Implementing Multi-Tenant Access Restriction with Keycloak and Istio


In our Keycloak setup, we manage multiple groups, each comprising subgroups such as owner, Accountant, Cashier, etc. A user can belong to multiple subgroups within a group, allowing for varied access levels. For instance, a user might have owner access in one group and Cashier access in another.


We authenticate users using JWT tokens issued by Keycloak, but we face a scenario where users with multiple access roles across different groups need to be restricted in their access across multiple tenants. We aim to enforce this access restriction using Istio. How can we achieve this effectively?

To start, we pass the scope value from client scopes using a mapper with user attributes, as depicted in the workflow diagram. In scenarios where a user possesses multiple access levels, such as account and owner, and is using the same token, accessing all microservices can pose a security risk. To mitigate this, we need to validate the group ID as well. In our case, the groups are dynamic values. How can I assist you further?
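Added illustration of the Istio side of this (not code from the question or from any of the projects involved): a mesh-wide RequestAuthentication that validates Keycloak-issued JWTs, and a per-tenant AuthorizationPolicy that only admits callers whose groups claim places them in that tenant. It assumes a namespace `tenant-a` for one tenant's microservices, placeholder Keycloak URLs, and that the Keycloak Group Membership mapper emits a `groups` claim containing full group paths such as `/tenant-a/owner`.

```yaml
# Assumed: Keycloak realm URL is a placeholder; the "groups" claim holds
# full group paths like "/tenant-a/Cashier" (Group Membership mapper with
# "Full group path" enabled). Namespace "tenant-a" is assumed.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: keycloak-jwt
  namespace: istio-system        # root namespace => applies mesh-wide
spec:
  jwtRules:
  - issuer: "https://keycloak.example.com/realms/REALM_PLACEHOLDER"
    jwksUri: "https://keycloak.example.com/realms/REALM_PLACEHOLDER/protocol/openid-connect/certs"
    forwardOriginalToken: true   # services can still read the token
---
# RequestAuthentication alone only rejects *invalid* tokens; requests with
# no token pass through. This ALLOW policy closes that gap: in tenant-a,
# anything not matched by a rule below is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: tenant-a-access
  namespace: tenant-a
spec:
  action: ALLOW
  rules:
  # Any tenant-a subgroup (owner, Accountant, Cashier, ...) may call
  # everything except the admin paths. "/tenant-a/*" is a prefix match,
  # so newly created subgroups are covered without editing the policy.
  - from:
    - source:
        requestPrincipals: ["*"]     # a valid JWT must be present
    to:
    - operation:
        notPaths: ["/admin/*"]
    when:
    - key: request.auth.claims[groups]
      values: ["/tenant-a/*"]
  # Admin paths: only the tenant-a owner subgroup.
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/admin/*"]
    when:
    - key: request.auth.claims[groups]
      values: ["/tenant-a/owner"]
```

A user who is owner in tenant A and Cashier in tenant B carries both paths in one token, but the tenant-b namespace policy only matches `/tenant-b/*`, so the tenant-a owner membership grants nothing there. Because an Istio condition cannot compare a claim against a path segment, dynamic tenants mean generating one such policy per tenant namespace (for example from a template), or delegating the check to an external authorizer via `action: CUSTOM`.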


There are 0 answers