[keycloak-user] Using Keycloak for per field authorisation

Courtney Robinson courtney.robinson at hypi.io
Wed Aug 8 16:20:24 EDT 2018


Hello,
I'm trying to work out what approach may be advisable for achieving per
field authorisation with Keycloak.

Until now we've used it for authentication only and are now expanding our
integration to take advantage of its authorisation capabilities as well,
with a view to replacing our existing solution entirely. Due to a need in the
near future for SAML and some other enterprise integrations, this has become
a necessity.

The situation is like this:
Prior to adopting Keycloak we used our own solution based on Apache Shiro.
We have a GraphQL API that services multiple organisations each with
multiple apps.

Each organisation has its own users and thus maps directly into separate
realms in Keycloak.
Each user in an organisation can have different permissions. Within an
organisation you can have one or more groups (usually an office/site) and
they sometimes have different access rights. I could elaborate more but I
think this should give a good picture of the setup.

So far so good, I can see how to map some of these things directly to
Keycloak high level constructs. It falls apart for me with the API. We're
using Spring Boot but I struggle to see how I'd achieve this setup using
one of the adapters.

Take this scenario:
App 1 defines two types A{f1:Int, f2: String} and B{f3:Int, f4: String}
Org 1, User 1 can read/write A.f1 and B.f3, they can only read B.f4 and
cannot see or perform any other operation on A.f2 *normally* but in one
case they have had a specific instance of A shared with them and given
complete read/write/share/manage permission for that one instance and thus
A.f2 is available to them in this one instance.

All other users get some default permission set to manage their own
resources, read/write/share (within the site) shared resources, read only
on resources shared with the organisation.
The same app can be used by multiple organisations, each with their own
access rules.

One thing worth noting is that when a user doesn't have permission to a
field, the entire request does not fail necessarily, we return null if the
field is optional and only if it's required does the whole request fail
(optional/required in the GraphQL sense where required fields must be
non-null).

I've been playing around with the clients auth and admin clients but
frankly I'm a little lost trying to figure out how to get this setup
working.

It's worth noting that none of the apps so far are secure clients, they're
angular/react based web apps. Our service needs to verify the user making
the request and do authorisation checks on the data being queried/mutated.

Can anyone provide some guidance as to how I go about achieving this with
Keycloak, which components I might use to achieve what and just a high
level description of how I might hang the pieces together? I think one
thing that is very unclear to me right now is what work the adapters do
exactly: it's unclear how they perform checks, what exactly they use
tokens for locally vs. what and when they query Keycloak again for. I'm
still going through the sources but it's still unclear for me.

Thanks in advance.
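An added illustration (not part of the thread, and not Keycloak's or Spring's API) of the per-field rule set the post describes, written in plain Python so it runs stand-alone: role-level grants and a per-instance share are merged per field, an unreadable optional field resolves to null and an unreadable required field fails the whole request. The instance id "a-42", the grant tables and which fields are non-null are constructed assumptions; in a real deployment the grants would be derived from the validated access token before the resolver runs.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

# Constructed illustration of the per-field rule set from the post. The grant tables
# stand in for claims that would be read from a validated access token.
class Op(Flag):
    READ = auto()
    WRITE = auto()
    SHARE = auto()
    MANAGE = auto()

ALL = Op.READ | Op.WRITE | Op.SHARE | Op.MANAGE
# Assumed schema: True marks a non-null (required) GraphQL field, False an optional one.
REQUIRED = {("A", "f1"): True, ("A", "f2"): False, ("B", "f3"): True, ("B", "f4"): False}

class FieldDenied(Exception):
    """Raised when a required field is requested without read permission."""

@dataclass
class Subject:
    user: str
    field_grants: dict = field(default_factory=dict)     # (type, field) -> ops from roles/groups
    instance_grants: dict = field(default_factory=dict)  # (type, instance id) -> ops from a share

def allowed(subject: Subject, type_name: str, field_name: str, instance_id: str, op: Op) -> bool:
    """True if the role-level grant on the field or a share on this instance covers op."""
    granted = subject.field_grants.get((type_name, field_name), Op(0))
    granted |= subject.instance_grants.get((type_name, instance_id), Op(0))
    return op in granted

def resolve(subject: Subject, type_name: str, instance_id: str, record: dict, requested: list) -> dict:
    """Project `record` for the subject: an unreadable optional field becomes None,
    an unreadable required field fails the whole request (GraphQL non-null semantics)."""
    out = {}
    for name in requested:
        if allowed(subject, type_name, name, instance_id, Op.READ):
            out[name] = record[name]
        elif REQUIRED[(type_name, name)]:
            raise FieldDenied(f"{subject.user} may not read required field {type_name}.{name}")
        else:
            out[name] = None
    return out

# User 1 from the post: read/write A.f1 and B.f3, read-only B.f4, nothing on A.f2
# except through a full share of the single instance "a-42" (constructed id).
USER1 = Subject("user1",
                field_grants={("A", "f1"): Op.READ | Op.WRITE, ("B", "f3"): Op.READ | Op.WRITE,
                              ("B", "f4"): Op.READ},
                instance_grants={("A", "a-42"): ALL})
```

The same `allowed` check guards mutations: a write to B.f4 by User 1 is refused because only READ is granted there, while the share on "a-42" grants every operation on that one instance.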
