Using Read Only / Anonymous features without using Keycloak

[udinnet]

Hi
Currently I have ROLE_BASED_AUTHZ_ENABLED, CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED and REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED enabled with Keycloak support. We have use-cases of

• Only allowed clients can write to the registry
• Any anonymous client should be able to read schemas

Is there a way to enable these features without having to use Keycloak? We're using Apicurio registry version 2.3.0

By looking at the code, I see a way by using registry.auth.role-source set to application. But I'm not sure this is something that can work when Kafka is used as the storage.

[carlesarnal]

Hi @udinnet, I recommend going through the documentation page about configuring authorization in Apicurio Registry. The short answer is no, you'll still need Keycloak for authentication. What setting role source to the application does is to allow you to manage the authorization roles within the application instead of Keycloak, but Keycloak is still required for authentication.

[EricWittmann]

Keycloak or some alternative IDP, right @carlesarnal ?

[carlesarnal]

Yes, I got the sense that this question was more about not using an IDP at all, validating both authn/authz in the application itself. @udinnet is that the right sense about your question?