This is an automated archive.

The original was posted on /r/golang by /u/JetFuelCereals on 2023-09-02 00:24:56+00:00.


For the past 10 days I’ve been reading large amounts of material about OAuth, OIDC and Keycloak. I know I’m listing here far too many questions for a single post. Any help will be appreciated. So far I managed:

  • To understand the general concepts
  • To start and launch keycloak in docker
  • To ask for an Access Token via curl
  • To research which connector/client I should be using. I found gocloak.
  • Afaik, there is no official keycloak adapter for Go. Most go tutorials showcase gocloak.

I’m working on a gateway + microservices setup. I use both GRPC and Kafka to connect to the microservices.

  • I intend to use the gateway as the public REST API where the FE can’t contact the authorisation and token endpoints (resources).
  • I guess it would also be good if the gateway hides the keycloak instance by mirroring its authorisation endpoints.

Some of my conclusions about gocloak.

  • Far more usage than tbaehler/gin-keycloak. It also seems to be rather imperative, unlike tbaehler/gin-keycloak, which is more declaratively oriented. tbaehler/gin-keycloak integrates into the go-gin API. gocloak doesn’t seem to care which HTTP request handler is used. I find this approach better.
  • The readme is rather skinny, and provides little guidance. It has a bunch of examples but they are somewhat confusing (little guidance given).
  • Just by looking at the models list it’s immediately obvious that this library has far greater support for the features present in keycloak.
  • GPT: GoCloak, being a client library for Keycloak, should be capable of interacting with Keycloak’s OIDC capabilities. You can use GoCloak to perform various tasks related to OIDC, such as user authentication, token issuance, and access control.

Now my issue is that I can’t find a decent example showcasing how to implement the authorisation flow in golang using gocloak. I’ve searched a lot on the web and I can’t find much on the topic. At the moment I don’t have much expertise to start rolling my own patterns. I’d like to follow some established examples instead of me doing guesswork.

This is what I’ve found so far in go:

  • Keycloak with Go web-services. Why not? - Just the early part to configure keycloak. Not much, just some obvious stuff like realm, client, simple user. It uses mux and I use go-gin. Therefore I can’t go too deep here. It provides a basic overview on how things should work but does not properly explain the theory.
  • Building Micro-services in Go using Keycloak for Authorisation - Once again, it’s focused on gorilla/mux. Also using gorm. Provides a nice overview of the various layers: req, model, db. Uses interceptors pattern. Gets the secret from env (good). Showcases only the authorization part. No details about access rights.
  • Awesome Keycloak Curated List - A large list of resources. Sadly not much about golang.

Extra Question: How to design a complex permissions system?

I’m also interested in your advice on how I could go about implementing a more complex system of access rights/permissions. I’m trying to reproduce the way discord works: Users have custom defined roles at discord server level. Each channel can have its own permissions/roles. There’s a complex system that computes if a user is allowed to edit/delete a resource.

  • Somehow I feel that roles and groups in keycloak won’t cut it. Mostly because each community can define its own roles.
  • I don’t see it done with realms either. That’s because using realms means that you can’t share users between “discord servers/communities”. It’s more like in Jira cloud where each company has its own users, roles, resources, etc.
  • Also setting up clients for each community feels really bad. Clients afaik should be fine-tuned for your actual builds. I use Flutter so I’ll probably have only one client for now.
  • This basically means I’d have to write my own logic in go and in the db such that I can map all these relations at granular level. What I’m afraid of is what if I mess it up somehow and I expose access to the wrong users. Any advice about this issue?

TLDR I need an example on how to write the authorisation and token endpoints using the gocloak lib in golang. I’m also interested in learning how I could authorise users to edit resources in a complex scenario (for example editing messages on discord via different roles).
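Since the post asks for an example of the authorisation and token endpoints on the gateway side, here is an added example that is not OP's code and not gocloak's. It uses only the Go standard library, so it drops into any router (gin included) by registering `BeginLogin` and `CompleteLogin` behind a `/login` and a `/callback` handler. It implements the OIDC Authorization Code flow with PKCE from the gateway's point of view: the FE is redirected to Keycloak's `auth` endpoint, and the gateway alone holds the `state`, the PKCE verifier, the client secret and the resulting tokens. The realm URLs, client id/secret and redirect URI are placeholders; the in-memory `pending` map stands in for a store with expiry. The same token-endpoint exchange is what a client library does for you; seeing it in plain `net/http` makes clear which values must never reach the browser.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// OIDCConfig: realm endpoints plus the gateway's confidential client (placeholders; load from env).
type OIDCConfig struct {
	AuthURL      string // https://<keycloak>/realms/<realm>/protocol/openid-connect/auth
	TokenURL     string // https://<keycloak>/realms/<realm>/protocol/openid-connect/token
	ClientID     string
	ClientSecret string
	RedirectURI  string // the gateway's own /callback, registered on the Keycloak client
}

// Gateway mirrors the authorisation endpoints so the FE only ever talks to the gateway.
type Gateway struct {
	cfg     OIDCConfig
	client  *http.Client
	mu      sync.Mutex
	pending map[string]string // state -> PKCE verifier; production needs a store with a TTL
}

func NewGateway(cfg OIDCConfig) *Gateway {
	return &Gateway{cfg: cfg, client: &http.Client{Timeout: 10 * time.Second}, pending: map[string]string{}}
}

// randomToken returns 256 bits from crypto/rand as a URL-safe string (used for state and verifier).
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallenge derives the S256 PKCE challenge from a verifier (RFC 7636).
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BeginLogin builds the Keycloak URL the FE is redirected to; only the hashed challenge leaves the gateway.
func (g *Gateway) BeginLogin() (string, error) {
	state, err := randomToken()
	if err != nil {
		return "", err
	}
	verifier, err := randomToken()
	if err != nil {
		return "", err
	}
	g.mu.Lock()
	g.pending[state] = verifier
	g.mu.Unlock()
	q := url.Values{"response_type": {"code"}, "client_id": {g.cfg.ClientID}, "redirect_uri": {g.cfg.RedirectURI},
		"scope": {"openid"}, "state": {state}, "code_challenge": {CodeChallenge(verifier)}, "code_challenge_method": {"S256"}}
	return g.cfg.AuthURL + "?" + q.Encode(), nil
}

type TokenResponse struct { // the part of the token endpoint's JSON reply this example uses
	AccessToken string `json:"access_token"`
}

// CompleteLogin handles the callback: it rejects unknown or replayed state values (the CSRF
// check on the callback) and exchanges the code together with the stored verifier.
func (g *Gateway) CompleteLogin(state, code string) (*TokenResponse, error) {
	g.mu.Lock()
	verifier, ok := g.pending[state]
	delete(g.pending, state) // single use, so a replayed callback fails below
	g.mu.Unlock()
	if !ok || code == "" {
		return nil, fmt.Errorf("unknown state or missing code")
	}
	resp, err := g.client.PostForm(g.cfg.TokenURL, url.Values{
		"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {g.cfg.RedirectURI},
		"client_id": {g.cfg.ClientID}, "client_secret": {g.cfg.ClientSecret}, "code_verifier": {verifier},
	})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	return &tr, nil
}
```

Wiring is the obvious part: the `/login` handler calls `BeginLogin` and issues a 302 to the returned URL; the `/callback` handler reads `state` and `code` from the query, calls `CompleteLogin`, and then hands the FE an HttpOnly session cookie that the gateway maps to the access token rather than exposing the raw token. What this example deliberately leaves out is token validation on later requests: the gateway should verify each access token's signature against the realm's JWKS and check `iss`, `aud` and `exp` before trusting any claim in it.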
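For the Extra Question, an added example (not from the post, Keycloak or gocloak) of the Discord-style resolution in plain Go. Keycloak stays the authentication source, and the application database holds each community's own roles, memberships and per-channel overwrites; the resolver below is the piece that decides whether a user may act on a resource. It is deny-by-default (non-members, unknown channels and channels the user cannot see all resolve to no permissions), applies overwrites in the order Discord documents (`@everyone`, then all role denies before all role allows, then the member-specific overwrite), and lets an administrator role bypass overwrites. The community, users and channels are constructed sample data.

```go
package main

import "fmt"

// Perm is a permission bitset: one bit per right, so a role is just a Perm.
type Perm uint64

const (
	PermViewChannel Perm = 1 << iota
	PermSendMessages
	PermManageMessages // edit or delete other people's messages
	PermAdministrator  // bypasses every channel overwrite, as on Discord
)

const everyoneRole = "@everyone"

// Overwrite is a per-channel exception for one role or one member.
type Overwrite struct{ Allow, Deny Perm }

type Channel struct {
	RoleOverwrites   map[string]Overwrite // role id -> overwrite
	MemberOverwrites map[string]Overwrite // user id -> overwrite
}

// Community is one "discord server"; each community defines its own roles.
type Community struct {
	Roles    map[string]Perm     // role id -> base permissions; must contain everyoneRole
	Members  map[string][]string // user id -> role ids (everyoneRole is implicit)
	Channels map[string]*Channel
}

// EffectivePermissions resolves what userID may do in channelID. Anything not granted
// is denied: non-members, unknown channels and hidden channels yield 0. Overwrites apply
// in Discord's order: @everyone, then all role denies before all role allows, then member.
func (c *Community) EffectivePermissions(userID, channelID string) Perm {
	roles, member := c.Members[userID]
	ch, exists := c.Channels[channelID]
	if !member || !exists {
		return 0
	}
	perms := c.Roles[everyoneRole]
	for _, r := range roles {
		perms |= c.Roles[r]
	}
	if perms&PermAdministrator != 0 {
		return ^Perm(0)
	}
	if ow, ok := ch.RoleOverwrites[everyoneRole]; ok {
		perms = (perms &^ ow.Deny) | ow.Allow
	}
	var allow, deny Perm
	for _, r := range roles {
		if ow, ok := ch.RoleOverwrites[r]; ok {
			allow, deny = allow|ow.Allow, deny|ow.Deny
		}
	}
	perms = (perms &^ deny) | allow
	if ow, ok := ch.MemberOverwrites[userID]; ok {
		perms = (perms &^ ow.Deny) | ow.Allow
	}
	if perms&PermViewChannel == 0 {
		return 0 // cannot see the channel, so cannot act in it
	}
	return perms
}

// CanEditMessage is one resource rule: authors may edit their own message while they
// can still post in the channel; editing anyone else's needs ManageMessages.
func (c *Community) CanEditMessage(userID, channelID, authorID string) bool {
	p := c.EffectivePermissions(userID, channelID)
	if userID == authorID {
		return p&PermSendMessages != 0
	}
	return p&PermManageMessages != 0
}

// SampleCommunity is constructed test data, not taken from any real deployment.
func SampleCommunity() *Community {
	return &Community{
		Roles:   map[string]Perm{everyoneRole: PermViewChannel | PermSendMessages, "mod": PermManageMessages, "owner": PermAdministrator},
		Members: map[string][]string{"alice": {"mod"}, "bob": {}, "carol": {"owner"}, "dave": {}},
		Channels: map[string]*Channel{
			"general": {MemberOverwrites: map[string]Overwrite{"dave": {Deny: PermSendMessages}}}, // dave is muted
			"staff": {RoleOverwrites: map[string]Overwrite{
				everyoneRole: {Deny: PermViewChannel}, "mod": {Allow: PermViewChannel},
			}}, // hidden from everyone except the mod role
			"announce": {
				RoleOverwrites:   map[string]Overwrite{everyoneRole: {Deny: PermSendMessages}},
				MemberOverwrites: map[string]Overwrite{"bob": {Allow: PermSendMessages}}, // only bob may post
			},
		},
	}
}

func main() {
	c := SampleCommunity()
	fmt.Println("alice edits bob's post in #general:", c.CanEditMessage("alice", "general", "bob")) // true
	fmt.Println("bob edits alice's post in #general:", c.CanEditMessage("bob", "general", "alice")) // false
}
```

The point of funnelling every decision through one resolver is the fear voiced in the post: a single function is something you can cover with table-driven tests for every role/overwrite combination, and the gRPC interceptors and Kafka consumers in the microservices can call the same function instead of each re-implementing the rules. The bitset representation also maps directly onto a database row per role and per overwrite.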