[keycloak-user] Using Keycloak for per field authorisation

Pedro Igor Silva psilva at redhat.com
Thu Aug 9 09:11:13 EDT 2018


On Wed, Aug 8, 2018 at 5:20 PM, Courtney Robinson <courtney.robinson at hypi.io> wrote:

> Hello,
> I'm trying to work out what approach may be advisable for achieving per
> field authorisation with Keycloak.
>
> Until now we've used it for authentication only and are now expanding our
> integration to take advantage of its authorisation capabilities as well,
> with a view to replacing our existing solution entirely. Due to a need in
> the near future for SAML and some other enterprise integrations, this has
> become a necessity.
>
> The situation is like this:
> Prior to adopting Keycloak we used our own solution based on Apache Shiro.
> We have a GraphQL API that services multiple organisations each with
> multiple apps.
>
> Each organisation has its own users and thus maps directly into separate
> realms in Keycloak.
> Each user in an organisation can have different permissions. Within an
> organisation you can have one or more groups (usually an office/site) and
> they sometimes have different access rights. I could elaborate more but I
> think this should give a good picture of the setup.
>
> So far so good, I can see how to map some of these things directly to
> Keycloak high level constructs. It falls apart for me with the API. We're
> using Spring Boot but I struggle to see how I'd achieve this setup using
> one of the adapters.
>

Did you have a chance to look at our app-authz-spring* quickstarts?


>
> Take this scenario:
> App 1 defines two types A{f1:Int, f2: String} and B{f3:Int, f4: String}
> Org 1, User 1 can read,write A.f1 and B.f3, they can only read B.f4 and
> cannot see or perform any other operation on A.f2 *normally* but in one
> case they have had a specific instance of A shared with them and given
> complete read/write/share/manage permission for that one instance and thus
> A.f2 is available to them in this one instance.
>

I'm a little confused about what types A and B are. You also mentioned you
may have an "instance of A". Does that mean that types A and B represent
generic resources, with policies enforced on instances of A and B? Are these
instances user-managed resources?


>
> All other users get some default permission set to manage their own
> resources, read/write/share (within the site) shared resources, read only
> on resources shared with the organisation.
> The same app can be used by multiple organisations, each with their own
> access rules.


> One thing worth noting is that when a user doesn't have permission to a
> field, the entire request does not fail necessarily, we return null if the
> field is optional and only if it's required does the whole request fail
> (optional/required in the GraphQL sense where required fields must be
> non-null).
>
> I've been playing around with the clients auth and admin clients but
> frankly I'm a little lost trying to figure out how to get this setup
> working.
>
> It's worth noting that none of the apps so far are secure clients, they're
> angular/react based web apps. Our service needs to verify the user making
> the request and do authorisation checks on the data being queried/mutated
>
> Can anyone provide some guidance as to how I go about achieving this with
> Keycloak, which components I might use to achieve what and just a high
> level description of how I might hang the pieces together. I think one
> thing that is very unclear to me right now is what work the adapters do
> exactly: it's unclear how they perform checks, what exactly they use the
> tokens for locally, and what and when they query Keycloak again for. I'm
> still going through the sources but it's still unclear to me.
>

Regarding how the adapter (the policy enforcer in particular) works: it verifies
permissions locally if the client is sending a bearer token with
permissions; otherwise the adapter will query the server for the permissions
associated with the resource the client is trying to access (the mapping is
based on URIs).


>
> Thanks in advance.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


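The two points above, the enforcer preferring the permissions already inside a bearer token over a server round-trip, and the GraphQL null-versus-fail behaviour for fields the user may not read, as an added example in Python. This is not Keycloak's code nor the Spring adapter's, and it is not from either message in the thread. It assumes (these are illustration choices, not Keycloak conventions) that scopes are named "<field>:<op>", that an instance-specific resource is named "<Type>/<id>", and that the server round-trip is stubbed by a callback; the token payloads, schema and records are constructed sample data.

```python
"""Added example (not Keycloak's or the Spring adapter's code): a resource
server that (1) reuses the permissions carried in a Keycloak RPT (requesting
party token) and only falls back to a server round-trip when the bearer token
carries none, and (2) applies those permissions per field with GraphQL
semantics: a forbidden optional field becomes null, a forbidden required
(non-null) field fails the whole request.

Assumptions for illustration: scopes named "<field>:<op>", instance resources
named "<Type>/<id>", and a callback standing in for the server round-trip.
All sample data below is constructed.
"""
from typing import Callable, Dict, List, Optional, Set

Permissions = Dict[str, Set[str]]  # resource name -> granted scopes


class Unauthorized(Exception):
    """Raised when a required (non-null) field cannot be read."""


# Constructed: decoded payload of an RPT whose signature has ALREADY been
# verified. Keycloak carries granted permissions in the "authorization" claim
# as {"rsid", "rsname", "scopes"} entries; never read them from an unverified JWT.
RPT_CLAIMS = {
    "sub": "user-1",
    "authorization": {
        "permissions": [
            {"rsid": "res-a", "rsname": "A", "scopes": ["f1:read", "f1:write"]},
            {"rsid": "res-b", "rsname": "B", "scopes": ["f3:read", "f3:write", "f4:read"]},
            # one instance of A shared with user-1 with full rights, so A.f2 opens up there
            {"rsid": "res-a-42", "rsname": "A/42",
             "scopes": ["f1:read", "f1:write", "f2:read", "f2:write", "share", "manage"]},
        ]
    },
}

# Constructed: a plain access token (no "authorization" claim) for another user.
PLAIN_CLAIMS = {"sub": "user-2"}

# Constructed GraphQL-like schema: field -> True if non-null (required).
SCHEMA = {"A": {"f1": False, "f2": False}, "B": {"f3": False, "f4": True}}


def permissions_from_token(claims: dict) -> Optional[Permissions]:
    """Permissions carried by the token, or None if it has no "authorization"
    claim (the case where the enforcer has to ask the server instead)."""
    entries = claims.get("authorization", {}).get("permissions")
    if entries is None:
        return None
    perms: Permissions = {}
    for entry in entries:
        perms.setdefault(entry["rsname"], set()).update(entry.get("scopes", []))
    return perms


def resolve_permissions(claims: dict,
                        fetch_from_server: Callable[[str], Permissions]) -> Permissions:
    """Local check first; the server is consulted only when the token carries
    no permissions. fetch_from_server(subject) stands in for the round-trip."""
    local = permissions_from_token(claims)
    return local if local is not None else fetch_from_server(claims["sub"])


def allowed(perms: Permissions, type_name: str, instance_id: str, field: str, op: str) -> bool:
    """A grant on the specific instance ("A/42") or on the whole type ("A") suffices."""
    scope = f"{field}:{op}"
    return any(scope in perms.get(res, set())
               for res in (f"{type_name}/{instance_id}", type_name))


def read_fields(perms: Permissions, type_name: str, instance_id: str,
                record: dict, selection: List[str]) -> dict:
    """Project `selection` out of `record` under `perms`: unreadable optional
    fields become None; an unreadable required field aborts the request."""
    result = {}
    for field in selection:
        if allowed(perms, type_name, instance_id, field, "read"):
            result[field] = record[field]
        elif SCHEMA[type_name][field]:
            raise Unauthorized(f"{type_name}.{field} is non-null and not readable")
        else:
            result[field] = None
    return result


def demo_server_lookup(subject: str) -> Permissions:
    """Stub for the server round-trip: user-2 holds org-wide read-only on B.f3."""
    return {"B": {"f3:read"}} if subject == "user-2" else {}


if __name__ == "__main__":
    p1 = resolve_permissions(RPT_CLAIMS, demo_server_lookup)      # taken from the token
    print(read_fields(p1, "A", "7", {"f1": 1, "f2": "hidden"}, ["f1", "f2"]))   # f2 -> None
    print(read_fields(p1, "A", "42", {"f1": 2, "f2": "shared"}, ["f1", "f2"]))  # f2 visible
    p2 = resolve_permissions(PLAIN_CLAIMS, demo_server_lookup)    # fetched from "server"
    try:
        read_fields(p2, "B", "9", {"f3": 3, "f4": "x"}, ["f3", "f4"])
    except Unauthorized as exc:
        print("request rejected:", exc)                           # f4 is non-null
```

In the real adapter the resource is found by matching the request URI against the resources registered in Keycloak rather than by the "<Type>/<id>" naming used here, and the signature check on the bearer token happens before any claim is read; the point of the example is the order of decisions (token first, server only when the token carries nothing) and how a per-field denial maps onto a GraphQL result.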