[keycloak-user] Custom Authorization in Keycloak

Pedro Igor Silva psilva at redhat.com
Mon Aug 28 16:54:52 EDT 2017


On Mon, Aug 28, 2017 at 12:25 PM, Muehlburger, Herbert <
herbert.muehlburger at bearingpoint.com> wrote:

> Hi,
>
>
> thanks for the response.
>
>
> So the only solution that I could think of is to wait for the RFE to be
> implemented? It would indeed solve our use case.


>
> Our authorization model is based on a role based access model (RBAC). But
> we have some customizations which give you additional permissions or
> restrict your permissions to access certain entities. (Kind of a mix
> between RBAC and row-level security.) We need to write our custom logic to
> grant or deny access to the given resource.
>

I have been thinking about this functionality for a while. Your use case
seems to have some of the requirements behind it.

But now that you mentioned "certain entities" and "row level security", I
assume you already have a bunch of these entities in your database, so you
would need to create them in Keycloak in order to be able to associate them
with policies. They would need to be resources in Keycloak.

The idea behind that RFE is to allow people to delegate authorization
decisions to an external service (KC acting as an authorization broker)
when evaluating permissions for specific resources. I think it would not
address all your requirements though, and might even complicate things, as you
would need to re-create your entities as resources in Keycloak.


>
>
> We don't want to use internal SPIs that will be changed in future releases
> and we are not able to migrate our authorization model to Keycloak because
> of our customizations.
>
>
> Do you think RFE (https://issues.jboss.org/browse/KEYCLOAK-5346) will be
> addressed in near future?


>
> Best,
>
> Herbert
>
>
> ________________________________
> From: Pedro Igor Silva <psilva at redhat.com>
> Sent: Monday, 28 August 2017 14:24
> To: Muehlburger, Herbert
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Custom Authorization in Keycloak
>
> The only SPI we have in AuthZ Services is for writing custom policy
> providers. But this SPI is not yet public and should change in the next
> releases.
>
> What do you think about this RFE [1] ?
>
> What do your permissions look like in your legacy database? E.g., a string
> like resource:role|group|user:action?
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-5346
>
>
> On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert <
> herbert.muehlburger at bearingpoint.com> wrote:
> Dear Keycloak Community,
>
>
> we are evaluating Keycloak and have the use case that we cannot migrate
> authorization information (roles, permissions, ...) to Keycloak. We have
> this information stored in a legacy database. Is it possible to write an
> extension to Keycloak which handles authorization decisions there? It
> would load our roles and permissions, etc. and decide if it grants access
> to the user or client being present. I know about the extension mechanism
> for writing custom User Store providers but I'm not sure if this is the
> right place to do that for authorization information as well?
>
>
> Thank you for any help,
>
> Best regards,
>
> Herbert
>
>
>
> Herbert Mühlburger
> Senior System Engineer
>
>
> T  +43 316 8003
> F  +43 316 8003 1080
>
> BearingPoint
> Seering 6, Block B
> 8141 Premstätten
> Austria
>
> herbert.muehlburger at bearingpoint.com
> www.bearingpoint.com
> ________________________________
> BearingPoint Technology GmbH
> Sitz: Premstätten bei Graz
> Firmenbuchgericht: Landesgericht für ZRS Graz
> Firmenbuchnummer: FN 44354b
>
> The information in this email is confidential and may be legally
> privileged. If you are not the intended recipient of this message, any
> review, disclosure, copying, distribution, retention, or any action taken
> or omitted to be taken in reliance on it is prohibited and may be unlawful.
> If you are not the intended recipient, please reply to or forward a copy of
> this message to the sender and delete the message, any attachments, and any
> copies thereof from your system.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


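An added illustration, written by the editor and not part of the thread or of Keycloak, of the kind of decision logic Herbert describes: a role-based table with row-level entries that add or take away access to individual entities. It is written in Python as a language-neutral sketch of a policy decision point, not as Keycloak SPI code (the thread itself says that SPI is unstable). The "resource:role|group|user:action" string format is Pedro's suggestion from the thread; the "kind=name" prefix on the principal segment, the "type/id" naming of rows, the trailing ":deny" flag and the sample table are assumptions of this example. The evaluation is deny-overrides with default deny, and it returns the entries that decided the outcome so a caller (for instance an external service that Keycloak delegated the decision to) can log why access was granted or refused.

```python
"""Added example (not Keycloak code): a small policy decision point over a
legacy permission table, RBAC plus row-level overrides.  The
"resource:role|group|user:action" format comes from the thread; the
"kind=name" principal prefix, the "type/id" resource naming and the
trailing ":deny" flag are assumptions of this example."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Permission:
    resource: str    # "invoice" applies to every invoice, "invoice/42" to one row
    kind: str        # "role", "group" or "user"
    principal: str
    action: str
    deny: bool       # True for an explicit row-level restriction


def parse_permission(line: str) -> Permission:
    """Parse one legacy entry, rejecting anything that is not exactly the expected shape."""
    parts = line.strip().split(":")
    if len(parts) not in (3, 4) or any(p == "" for p in parts):
        raise ValueError(f"malformed permission: {line!r}")
    resource, principal, action = parts[:3]
    deny = len(parts) == 4
    if deny and parts[3] != "deny":
        raise ValueError(f"unknown flag in permission: {line!r}")
    kind, sep, name = principal.partition("=")
    if not sep or kind not in ("role", "group", "user") or not name:
        raise ValueError(f"bad principal segment in permission: {line!r}")
    return Permission(resource, kind, name, action, deny)


def load_table(lines: Iterable[str]) -> List[Permission]:
    """Skip blank and '#' comment lines; everything else must parse."""
    return [parse_permission(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def _applies_to(perm: Permission, subject: Subject) -> bool:
    if perm.kind == "user":
        return perm.principal == subject.user
    if perm.kind == "role":
        return perm.principal in subject.roles
    return perm.principal in subject.groups


def _covers(perm_resource: str, requested: str) -> bool:
    """A type-wide entry ("invoice") covers every row ("invoice/42"); a row entry covers only itself."""
    return perm_resource == requested or perm_resource == requested.split("/", 1)[0]


def _fmt(p: Permission) -> str:
    return f"{p.resource}:{p.kind}={p.principal}:{p.action}" + (":deny" if p.deny else "")


def decide(table: List[Permission], subject: Subject,
           resource: str, action: str) -> Tuple[bool, List[str]]:
    """Deny-overrides, default-deny evaluation.
    Returns the decision and the entries that determined it, for audit logging."""
    matched = [p for p in table
               if p.action == action and _covers(p.resource, resource) and _applies_to(p, subject)]
    denies = [p for p in matched if p.deny]
    grants = [p for p in matched if not p.deny]
    if denies:
        return False, [_fmt(p) for p in denies]
    if grants:
        return True, [_fmt(p) for p in grants]
    return False, []   # nothing matched: default deny


# Constructed sample table for the example; not real data.
SAMPLE_TABLE = load_table([
    "# type-wide RBAC entries",
    "invoice:role=accountant:read",
    "invoice:role=accountant:update",
    "report:group=finance:read",
    "# row-level overrides",
    "invoice/42:role=accountant:update:deny",   # invoice 42 is locked for accountants
    "invoice/7:user=carol:read",                # carol may read one invoice without the role
])

if __name__ == "__main__":
    alice = Subject("alice", frozenset({"accountant"}), frozenset({"finance"}))
    carol = Subject("carol", frozenset(), frozenset())
    for subj, res, act in [(alice, "invoice/42", "update"),
                           (carol, "invoice/7", "read"),
                           (carol, "invoice/8", "read")]:
        ok, why = decide(SAMPLE_TABLE, subj, res, act)
        print(f"{subj.user} {act} {res}: {'GRANT' if ok else 'DENY'} {why}")
```

The strict parser matters as much as the evaluator: a malformed row that silently parses as a grant is how a legacy table turns into an authorization bypass, so anything that does not match the expected shape is rejected rather than guessed at.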