Using Keycloak as a centralized authorization server
So far, you have been presented with authorization strategies that rely on a specific access control mechanism. Except for ABAC, these strategies rely on a specific set of data about the user to enforce access in applications. In addition to that, those strategies are tightly coupled with your applications, where changes to your security requirements would require changes in your application code.
As an example, suppose you have the following pseudo-code in your application:
If (User.hasRole("manager") { // can access the protected resource }
In the preceding code, we have a quite simple check using RBAC where only users granted a manager
role can access a protected resource. What would happen if your requirements changed and you also needed to give access to that same resource to a specific user? Or even grant access to that resource for users granted some other role? Or perhaps leverage...