How to support anonymous user in web application?

  softwareengineering

I work for a publishing company that also provides content distribution to their users. In order to access a piece of content the user must be entitled to do so. Traditionally this authorization check has been done in several different ways (most of them legacy, insecure and, tbh, very ugly). We do support username and password authentication but this is by far the least common way used for gaining access to content. For the sake of this post let’s assume that the only alternative is for a user to reach our product from a company’s internal portal – we call this “Referral access”.

We are now trying to leverage existing Identity and Access Management (IAM) solutions (trying Keycloak, at the moment) which works fine for the cases where a User authenticates themselves (possibly using username/password). The problem is that, for legacy reasons, we also need to support that:

  1. an Anonymous user can use “Referral access” to gain access to a piece of content.
  2. a Logged in user can expand their entitlements by using “Referral access” to access content that their company paid for.

So my question is: Is it a good idea to have Keycloak issue web sessions for an “anonymous” user?

My idea was to have a known (and anonymous) user in Keycloak that would be used to hold all anonymous user’s web sessions. We could then include in each session (anonymous or not) a list with extra company ids that would be populated regardless of the user being logged in or not.

I think that all this is technically possible but it doesn’t feel very correct so I was looking for guidance in the right direction…

Does anyone have some tips and/or know where I can find more information about this?

I have dealt with this by creating a ‘Public User’ and auto-logging in any non-authenticating requests as this user.
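A minimal model of the session design from the question (one shared anonymous subject, with a per-session list of referral company ids that is filled regardless of login) using the answer's ‘Public User’ as that subject. This is an added example, not code from the question, the answer or Keycloak; the class and function names, the `ValueError` guard and the `demo` data are assumptions.

```python
from dataclasses import dataclass, field

# The single shared account that holds every anonymous web session
# (the "known anonymous user" in the question / "Public User" in the answer).
ANONYMOUS_SUBJECT = "public-user"


@dataclass
class Session:
    subject: str                                  # Keycloak subject, or ANONYMOUS_SUBJECT
    own_company_ids: frozenset = frozenset()      # entitlements held by the user's own account
    referral_company_ids: set = field(default_factory=set)  # added via "Referral access"

    def __post_init__(self):
        # Assumed guard: an anonymous session only ever carries referral grants,
        # never account entitlements, so the shared account can never "own" content.
        if self.is_anonymous and self.own_company_ids:
            raise ValueError("anonymous session cannot hold account entitlements")

    @property
    def is_anonymous(self) -> bool:
        return self.subject == ANONYMOUS_SUBJECT

    def grant_referral(self, company_id: str) -> None:
        # Kept server-side in the session store, never taken from the browser. Validating
        # that the request really came from that company's portal is assumed to happen first.
        self.referral_company_ids.add(company_id)

    def entitled_companies(self) -> frozenset:
        return self.own_company_ids | frozenset(self.referral_company_ids)


def can_access(session: Session, content_owner: str) -> bool:
    """Content is readable when some entitlement, own or referral, covers its owning company."""
    return content_owner in session.entitled_companies()


def demo() -> dict:
    """Constructed walkthrough of the two legacy cases from the question."""
    anon = Session(ANONYMOUS_SUBJECT)
    before = can_access(anon, "acme")          # plain anonymous visitor: denied
    anon.grant_referral("acme")                # case 1: referral access for an anonymous user
    after = can_access(anon, "acme")

    user = Session("alice", own_company_ids=frozenset({"globex"}))
    user.grant_referral("acme")                # case 2: logged-in user expands entitlements
    return {
        "anon_before": before, "anon_after": after,
        "user_globex": can_access(user, "globex"),
        "user_acme": can_access(user, "acme"),
        "user_other": can_access(user, "initech"),
    }
```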
