[keycloak-user] Authorization at Keycloak level

Pedro Igor Silva psilva at redhat.com
Mon Aug 29 10:15:47 EDT 2016


+1.

Like I said, right now our authz engine is not fully integrated with KC server. However, I think the requirement can be achieved by:

    - Authentication SPI. In this case, you don't necessarily need authz services but just check roles in your authenticator
    - Authentication SPI + AuthorizationProvider. I've never tested this (maybe it is time to start looking at it), but in theory you should be able to obtain an AuthorizationProvider from KeycloakSession and use it to perform evaluations.

For #2, I need to spend some time testing this scenario and documenting our Authorization API for those looking to use our authz engine when extending KC.
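To make the first option concrete, here is a custom Authenticator of the kind Pedro describes: a REQUIRED execution placed after the username/password or identity-provider step that fails the login flow unless the user holds a configured role. This is an added illustration written for this thread, not code from Pedro, from Keycloak, or from the original poster. It assumes the Keycloak Authentication SPI method names as I remember them (Authenticator, AuthenticatorFactory, AuthenticationFlowContext, AuthenticatorConfigModel); the "client-id.role" naming convention for client roles, the configuration key `required.role`, the provider id `require-role-authenticator`, the package name, and the `createErrorPage(Response.Status)` overload are my own assumptions and may need adjusting to the Keycloak version in use.

```java
package org.example.keycloak.authz; // constructed package name (assumption)

import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

// Registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
// Both classes are shown in one listing; in a real module each sits in its own file.
public class RequireRoleAuthenticatorFactory implements AuthenticatorFactory {
    public static final String ID = "require-role-authenticator"; // assumed provider id
    static final String ROLE_CONFIG_KEY = "required.role";         // assumed config key
    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENTS = {
            AuthenticationExecutionModel.Requirement.REQUIRED,
            AuthenticationExecutionModel.Requirement.DISABLED };
    private static final List<ProviderConfigProperty> PROPS = new ArrayList<>();
    static {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(ROLE_CONFIG_KEY);
        p.setLabel("Required role");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        p.setHelpText("Realm role name, or client-id.role for a client role.");
        PROPS.add(p);
    }
    @Override public Authenticator create(KeycloakSession session) { return new RequireRoleAuthenticator(); }
    @Override public String getId() { return ID; }
    @Override public String getDisplayType() { return "Require Role"; }
    @Override public String getReferenceCategory() { return "authorization"; }
    @Override public boolean isConfigurable() { return true; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENTS; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Denies login to users lacking the configured role."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return PROPS; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}

// Runs after the user has been identified, so context.getUser() is populated.
class RequireRoleAuthenticator implements Authenticator {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {            // cannot happen with requiresUser()==true; fail closed anyway
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        String roleName = cfg == null ? null : cfg.getConfig().get(RequireRoleAuthenticatorFactory.ROLE_CONFIG_KEY);
        if (roleName == null || roleName.isEmpty()) {
            // Missing configuration must deny, never silently admit every user.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        RoleModel role = resolveRole(context.getRealm(), roleName);
        if (role == null || !user.hasRole(role)) { // hasRole() also walks composite and group roles
            Response page = context.form()
                    .setError("You are not allowed to access this application.")
                    .createErrorPage(Response.Status.FORBIDDEN);
            context.failure(AuthenticationFlowError.INVALID_USER, page);
            return;
        }
        context.success();
    }

    // "client-id.role" selects a client role; anything else is looked up as a realm role.
    static RoleModel resolveRole(RealmModel realm, String name) {
        int dot = name.indexOf('.');
        if (dot > 0) {
            ClientModel client = realm.getClientByClientId(name.substring(0, dot));
            return client == null ? null : client.getRole(name.substring(dot + 1));
        }
        return realm.getRole(name);
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form is posted back */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Once deployed, copy the browser flow, add "Require Role" as a Required execution after the identity-provider or password step, set the role in its config, and bind the copied flow. A user without the role then never receives an authorization code; the flow ends on the error page instead of a redirect. Note the two fail-closed branches: an unconfigured execution and an unresolvable role both deny, since an authorizer that admits everyone when misconfigured is worse than one that is visibly broken. This check runs only at login; tokens already issued remain valid until they expire.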

----- Original Message -----
From: "Stian Thorgersen" <sthorger at redhat.com>
To: "Edouard Kaiser" <edouard.kaiser at gmail.com>
Cc: "Pedro Igor Silva" <psilva at redhat.com>, "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Monday, August 29, 2016 10:55:36 AM
Subject: Re: [keycloak-user] Authorization at Keycloak level

Pedro knows more about this, but the code required to do the checks should
be pretty simple. What language and app type do you have?

On 27 August 2016 at 05:05, Edouard Kaiser <edouard.kaiser at gmail.com> wrote:

> Hi Pedro,
>
> Thank you very much for your answer. Unfortunately that's what I was
> afraid of. The problem is, we don't have a classic Java/Servlet application,
> so we can't use any of the Keycloak adapters available.
>
> We might have to turn to another solution like Auth0.com which offers an
> integrated authorization plugin, unless we find the courage to write our
> own adapter.
>
> Cheers,
>
> 2016-08-26 22:43 GMT+10:00 Pedro Igor Silva <psilva at redhat.com>:
>
>> Hello Edouard,
>>
>> Right now, policy enforcement is only performed on application-side. For
>> that, you need to enable policy enforcement in your keycloak.json as follows:
>>
>> {
>>   "policy-enforcer": {}
>> }
>>
>> For more details, please take a look at [1].
>>
>> We don't enforce policies on server-side, at least for now. The user will
>> always be able to log in and be redirected to your application with a
>> code/token.
>>
>> @Stian already mentioned some ideas about a deeper integration
>> between KC authentication and authorization services. But for now, what you
>> want is not possible.
>>
>> [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/enforcer/overview.html
>>
>> ----- Original Message -----
>> From: "Edouard Kaiser" <edouard.kaiser at gmail.com>
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, August 25, 2016 10:02:32 PM
>> Subject: [keycloak-user] Authorization at Keycloak level
>>
>> Hi everyone,
>>
>> We discovered Keycloak very recently (pretty impressive tool by the way,
>> congrats to the maintainers!), and we've been trying to configure a very
>> simple authorization at the Keycloak level without success.
>>
>> Let me try to sum up what we are trying to achieve in our web-application.
>>
>> For a Keycloak Client, we would like to only allow the users with a
>> particular Role to be able to login.
>>
>> We thought that to achieve this, we needed to do this:
>> - Authorization enabled on the client
>> - Create a new Role-Based policy on a particular role
>> - Create a Resource Permission to use the previously created Policy
>> - Use this Resource Permission in the Default Resource of the Client
>>
>> We use openid-connect, and more specifically Google as the identity
>> provider.
>>
>> By doing this, we thought that users without the role, trying to connect
>> to our application through Keycloak, would be redirected to our application
>> with an error of authentication, something like this in the redirection:
>>
>> /login/oauthVerify?client_name=OidcClient&error=unauthorized
>> &error_description=You%20are%20not%20allowed%20to%20access%
>> 20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8
>>
>> Instead, it's like Keycloak does not check the Authorization
>> configuration, it redirects to our webapp with a proper authorization code.
>> Then the application is able to fetch the JWT successfully from the
>> Keycloak token endpoint.
>>
>> Did we miss something? Are we trying to solve our issue in the wrong way?
>>
>> Thank you all for your help,
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

