[keycloak-dev] Update on authz for admin console

[Bill Burke]

On 2/24/2014 9:36 AM, Stian Thorgersen wrote:
> I've got fine-grained authz permissions working for the admin console now. There's 4 roles associated with each realm (represented as an app in keycloak-admin realm). These allows users to manage the realm, clients, applications and/or users. The admin console has also been updated to only show the sections a user has permissions to (for example if a user can only manage-users the settings, applications and clients links are not shown). Obviously rest endpoints check for permissions as well.
>
> There's a few issues left that I'm working on:
>
> * Need to fix refresh in admin - I'm hoping to use refresh tokens for this
> * Admin needs to log out/log back in after creating realm - An admin (super) has access to all 4 roles for all realms. When a realm is created these roles are created as well, so the current token doesn't contain these roles.
>

This should be changed to only use an identity token/cookie specific to 
the admin console.  Role mappings can be checked directly by admin REST 
service.  We can still do the regular login flow, but the access token 
we get back should only be used to create an identity cookie, not to 
authorize.


> AuthenticationManager was starting to become quite messy, so I extracted methods specific to admin console and account into a separate AppAuthManager. The token in the cookies created for these didn't use to include roles, which I've added to make it simpler to check for permissions.
>

These tokens don't need to have roles in them!  The admin service can 
check role mappings directly as it has access to database.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com