If anyone is interested how to implement user authentication and role-based authorization in a Hilla app using Keycloak and OAuth 2.0, here are two examples:
Hilla with Keycloak and the Authorization Code Flow of OAuth 2.0
When using the Authorization Code Flow, authentication takes place via a Keycloak user interface. Other authentication options, such as MFA, can be added or configured via Keycloak in this case.
Hilla with Keycloak and the Resource Owner Password Flow of OAuth 2.0
When using the Resource Owner Password Flow, authentication takes place via a Hilla user interface. In this case, you have more control over the user experience and users are not redirected to another application to log in there.
That’s really nice-looking documentation! One thing I’d maybe emphasize is that you can add security checks for any backend service invocations for additional hardening. That way you’re not only relying on the endpoint security.
That’s the endpoint security, yes. Once you have multiple endpoints with different security measures, though, you need to be careful that the endpoint service Java code doesn’t accidentally invoke any other services that should be restricted from the current user. You can check the current Principal’s roles before the service invocations to make sure that doesn’t happen.
,
Thank you for describing it again. I agree with you, of course.