My LDAP server is the source of truth for my org's user/password (authentication) and user-group membership (authorization) data. I'd like to upgrade to an IdP like Keycloak.
It seems straightforward to have Keycloak proxy the authentication via OIDC but it's less clear to me how to get apps to check with Keycloak to determine if user X is in group Y and is therefore allowed to access resource Z. The main benefit in a setup like this is the ability to query a single source of truth when it's necessary to audit a user's capabilities within the org.
Is this an achievable or reasonable use case for Keycloak? Or should I integrate my apps around a different Zanzibar clone which is designed to quickly serve granular permissions?
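As an added example (not part of the original post), here is how an app can make the "is user X in group Y, so may access resource Z" decision from a Keycloak access token. It assumes the Keycloak client has a Group Membership protocol mapper with "Full group path" enabled, so the token carries a `groups` claim of paths such as `/engineering/sre`; the resource-to-group policy table is a constructed placeholder, and signature verification of the JWT is done by your JWT library before the claims reach this code.

```python
import time
from typing import Any, Iterable, Mapping, Optional

# Constructed demo policy (hypothetical): each resource is allowed for members
# of the named Keycloak group or of any subgroup beneath it.
RESOURCE_POLICY = {
    "reports": "/finance",
    "deploy": "/engineering/sre",
}


def is_member(groups: Iterable[str], required: str) -> bool:
    """True if any full group path equals `required` or lies beneath it.

    Keycloak emits full paths like '/engineering/sre/oncall' when the
    Group Membership mapper has 'Full group path' enabled, so a prefix
    check on the path boundary covers nested subgroups without matching
    unrelated groups such as '/engineering/sre-legacy'.
    """
    prefix = required.rstrip("/") + "/"
    return any(g == required or g.startswith(prefix) for g in groups)


def authorize(claims: Mapping[str, Any], resource: str, audience: str,
              now: Optional[float] = None) -> bool:
    """Decide access for one resource from already signature-verified claims.

    Besides group membership, the token must be unexpired and issued for
    this app's audience; a valid token for another client is rejected.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        return False
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False  # unknown resource: deny by default
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        return False
    return is_member(groups, required)
```

Auditing "what can user X do" then reduces to walking the user's group paths in Keycloak against this policy table, which is the single source of truth the question asks for.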