DevSecOps Now!!!

devsecopsnow@gmail.com

Keycloak High-Level System Architecture for Wizbrand

Posted by

Ashwani Kumar

Limited Time Offer!

For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!

Enroll Now

High-Level System Architecture — “who talks to whom”

1. Access app (User → wizbrand-web)
The user opens your Laravel frontend (wizbrand-web). If there’s no signed-in session, the app will trigger OIDC login (next step).

2. OIDC Auth (wizbrand-web → Keycloak)
wizbrand-web redirects the browser to Keycloak (realm: wizbrand) using Authorization Code + PKCE.
Purpose: prove user identity and get tokens (ID, Access, Refresh).

3. Tokens back (Keycloak → wizbrand-web)
Keycloak calls back to your redirect URI with a code. Your backend exchanges it for tokens that include custom claims:

  • org_memberships: per-org roles like ORG_ADMIN|ORG_MANAGER|ORG_USER
  • tenant_ids: convenience list of the user’s org IDs
  • (preferred_org: added later after org selection)

4. API calls (wizbrand-web → wizbrand-api)
Your frontend (or server side) calls your API with the Access Token (audience includes wizbrand-api).
The API verifies the JWT (JWK), checks aud, exp, and authorization (role + current org).

5. Access sidecar app (User → oauth2-proxy)
For SEO panel, Navidrome, FileBrowser, Piwigo, the user hits a gateway/proxy first (e.g., oauth2-proxy, Traefik ForwardAuth, or Envoy). This proxy is an OIDC client of Keycloak.

6. OIDC (silent/login) (oauth2-proxy ↔ Keycloak)
If the browser still has a Keycloak SSO session, the proxy does silent auth; otherwise it shows the Keycloak login screen. No separate app accounts are needed.

7. Tokens to proxy (Keycloak → oauth2-proxy)
Keycloak issues tokens (with the same claims). The proxy validates them and enforces tenant & role.

8. Forward identity & org headers (oauth2-proxy → Sidecar app)
If authorized, the proxy forwards identity as headers to the sidecar app, for example:

  • X-User-Id: <sub>
  • X-User-Email: <email>
  • X-Org-Slug: <preferred_org> (or org from path/host)
  • X-Org-Roles: ORG_ADMIN,ORG_MANAGER
    The sidecar apps can stay mostly unmodified; the proxy does the authZ gate.

(Dashed) Optional: entitlements API (wizbrand-api → proxy)
If you want extra checks (quotas/features per org), the proxy can call your API to fetch entitlements before allowing access.

Provisioning/Sync Worker → Keycloak
Your backend “worker” (or admin microservice) uses the Keycloak Admin API to:

  • create Groups /orgs/{org_slug} with attributes (org_id, plan, features[])
  • add/remove users to those groups
  • map per-org roles (ORG_ADMIN|ORG_MANAGER|ORG_USER)
Post Views: 25
, , , ,

Ashwani Kumar

Senior Software Development Engineer and Manager at Cotocus

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Recent Posts

Categories

Tags

Best DAM Software best Digital Asset Management Commands DAM DAM Software Devops DevSecOps Digital Asset Management Error flutter Git How How to Register Your Bike Keycloak laravel laravel 10 Laravel Error Linux linux command linux commands MySql php Solution tools Top 10 Commands Top 10 Linux Commands Troubleshooting What Why Xampp

0
Would love your thoughts, please comment.x
()
x