I have a setup like this:
- Keycloak OIDC Server for Identity and Access Management Service - Running in Cloud - A
- Backend RESTful Microservices - Running in Cloud - B
- Backend RESTful Microservices - Running in On-prem servers across multiple locations - C
- User Mobile app - Multiple users across locations - X
- User web app - Multiple users across locations - Y
- X, Y uses Password grant to access B - i.e. X, Y calls login API of B with username and password; B gets the access token from Keycloak and then sends it in response and they (X,Y) use it for further API calls towards B to get authorized.
Now, this is the doubt that I have:
- Should we do the same for C? i.e. Should there be an API in B available for C to call to post the client-id and client-secret (client-credentials grant), to get the access token? Is this a good pattern/ valid implementation?
The need for this method of access:
- Ops team is planning to hide A from being exposed to the internet. So, B will be acting as an abstraction layer for it.
- Is keeping the IAM service from being exposed to internet a good idea? I have never seen an IAM service, abstracted before. Please clarify.
HOSTING
The usual hosting best practice is to place the Identity system behind a reverse proxy / gateway such as NGINX Plus. This is because the Identity system connects to sensitive data sources, whereas the reverse proxy can be the entry point, eg in a DMZ. You can then limit the OIDC endpoints exposed to the internet.
Avoid writing home grown proxying to the Identity system. since that is likely to be less resilient than a battle tested system such as NGINX. See the IAM Primer for an overview.
SECURITY DESIGN PATTERNS
A reverse proxy also supports plugins that can do many utility security jobs, such as translating secure cookies to access tokens. So it is a highly useful part of the architecture. See this article for an example plugin using the high level LUA programming language.