RBAC for frontend and backend using Keycloak

Opcito Technologies
4 min readSep 5, 2022


User authentication is necessary to safeguard your organization’s data and systems. Granting system/data access to a person that he is not supposed to access can be disastrous. A Verizon report suggests that 82% of breaches are caused due to human elements such as misuse, errors, and social attacks. Organizations have seen a growth of 13% in ransomware breaches — more than the last five years combined. In a world where data security tops the list of priorities for any organization, you must take measures to confirm the authenticity of the user before they gain access to your network and systems.

Keycloak is a fantastic identity and access management solution that helps organizations safeguard their networks by providing RBAC. Let’s dive deeper into Keycloak, look at how it supports RBAC, and learn how to set it up.

What is RBAC?

Role-based access control (RBAC) helps restrict users’ network access based on their organisational role and clearance level. Not all employees have access to all company-wide information. RBAC manages information access, ensuring employees can access only the information that they are supposed to.

With RBAC, organizations can easily add or change roles across operating systems, platforms, and applications without the need for paperwork. Roles can be either assigned, or access can be taken off, especially to keep a tab on external third-party users. Factors like responsibility, authorization, and job competency play a significant role in deciding who gets access to what. RBAC is vital to organizations with many employees, those who employ third-party vendors, contractors, and external consultants.

In a day-to-day scenario, every system has an admin and users. Both have set roles and accesses. For this example, I am going to consider admin and employees. If you log in as an admin then you should be able to add, edit or delete users. But for an employee, he won’t be able to update or delete other users. To make sure these roles and access stay functional you need RBAC.

In one of my earlier blogs, I have already talked about Customizing login and signup pages in Keycloak. Keycloak provides an easy authentication mechanism for services and applications. It follows industry-specified protocols and supports SAML 2.0, OpenID Connect (OAuth 2.0 + Authentication Layer) & OAuth 2.0. It uses its user database but can also be integrated with existing user directories like LDAP servers and Active Directory.

Let’s look at the steps to incorporate Keycloak for RBAC for the front-end and back-end.

Install & setup Keycloak 15.0.2

To start configuring the Keycloak settings for RBAC, install and set up Keycloak. This can be done either from the zip file or by using Docker.

Create Realm

Create a new Realm to start the RBAC configuration. A master Realm exists by default. You can add our test Realm by clicking on ‘add Realm.’ Add the Realm name and hit save.

Create user role

Create a role “admin” inside the roles. Set this role as the default role for all employees. Now, click on the role, and select the default role tab. You will see the employee role inside the available roles. Click on the role and hit the add-selected button. Your role will be selected as the default role for registered employees.

Create client

To handle the complete authorization, you will need two different clients. Let’s consider the first as a front-end client and the other as a back-end client.

Setup frontend client

For this client, you must set a mapper to get user roles in the user info API after logging in. Select the client, go to the mappers tab, and then click on create.

Select mappers type as user Realm role and make sure that your “Add to user info” option is enabled. All other settings like the main URL and logout URL will be the same.

Setup backend client

Create the new backend client by clicking on clients and then on create. Go inside the settings of that client and configure the below settings:

  • Client protocol must be OpenID-connect
  • Select access type as confidential
  • Enable the authorization tab

Save these settings, and a new authorization tab will appear on top.

Create scope

In the authorization tab, select the authorization scope and create some new scopes by clicking on create button. Example: scopes:list, scope:create

Create resource

In the resource tab, create new resource res: employee by clicking on create. Add the resource name and then select the scopes you want to assign this resource with. Hit save to save changes…read more.



Opcito Technologies

Product engineering experts specializing in DevOps, Containers, Cloud, Automation, Blockchain, Test Engineering, & Open Source Tech