Merry Microservices: Part 3 ‘Policy Service’–Application authorization management based on identity and permissions
This is the repository corresponding to Part 3 of the blog series Merry Microservices. It demonstrates the place for a “policy service” to manage the identity permissions (or policies) specific to each application in the architecture rather than overloading the JWT, at the Identity Provider level, with irrelevant permissions. Here, you'll find the following files and folders:
docker-compose.yml
spins up a Keycloak instance on port 9080 and a "policy service" on port 8080 thatnote
andgateway
will also usekeycloak.yml
andrealm-config
folder are from https://github.com/jhipster/jhipster-sample-app-oauth2/blob/master/src/main/dockernote
folder is a Spring Boot OAuth2 resource server app using Webflux and R2DBC that storesNote
entitiesgateway
folder is a Spring Cloud Gateway app with a React CRUD UI that handles the OAuth2/OIDC dance and relays requests to resource servers (e.g.note
)
- Start
keycloak
(port 9080) andpolicyservice
(port 8080)
docker-compose up
Of course, if you want users to be granted permissions for, say, CanRead
, CanReadConfidentialNotes
or Snowing
, you'll need to configure the "policy service" as per the Part 3 blog post. See "Dealing with an identity provider in Docker" below for challenges with Dockerized identity providers.
- Start
note
on port 8081
(cd note && ./mvnw spring-boot:run)
- Start
gateway
on port 8082
(cd gateway && ./mvnw clean package spring-boot:run -DskipTests)
Rather than just build and start the UI gateway on port 8082, we can split the frontend and backend for a better developer experience.
In one terminal, start the backend on port 8082
(cd gateway && ./mvnw clean spring-boot:run)
In another terminal, start the frontend on port 3000
(cd gateway && npm start)
Now, whenever you save your TypeScript files, you'll get hot-reloading in the browser.
In order to # to the Dockerized "policy service" using Keycloak, you'll need to add the following to your machine's hosts
file (details):
127.0.0.1 keycloak
If you're on a Mac, this will automatically append the line to your /etc/hosts
file:
sudo -- sh -c "echo '127.0.0.1 keycloak' >> /etc/hosts"
This is needed because you will access your application with a browser on your machine (which name is localhost
, or 127.0.0.1
), but inside Docker it will run in its own container, which name is keycloak
. Other than the extra configuration, another downside is that when you connect other services outside of docker, they won't be able to leverage the existing identity provider session (i.e. "SSO") since it's on "keycloak
" rather than "localhost
".