Role-Based Access Control with Keycloak
Configure and use role-based access control (RBAC) with Flipt, Keycloak, and OPA.
As described in the Authorization Overview, Flipt supports the ability to secure its core API routes with authorization in a flexible and extensible way.
This guide will cover how to configure and use role-based access control (RBAC) with Flipt with a Rego policy configured for an imaginary organization using Keycloak for authentication.
Role-based access control (RBAC) is not a feature of Flipt itself but rather a pattern that can be implemented using Flipt’s authorization system via OPA.
What You’ll Learn
- 🔒 How to set up Keycloak for authorization
- 🔑 How to create a Rego policy for RBAC with Flipt
- ⚙️ How to configure Flipt to use the policy for authorization
Prerequisites
For this guide, you will need:
- Docker
- Follow the Login with Keycloak guide to set up Keycloak for authentication
Setting Up Keycloak
To set up Keycloak for authorization, you’ll first need to create a new realm, client, and user.
Step 1: Follow the Login with Keycloak Guide
Follow the Login with Keycloak guide to set up Keycloak for authentication.
This guide will walk you through setting up Keycloak and creating a realm, client, and user that you will use for this guide.
Step 2: Create a Realm Role
- Login to Keycloak as an admin user.
- Click on the
Realm Roles
tab. - Click
Create Role
. - Enter
developer
as the role name and description and clickSave
.
Step 3: Assign the Role to a User
- Click on the
Users
tab. - Click on the
user
user. - Click on the
Role Mappings
tab. - Click
Assign Role
. - Select the
developer
role and clickAssign
.
Step 4: Map Client Scopes
Map the roles
scope to the flipt
client:
- Click on the
Clients Scopes
tab. - Click on
roles
in the list of client scopes. - Click on the
Mappers
tab. - Click on
realm roles
in the list of mappers.
- Set the
Token Claim Name
field to something short likeroles
. - Set the
Claim JSON Type
field toString
. - Toggle on
Add to ID token
. - Click
Save
.
Configuring RBAC in Flipt
To configure RBAC with Flipt, you will need to define a Rego policy that enforces the roles and permissions for your organization.
Here’s an example of a simple policy that checks whether a user has the developer
role:
In this example, the policy checks if the user has the developer
role. If the user has the developer
role, the policy will allow the request. Otherwise, the request will be denied.
The authentication
input is provided by Flipt to OPA and contains the authentication information for the request. This information is specific to the authentication method used to authenticate the request.
More complex policies can be defined to enforce fine-grained access control based on your organization’s requirements. For example, you could define policies that check for specific roles and permissions for different resources or actions.
An example policy that allows users with the developer
role to have full access to the Management API and users with the viewer
role to have read-only access might look like this:
Step 1: Write the Rego Policy
- Create a new file called
policy.rego
with the following content:
Step 2: Configure Flipt to Use the Policy
Update the flipt.yaml
configuration file from the Login with Keycloak guide to enable authorization and specify the path to the Rego policy file:
Step 3: Run Flipt
You can now start your Flipt instance using the following command:
Testing the Policy
To test the policy, login to Flipt using the user you created in Keycloak. If the user has the developer
role, they should be able to access the Flipt Management API.
You can create a new user in Keycloak that does not have the developer
role to test that the policy is working as expected.
If the user does not have the developer
role, they should receive an error message in the UI or API response.
Conclusion
In this guide, you learned how to configure and use role-based access control (RBAC) with Flipt using a Rego policy and Keycloak for authentication.
By defining a Rego policy that enforces the roles and permissions for your organization, you can secure your Flipt instance and control access to your feature data with fine-grained permissions and infinite flexibility.
For more information on Flipt’s authorization system and how to configure and use it, see the Authorization Overview.
In the future we plan to provide more examples and best practices for using Flipt’s authorization system with different authentication providers and use cases. If you have any feedback or suggestions for how we can improve this guide, please let us know!
Was this page helpful?