Keycloak: Identity & Access Management

Secure your microservices with industrial-strength OIDC/JWT authentication powered by Keycloak.

Centralized Identity

Identity management is a first-class citizen in GO-DUCK. Every microservice is pre-configured to validate JSON Web Tokens (JWT) issued by Keycloak. This ensures that only authenticated users and services can access your data.

JWT Validation & Security

The generated middleware.JWTMiddleware() handles several critical security tasks:

  • Digital Signature Verification: Validates the token's signature against Keycloak's published public keys (JWKS), so a token not issued by the realm is rejected before any of its claims are used.
  • Expiration Enforcement: Ensures tokens are still within their valid time window.
  • Role Extraction: Seamlessly extracts user roles and injects them into the Gin context for downstream authorization.
  • Context Safety: Populates KeycloakID in the context from the verified token's subject, so the audit and metering modules rely on a verified identity rather than a request header that a caller could spoof.

Authorization: Beyond simple authentication, the middleware extracts the realm_access.roles from the token. You can use these roles to implement fine-grained RBAC inside your controllers.

Configuration

Connecting your GO-DUCK app to Keycloak is a simple matter of YAML configuration:

go-duck:
  security:
    oidc:
      issuer: "http://keycloak:8080/realms/go-duck-master-app"
      client-id: "backend-service"
      # JWKS endpoint serving the realm's public keys; the middleware uses it to verify token signatures
      jwks-url: "http://keycloak:8080/realms/go-duck-master-app/protocol/openid-connect/certs"

External Resources