ryan higdon
About this site

This portfolio is itself an IAM demo. Here's how it works.
Stack

Built on Keycloak (OIDC/OAuth2), a Next.js frontend using NextAuth.js, and Nginx as a TLS-terminating reverse proxy — all running in Docker Compose on a VPS.

Access tiers

Content is gated by Keycloak realm roles and enforced server-side in the Next.js App Router. There are three tiers:

  • Anonymous — public content (this page)

  • user — self-service sign-up; unlocks resume and LinkedIn

  • recruiter — manually granted; reveals contact info

Least-privilege role model

New accounts get the user role by default via a Keycloak default role mapping. The recruiter role is granted manually after establishing contact, keeping personal information off the public internet while still making it easy to share once trust is established.
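The tier model above, written out as an added example (not the site's own code): sections map to a minimum tier, tiers are assumed to be cumulative (a recruiter also sees everything a user sees), the role names `user` and `recruiter` come from the page, the section keys and the `Session` shape are constructed stand-ins for what the NextAuth session callback would expose, and anything not listed (an unknown section, a role the site does not use) is denied or ignored by default.

```typescript
// Added example: server-side tier gating for a role-based portfolio.
// Role names "user" and "recruiter" follow the page; sections and the
// Session shape are constructed assumptions, not the site's real code.

export type Tier = "anonymous" | "user" | "recruiter";

// Tiers are assumed cumulative: a higher rank satisfies every lower requirement.
const TIER_RANK: Record<Tier, number> = { anonymous: 0, user: 1, recruiter: 2 };

// Section -> minimum tier. A section missing from this map is never shown.
export const SECTION_MIN_TIER: Record<string, Tier> = {
  about: "anonymous",
  resume: "user",
  linkedin: "user",
  contact: "recruiter",
};

// Minimal stand-in for the NextAuth session: realm roles copied from the token.
export interface Session {
  roles: string[];
}

// Highest tier the realm roles grant. Roles the site does not use
// (for example Keycloak's built-in ones) confer nothing.
export function tierOf(session: Session | null): Tier {
  if (!session) return "anonymous";
  if (session.roles.includes("recruiter")) return "recruiter";
  if (session.roles.includes("user")) return "user";
  return "anonymous";
}

// Deny by default: unknown sections are refused, known ones compare ranks.
export function canView(section: string, session: Session | null): boolean {
  const required = SECTION_MIN_TIER[section];
  if (required === undefined) return false;
  return TIER_RANK[tierOf(session)] >= TIER_RANK[required];
}

// What a server component would compute before rendering anything:
// the decision is made on the server, so the client never sees gated data.
export function visibleSections(session: Session | null): string[] {
  return Object.keys(SECTION_MIN_TIER).filter((s) => canView(s, session));
}
```

Because `visibleSections` runs on the server and only allowed sections are rendered, there is nothing for a client-side check to bypass; a user who edits the DOM or the session cookie still cannot obtain contact data the server never sent.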

OIDC flow

The flow uses Authorization Code + PKCE. Keycloak issues a signed JWT containing the user's realm roles, which NextAuth maps into the session. Next.js server components read the session on every request — no client-side role checks, no token storage in localStorage.
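The two pieces of that flow that a relying party must get right, as an added example that is not the site's or NextAuth's code: the PKCE verifier/challenge pair (RFC 7636, S256) and the validation of the signed token before any role in it is trusted. Keycloak carries realm roles in the `realm_access.roles` claim, which is the shape assumed here; the issuer, audience and key are constructed for the example (a key generated in-process stands in for the realm's RS256 key that NextAuth would normally fetch from Keycloak's JWKS endpoint). The point is the order of checks: pinned algorithm, signature, issuer, audience, expiry, and only then the roles.

```typescript
// Added example: PKCE pair generation and RS256 token validation with
// Keycloak-style realm roles. Issuer, audience and keys are assumptions.
import {
  createHash,
  createSign,
  createVerify,
  generateKeyPairSync,
  randomBytes,
  KeyObject,
} from "node:crypto";

// --- PKCE (RFC 7636), S256 method ---
export interface PkcePair {
  verifier: string;
  challenge: string;
}

// code_challenge = BASE64URL(SHA256(code_verifier))
export function s256(verifier: string): string {
  return createHash("sha256").update(verifier).digest("base64url");
}

// 32 random bytes -> 43 base64url chars, inside the 43..128 range the RFC allows.
export function makePkcePair(): PkcePair {
  const verifier = randomBytes(32).toString("base64url");
  return { verifier, challenge: s256(verifier) };
}

// The check the authorization server performs at the token endpoint.
export function pkceMatches(challenge: string, verifier: string): boolean {
  return s256(verifier) === challenge;
}

// --- Compact JWT, RS256 ---
function b64urlJson(value: unknown): string {
  return Buffer.from(JSON.stringify(value)).toString("base64url");
}

// Stands in for Keycloak minting the token; only needed so the example is self-contained.
export function signJwt(claims: Record<string, unknown>, privateKey: KeyObject): string {
  const signingInput = `${b64urlJson({ alg: "RS256", typ: "JWT" })}.${b64urlJson(claims)}`;
  const sig = createSign("RSA-SHA256").update(signingInput).sign(privateKey, "base64url");
  return `${signingInput}.${sig}`;
}

export interface Expectations {
  issuer: string;
  audience: string;
  now: number; // seconds since epoch, injected so tests are deterministic
}

interface KeycloakPayload {
  iss?: unknown;
  aud?: unknown;
  exp?: unknown;
  realm_access?: { roles?: unknown };
}

// Returns the realm roles only if every check passes; otherwise null.
export function realmRolesFromToken(token: string, publicKey: KeyObject, want: Expectations): string[] | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: { alg?: unknown };
  let payload: KeycloakPayload;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  // Pin the algorithm: the token's own header must never choose how it is verified.
  if (header.alg !== "RS256") return null;
  if (!createVerify("RSA-SHA256").update(`${h}.${p}`).verify(publicKey, s, "base64url")) return null;
  if (payload.iss !== want.issuer) return null;
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(want.audience)) return null;
  if (typeof payload.exp !== "number" || payload.exp <= want.now) return null;
  const roles = payload.realm_access?.roles;
  return Array.isArray(roles) ? roles.filter((r): r is string => typeof r === "string") : [];
}
```

Rejecting the token outright on any failed check, rather than returning a partial role list, is what keeps a forged or replayed token from being mapped into a session with `recruiter` privileges; the tampered-payload case below shows why the signature must cover the exact bytes of the claims.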

Create an account or sign in →