[keycloak-user] How to implement this using Keycloak

Travis De Silva traviskds at gmail.com
Fri Jul 29 21:46:49 EDT 2016


Great. Thanks Pedro. Let me give this a go. The authorization was the
missing piece in KeyCloak and if this can fill in that gap, that's great.

On Sat, 30 Jul 2016 at 11:27 Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi Travis,
>
>     You are not hijacking anything. And I'm also Silva anyways :)
>
>     It is pretty much related. Although different use cases. I need to get
> more input from Rong before going further.
>
>     Regarding your use case, the answer is yes. I think you can address
> most of these requirements with our authorization services. For instance,
> projects are *resources* in Keycloak. You may define a resource that
> represents a set of one or more resources or have resource instances. In
> this case, resources instances inherit all permissions. You can also
> override permissions on a resource-basis as well. Eg.: define specific
> policies for a scope associated with a resource.
>
>     Here resources can be your projects. Your application, which is acting
> as a resource server, is also allowed to manage its own resources in
> Keycloak using the Protection API, which basically provides an API to CRUD
> resources + other things.
>
>     Scopes can be actions that PMs, PMOs, etc., can perform on your
> resources. Here, you can also specify permissions for each scope
> individually.
>
>     Both resources and scopes are associated with permissions, which
> define the authorization policies that should be applied in order to GRANT
> or DENY access. Lastly, policies represent the conditions that you
> actually want to enforce. We have a few policy providers that allow you to
> use ABAC, RBAC, JavaScript, JBoss Rules/Drools, Time constraints, Users,
> etc. The idea is to introduce more in the future. Eg.: XACML,
> Group-based, etc.
>
>     There is also an evaluation tool that you can use to simulate
> authorization requests and check how your permissions and policies are
> being evaluated. Useful when designing your policies, testing or trying to
> figure out issues.
>
>     Right now, I'm working on a few improvements. If you want to get the
> latest changes (just sent a PR now), please check both upstream doc and
> code.
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Travis De Silva" <traviskds at gmail.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>, "Rong Sang (CL-ATL)" <
> rsang at carelogistics.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, July 29, 2016 9:37:02 PM
> Subject: Re: [keycloak-user] How to implement this using Keycloak
>
> Hi Pedro,
>
> I have just started looking at the Keycloak Authorization Services that were
> introduced in 2.0.0.Final.
>
> I too have a similar use case. For example, we have a project management
> system where projects belong to a project manager. A project manager can
> have more than one project. Each project manager has access to only their
> own projects.
>
> Project Managers in turn report to Portfolio Managers. So a Portfolio
> Manager should be able to access all his/her project manager's projects.
>
> At the moment, how we handle this is by having a separate mapping within
> the application and since we build/own the application, we filter out the
> JPA query results based on the above rules. BTW, our services are REST based
> (i.e. JAX-RS). KeyCloak is essentially used for Authentication via a
> federated LDAP/AD provider and we use Keycloak roles to protect the
> services/front end screen options.
>
> Are you saying that we can filter the data outside the application via
> Keycloak
> Authorization Services? Maybe I need to start looking at the demo examples
> a bit more.
>
> I believe Rong's use case is also the same so hope I have not hijacked this
> thread.
>
> Cheers
> Travis
>
>
>
>
>
> On Sat, 30 Jul 2016 at 09:51 Pedro Igor Silva <psilva at redhat.com> wrote:
>
> > Hi Rong,
> >
> >      Can you provide more details about your use case? For instance:
> >
> >          * Are you the service owner?
> >          * Is your service using a REST style? What does the API look like?
> >          * Is your service already protected using a bearer token?
> >          * How are you representing the user's unit? Realm, Group, role
> > or just a user claim/attribute?
> >          * What is behind: "Users should not have the access to patients
> > in a unit that they are not authorized"? What does "not authorized" really
> > mean? What kinds of policies do you want to apply?
> >
> >      From what you described, it seems that you can achieve what you want
> > with different approaches. It all depends on what you really need and how
> > fine-grained you want to be. For instance, units can be represented as
> > groups in Keycloak. You can enforce group membership in your application
> > by introspecting the bearer token (issued by a Keycloak server to some
> > client). The same logic applies if you are using roles or attributes to
> > represent units.
> >
> >      In 2.0.0.Final, we have introduced Keycloak Authorization Services.
> > This one is related to externalized and fine-grained authorization, which
> > gives you great flexibility to define, manage, deploy and enforce
> > authorization policies for your application and organization. Indeed, one
> > of the protocols we are supporting (not fully, yet), UMA, is pretty much
> > based on several healthcare use cases. For instance, you can manage the
> > policies that apply to patient records in Keycloak and also let Keycloak
> > enforce these policies on requests sent to your application. In this case,
> > you can define not only a "from unit have access" policy, but also apply
> > even more fine-grained policies to your service using the different policy
> > providers (ABAC and Context-based, RBAC, Time-based, Rules-based,
> > User-based, more to come...) we provide. We are still missing some very
> > nice parts of UMA though, as currently we are focusing on API security use
> > cases. But I hope to get those missing parts implemented soon.
> >
> > Regards.
> > Pedro Igor
> >
> >
> > ----- Original Message -----
> > From: "Rong Sang (CL-ATL)" <rsang at carelogistics.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, July 29, 2016 5:23:20 PM
> > Subject: [keycloak-user] How to implement this using Keycloak
> >
> >
> > Hi all,
> >
> > I’m doing a POC using Keycloak. The normal authentication/authorization
> > features work well, but I have the following requirement that I cannot
> > find a straightforward solution for. I hope some security experts in the
> > mailing list can point me in the right direction.
> >
> > Here is the requirement. A hospital has multiple units. Users should not
> > have access to patients in a unit that they are not authorized for. I have
> > one service that returns a list of patients across units. What’s the best
> > way to set up authorization for this service?
> >
> > As I said earlier, I cannot find a feature for me to implement this. Any
> > idea is greatly appreciated.
> >
> > Thanks,
> >
> > Rong
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
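Pedro's model above (projects registered as resources owned by the project manager, actions as scopes, a policy deciding GRANT or DENY) applied to Travis's use case, as an added example. This is not code from the thread or from the Keycloak project. It assumes the application registers each project through the Protection API with the project manager's user id as the resource owner, and that the portfolio-manager relation is delivered in the token as a multi-valued user attribute named `managed_pms` listing the PMs who report to that person; both the attribute name and the stand-in `$evaluation` object are assumptions made for the example, the latter implementing only the methods the policy calls so the script can run outside Keycloak.

```javascript
// Added example: Travis's project rule as a Keycloak JavaScript policy, with a
// constructed stand-in for Keycloak's $evaluation object so it runs stand-alone.
// Not code from the mailing-list thread or from Keycloak itself.
//
// Assumption (not something Keycloak defines): the portfolio-manager relation is
// a multi-valued user attribute "managed_pms" holding the user ids of the PMs who
// report to that portfolio manager, mapped into the token as a claim.
//
// Inside Keycloak the script body runs with a global `$evaluation`; here it sits
// in a function so the same body can be exercised against a constructed object.
function projectPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();
  var owner = resource.getOwner(); // user id of the PM who registered the project

  // 1. A project manager may act on their own projects.
  if (identity.getId() === owner) {
    $evaluation.grant();
    return;
  }

  // 2. A portfolio manager may act on the projects of the PMs reporting to them.
  //    Attributes.getValue returns null when the attribute is absent.
  var managed = identity.getAttributes().getValue('managed_pms');
  if (managed !== null) {
    for (var i = 0; i < managed.size(); i++) {
      if (managed.asString(i) === owner) {
        $evaluation.grant();
        return;
      }
    }
  }

  // 3. Everyone else: no access. An undecided policy is also treated as a deny,
  //    but an explicit deny reads more clearly in the evaluation tool.
  $evaluation.deny();
}

// Constructed stand-in for $evaluation covering only what projectPolicy calls:
// getContext().getIdentity().getId() / getAttributes().getValue(name),
// getPermission().getResource().getOwner(), grant(), deny().
function makeEvaluation(userId, attrs, resourceOwner) {
  var decision = null;
  var attributes = {
    getValue: function (name) {
      if (!Object.prototype.hasOwnProperty.call(attrs, name)) return null;
      var values = attrs[name];
      return {
        size: function () { return values.length; },
        asString: function (i) { return values[i]; }
      };
    }
  };
  var identity = {
    getId: function () { return userId; },
    getAttributes: function () { return attributes; }
  };
  var resource = { getOwner: function () { return resourceOwner; } };
  return {
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    getPermission: function () { return { getResource: function () { return resource; } }; },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// Runs the policy for one (user, project) pair and returns "GRANT" or "DENY".
function decide(userId, attrs, projectOwner) {
  var ev = makeEvaluation(userId, attrs, projectOwner);
  projectPolicy(ev);
  return ev.result();
}

// Constructed sample data: PMs alice and bob report to portfolio manager carol.
var PORTFOLIO = { managed_pms: ['alice', 'bob'] };

console.log(decide('alice', {}, 'alice'));       // own project
console.log(decide('bob', {}, 'alice'));         // another PM's project
console.log(decide('carol', PORTFOLIO, 'bob'));  // a reporting PM's project
console.log(decide('dave', { managed_pms: ['erin'] }, 'alice')); // unrelated user
```

In Keycloak the body of `projectPolicy` is what goes into a JavaScript policy attached to the permission covering the project resources (in current releases such scripts have to be deployed as a JAR with a `META-INF/keycloak-scripts.json` descriptor rather than typed into the admin console), and the evaluation tool Pedro mentions lets you run it against a chosen user and resource before anything is enforced. Note that the policy answers a per-resource question; a service that returns a list, like Rong's patients-across-units endpoint or Travis's JPA results, still has to ask that question for each item or obtain the full set of permissions the user holds and filter on it.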