The answer to this question usually involves questions such as the following:
- Who is the user?
- What data is associated with the user?
- What are the constraints for accessing the resource?
By having the answers to these three questions, we can then decide if access should be granted based on the data associated with the user, and the constraints that govern access to the resource.
As an identity provider, Keycloak issues tokens to your applications. As such, applications should expect authorization data from these tokens. Tokens issued by Keycloak carry information about the user and the context in which the user was authenticated; the context may contain information about the client the user is using or any other information gathered during the authentication process.
The constraints, however...