[keycloak-user] Course and Fine Grained Entitlements
Guy Davis
guydavis.ca at gmail.com
Wed Feb 3 13:47:21 EST 2016
Hi Lars,
Good question. My organization is also asking similar questions about
adopting Keycloak. Let me give my understanding as a user, then Keycloak
team can correct my misunderstandings.
Basically, Keycloak offers coarse-grained authorizations (realm-roles
<http://keycloak.github.io/docs/userguide/keycloak-server/html/per-realm-admin-permissions.html>
and client-app roles
<http://keycloak.github.io/docs/userguide/keycloak-server/html/roles.html>)
assigned to users (or groups
<http://keycloak.github.io/docs/userguide/keycloak-server/html/groups.html>).
So I understand Keycloak will let you grant user Bob the 'myapp-admin'
role. However, it falls to the backend service or application to then map
that role to application-specific permissions. For example, role
'myapp-admins' can access /myapp/project1/admin page. This resource
security can be done (for Java apps) in declarative fashion using web.xml
security constraints. Alternatively, your application code could
dynamically obtain the Keycloak user principal, check their roles, and map
into your app's permission scheme.
This understanding implies that your application is responsible for an
admin UI to map fine-grained permissions on your app's resources to
Keycloak roles. If your app only has 'coarse-grained" resources, then you
can probably just use Keycloak roles, with no need for a permission layer
or the UI it entails.
Also, see this pre-amble about Permission Scopes
<http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e65>.
In
future, it sounds like Keycloak team is considering support for the UMA
portion of the OAuth standard
<https://docs.kantarainitiative.org/uma/draft-uma-core.html>. This may
help with fine-grained permission management within Keycloak itself?
Hope this helps,
Guy
<sorry, original response was only to Lars, now to list as well>
On Tue, Feb 2, 2016 at 8:29 PM, Lars Noldan <lars.noldan at drillinginfo.com>
wrote:
> We're in the investigation stage on moving from a $BigExpensiveVendor
> solution toward keycloak, and we're looking for a solution to help manage
> both Course and Fine grained entitlements. Keycloak appears to be a
> fantastic authentication solution, but I'm wondering what are you, the
> keycloak community using to handle Authorization?
>
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/885bba2f/attachment.html
More information about the keycloak-user
mailing list