[keycloak-user] Multi attribute authorization check

Nathan Hoult nhoult51 at gmail.com
Thu Sep 14 13:50:41 EDT 2017


I have a use case where I need to check if a (user)+(company) is authorized
for a client resource.

Example:
user + companyA = resourceA granted
user + companyB = resourceA denied

The user may have multiple browser sessions logged into the same client so
I can't just set a KC user attribute "company=companyA". The service will
know, based on cookie or something, what the company ID is and can pass
that information to KC which can then return if that resource is authorized.

I tried:
1) Scope per company: I got close but it seemed to be the wrong use of
scope. I ran into some issues but if this was the way to do it I can look
at it again.
2) Realm per company: then the user would have multiple accounts, clients
would have to trust multiple Realms, adding/removing companies would require
a Realm setup, and any client resource changes would require an update in
each Realm. There is also the problem that a resource being controlled by
multiple authorization servers seems wrong (
https://github.com/pingidentity/mod_auth_openidc/issues/199).

I have thought about a hybrid approach but didn't think it was the right
way to do it even if it worked: 1 client realm with all users and clients,
that realm trusts multiple per-company realms, then a user logs into a
company realm that the client converts to the client realm but puts in the
token which realm the user came from.

I could write my own service, let the applications deal with their own
resource permissions, or make a KC plugin that does what I want, but if KC
can't do it by default does anyone know of another AuthZ implementation
that could?

I could be thinking about the problem all wrong to begin with so any input
is appreciated.

Thanks,
- Nathan
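
The following is an added example, not part of the original message and not Keycloak code. It models the situation described above: one user with two concurrent sessions, comparing a single per-user "company" attribute with a company passed per session. All names and data (alice, s1, s2, the grant table) are constructed assumptions.

```python
# Added illustration, not Keycloak code; all names and data are constructed.
MEMBERSHIPS = {"alice": {"companyA", "companyB"}}   # user -> companies
GRANTS = {("alice", "companyA"): {"resourceA"}}     # (user, company) -> resources


def decide(user, company, resource):
    """Deny by default; the company must be one the user belongs to."""
    if company not in MEMBERSHIPS.get(user, set()):
        return False  # a caller-supplied company is checked against membership first
    return resource in GRANTS.get((user, company), set())


class AttributeModel:
    """Company stored as one attribute on the user: shared by all sessions."""
    def __init__(self):
        self.user_attr = {}

    def select_company(self, user, company):
        self.user_attr[user] = company  # last writer wins across sessions

    def check(self, user, resource):
        return decide(user, self.user_attr.get(user), resource)


class SessionModel:
    """Company stored per session and passed with each authorization check."""
    def __init__(self):
        self.session_company = {}

    def select_company(self, session_id, company):
        self.session_company[session_id] = company

    def check(self, session_id, user, resource):
        return decide(user, self.session_company.get(session_id), resource)


def run_scenario():
    """Session s1 works in companyA, then session s2 picks companyB."""
    attr, sess = AttributeModel(), SessionModel()
    attr.select_company("alice", "companyA")
    attr.select_company("alice", "companyB")  # s2 overwrites s1's choice
    sess.select_company("s1", "companyA")
    sess.select_company("s2", "companyB")
    return {
        "attribute_s1": attr.check("alice", "resourceA"),
        "session_s1": sess.check("s1", "alice", "resourceA"),
        "session_s2": sess.check("s2", "alice", "resourceA"),
    }
```

With the attribute model the decision for s1 depends on which session wrote the attribute last; with the session model each session gets the decision for its own company.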

