Hello everyone, is it possible to give users access or deny access to clients without this extension? If there is a possibility, I would be very grateful for further information and procedures.
Hi Niko. First of all, nice feature. However, I have 2 questions:
1. Would a user who is unauthorized, by not having the role or not complying with the policy, count as a failed attempt in the Brute Force Protection feature? I mean, would a user unsuccessfully attempting to log in several times be temporarily blocked?
2. In that case, isn't it an error to make this kind of check in the Authentication flow? In my mind, this is more related to an authorization check and it should be separate.
Willing to hear your opinion on this.
Hi Niko. The final conclusion was: Prefer to put the RBAC into the application. Would be interesting to hear your thoughts when looking at some kind of service mesh inside Kubernetes. Is it a good idea to externalize the RBAC or some other kind of access policy to a sidecar proxy? And if so, how would Keycloak be integrated in such a scenario?
If you look at the sidecar as part of your application (which it is, IMHO, as it is a sidecar to your app), then this would be a possible solution. Keycloak is good for authentication, not for authorization.