About this site
This portfolio is itself an IAM demo. Here's how it works.
Stack
Built on Keycloak (OIDC/OAuth2), a Next.js frontend using NextAuth.js, and Nginx as a TLS-terminating reverse proxy — all running in Docker Compose on a VPS.
Access tiers
Content is gated by Keycloak realm roles and enforced server-side in the Next.js App Router. There are three tiers:
Anonymous — public content (this page)
user — self-service sign-up; unlocks resume and LinkedIn
recruiter — manually granted; reveals contact info
Least-privilege role model
New accounts get the user role by default via a Keycloak default role mapping. The recruiter role is granted manually after establishing contact, keeping personal information off the public internet while still making it easy to share once trust is established.
OIDC flow
The flow uses Authorization Code + PKCE. Keycloak issues a signed JWT containing the user's realm roles, which NextAuth maps into the session. Next.js server components read the session on every request — no client-side role checks, no token storage in localStorage.