Roles defined in OAuth 2.0:

  • Resource owner
  • Resource server
  • Client
  • Authorization server

Which flow to use:

  • Client Credentials flow if the application accesses the resource on its own behalf (the application itself is the resource owner)
  • Device flow if the application runs on a device without a browser or with constrained input (e.g. a smart TV)
  • Otherwise Authorization Code flow (with PKCE for public clients such as SPAs and native apps, which cannot keep a client secret).

Do not use Implicit flow or Resource Owner Password Credentials flow at all: Implicit flow exposes tokens in the browser URL, and Resource Owner Password Credentials hands the user's password to the client.

Strategies that can be used to limit what a specific access token is allowed to do:

  • Audience
  • Roles
  • Scope

To verify an access token:

  • Retrieve the signing key from the issuer's JWKS endpoint (select it by the kid in the token header; pin the expected algorithm rather than trusting the header's alg)
  • Verify the signature
  • Verify that the token is not expired
  • Verify the issuer, audience and type of token
  • Verify any other claims that your application cares about (e.g. scope or roles)

Internal (first-party) applications are those owned by the enterprise. They may be self-hosted or SaaS. No user consent is needed.

External (third-party) applications should require the user's consent.

Possible architectures of an application we are securing:

  • Server side
  • SPA (Single Page Application) with dedicated REST API under the same domain.
  • SPA with an intermediary API under the same domain (which in turn may call external APIs)
  • SPA with external API

Securing native and mobile applications. Ways to return the authorization code to the application:

  • Claimed HTTPS scheme. The native application claims an HTTPS URL (like ); such URLs then open in the app instead of the browser.
  • Custom URI scheme. Such a request is opened by the application registered for the scheme. Example: .
  • Loopback interface. The application opens a temporary web server on a random port, e.g.
  • Special redirect URI, i.e. urn:ietf:wg:oauth:2.0:oob - the authorization code is displayed by Keycloak for manual copy & paste.

Example authorization strategies:

  • role-based access control (RBAC). Keycloak has realm-level and client-level roles.
  • group-based access control (GBAC)
  • OAuth2 scopes
  • attribute-based access control (ABAC)

Keycloak can act as a centralized authorization service through a functionality called Authorization Services.

For a production setup:

  • properties.frontendUrl
  • properties.forceBackendUrlToFrontendUrl
  • properties.adminUrl (make it a private URL, not reachable from the internet)
  • TLS
  • production database (encryption in transit and at rest)
  • possibly clustering and load balancing
  • password policy
  • enable refresh token rotation
  • use ECDSA (Elliptic Curve Digital Signature Algorithm) for signatures instead of RSA

Keycloak uses Apache FreeMarker for templates.