[keycloak-user] Authorization at Keycloak level

Edouard Kaiser edouard.kaiser at gmail.com
Mon Aug 29 10:18:37 EDT 2016


Hi Pedro,

Thanks for the extra information.

>> Stian, we use Play Framework in Java

2016-08-30 0:15 GMT+10:00 Pedro Igor Silva <psilva at redhat.com>:

> +1.
>
> Like I said, right now our authz engine is not fully integrated with KC
> server. However, I think the requirement can be achieved by:
>
>     - Authentication SPI. In this case, you don't necessarily need authz
> services but just check roles in your authenticator
>     - Authentication SPI + AuthorizationProvider. I've never tested this
> (maybe is time to start looking at it), but in theory you should be able to
> obtain an AuthorizationProvider from KeycloakSession and use it to perform
> evaluations.
>
> For #2, I need to spend some time testing this scenario and documenting
> our Authorization API for those looking to use our authz engine when
> extending KC.
>
> ----- Original Message -----
> From: "Stian Thorgersen" <sthorger at redhat.com>
> To: "Edouard Kaiser" <edouard.kaiser at gmail.com>
> Cc: "Pedro Igor Silva" <psilva at redhat.com>, "keycloak-user" <
> keycloak-user at lists.jboss.org>
> Sent: Monday, August 29, 2016 10:55:36 AM
> Subject: Re: [keycloak-user] Authorization at Keycloak level
>
> Pedro knows more about this, but the code required to do the checks should
> be pretty simple. What language and app type do you have?
>
> On 27 August 2016 at 05:05, Edouard Kaiser <edouard.kaiser at gmail.com>
> wrote:
>
> > Hi Pedro,
> >
> > Thank you very much for your answer. Unfortunately that's what I was
> > afraid of. The problem is, we don't have a classic Java/Servlet application,
> > so we can't use any of the Keycloak adapters available.
> >
> > We might have to turn to another solution like Auth0.com which offers an
> > integrated authorization plugin, unless we find the courage to write our
> > own adapter.
> >
> > Cheers,
> >
> > 2016-08-26 22:43 GMT+10:00 Pedro Igor Silva <psilva at redhat.com>:
> >
> >> Hello Edouard,
> >>
> >> Right now, policy enforcement is only performed on application-side. For
> >> that, you need to enable policy enforcement in your keycloak.json as
> follows:
> >>
> >> {
> >>   "policy-enforcer": {}
> >> }
> >>
> >> For more details, please take a look at [1].
> >>
> >> We don't enforce policies on server-side, at least for now. The user
> will
> >> always be able to log in and be redirected to your application with a
> >> code/token.
> >>
> >> @Stian already mentioned some ideas about a deeper integration
> >> between KC authentication and authorization services. But for now, what
> you
> >> want is not possible.
> >>
> >> [1] https://keycloak.gitbooks.io/authorization-services-guide/co
> >> ntent/topics/enforcer/overview.html
> >>
> >> ----- Original Message -----
> >> From: "Edouard Kaiser" <edouard.kaiser at gmail.com>
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Thursday, August 25, 2016 10:02:32 PM
> >> Subject: [keycloak-user] Authorization at Keycloak level
> >>
> >> Hi everyone,
> >>
> >> We discovered Keycloak very recently (pretty impressive tool by the way,
> >> congrats to the maintainers!), and we've been trying to configure a very
> >> simple authorization at the Keycloak level without success.
> >>
> >> Let me try to sum up what we are trying to achieve in our
> web-application.
> >>
> >> For a Keycloak Client, we would like to only allow the users with a
> >> particular Role to be able to login.
> >>
> >> We thought that to achieve this, we needed to do this:
> >> - Authorization enabled on the client
> >> - Create a new Role-Based policy on a particular role
> >> - Create a Resource Permission to use the previously created Policy
> >> - Use this Resource Permission in the Default Resource of the Client
> >>
> >> We use openid-connect, and more specifically Google as the identity
> >> provider.
> >>
> >> By doing this, we thought that users without the role, trying to connect
> >> to our application through Keycloak, would be redirected to our
> application
> >> with an error of authentication, something like this in the redirection:
> >>
> >> /login/oauthVerify?client_name=OidcClient&error=unauthorized
> >> &error_description=You%20are%20not%20allowed%20to%20access%
> >> 20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8
> >>
> >> Instead, it's like Keycloak does not check the Authorization
> >> configuration, it redirects to our webapp with a proper authorization
> code.
> >> Then the application is able to fetch the JWT successfully from the
> >> Keycloak token endpoint.
> >>
> >> Did we miss something? Are we trying to solve our issue in the wrong
> way?
> >>
> >> Thank you all for your help,
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> >
>
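Pedro's first suggestion above (an Authentication SPI authenticator that just checks roles, so no authorization services are needed) worked through as an added example. This is not code from the thread or from the Keycloak project. It assumes the Keycloak Authentication SPI as of the 2.x releases (`org.keycloak.authentication.*`); the package name, the role name `app-user` and the provider id are placeholders chosen here. Placed as a REQUIRED execution after the step that identifies the user (for a brokered Google login, the post-broker-login flow), it ends the flow with an access-denied error, so a user without the role never receives the authorization code that Edouard's application was seeing.

```java
// Added example, not code from this thread or from the Keycloak project.
// Assumptions: Keycloak 2.x-era Authentication SPI; "com.example.keycloak",
// the role name "app-user" and the provider id are placeholders.
package com.example.keycloak;

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;

public class RequireRoleAuthenticator implements Authenticator {

    // Placeholder: realm role (or "clientId.role" for a client role) the user must hold.
    static final String REQUIRED_ROLE = "app-user";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        RealmModel realm = context.getRealm();
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, REQUIRED_ROLE);

        if (user != null && role != null && user.hasRole(role)) {
            context.success();   // role present: let the flow continue
            return;
        }
        // Role missing, or role not defined in the realm: record an audit event
        // and fail the flow. The browser gets an error page, not a redirect with a code.
        context.getEvent().error(Errors.NOT_ALLOWED);
        context.failure(AuthenticationFlowError.ACCESS_DENIED);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form is rendered by this step, so there is nothing to process on POST.
    }

    @Override
    public boolean requiresUser() {
        return true;   // the check only makes sense once the user has been identified
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;   // applies to every user; the role test itself lives in authenticate()
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // No required actions: a user without the role is simply denied.
    }

    @Override
    public void close() {
    }

    // Factory, registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory
    // with the entry com.example.keycloak.RequireRoleAuthenticator$Factory.
    // Nested only so that this example fits in a single file.
    public static class Factory implements AuthenticatorFactory {

        public static final String PROVIDER_ID = "require-role-authenticator";   // placeholder id

        private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
            AuthenticationExecutionModel.Requirement.REQUIRED,
            AuthenticationExecutionModel.Requirement.DISABLED
        };

        @Override public Authenticator create(KeycloakSession session) { return new RequireRoleAuthenticator(); }
        @Override public String getId() { return PROVIDER_ID; }
        @Override public String getDisplayType() { return "Require Role"; }
        @Override public String getReferenceCategory() { return null; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Fails the login unless the user holds the role " + REQUIRED_ROLE; }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

After deploying the jar, copy the browser (or first/post broker login) flow in the admin console, add "Require Role" as a REQUIRED execution after the step that authenticates the user, and bind the copy to the client's flow. Because the denial happens inside Keycloak's flow, it covers every client using that flow regardless of whether the application has an adapter, which is what the Play Framework application in this thread lacked; the `Errors.NOT_ALLOWED` event also gives the server-side log entry to alert on when a user without the role attempts to log in.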