepts the request.

Validates the JWT token:

If the token is invalid → request is rejected.

Node Microservice (Permission Check)

Backend service reads roles/permissions from the JWT payload.

Checks whether the user has the required permission for the API.

If permission is missing → access denied (403).

Response

Node microservice sends the response back to the client through the gateway.

React UI displays the result to the user.