[keycloak-user] Question about RPT requests for all permissions on multiple clients

Pedro Igor Silva psilva at redhat.com
Wed Aug 29 12:32:35 EDT 2018


On Wed, Aug 29, 2018 at 12:47 PM, David Erie (US) <David.Erie at datapath.com>
wrote:

> Hello,
> We're excited to be integrating Keycloak into our application suite, and I
> have some authorization questions I haven't been able to answer myself.
>
> We have an unusual Single Page Application (SPA) architecture where our
> web server and our "data" server are separate processes. Further, we don't
> own the web server source code. Consequently, the SPA code running in the
> browser will need to perform fine-grained permission enforcement on its own.
>
> I believe we can do this by sending the following type of request to get
> an RPT with all allowed permissions on the given resource server (I tested
> this and it works as expected):
>
>         curl -X POST \
>           http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
>           -H "Authorization: Bearer ${access_token}" \
>           --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>           --data "client_id=${web_client_id}" \
>           --data "audience=${resource_server_client_id}"
>
> We would actually need to send two of these requests, one with the "web"
> resource server client ID, and the other with the "data" resource server
> client ID, because they would each own a set of resources that are accessed
> and whose permissions are enforced in the SPA.
>
> Is this the recommended way to approach this problem?
>

This approach is fine depending on how many resources you have managed by
Keycloak. As you know, you are basically checking permissions for all
resources ...

Another way to achieve this is asking for specific permissions and
obtaining others on demand. For instance, if the SPA right after login requires
A, B and C, you can send a request asking permissions for only these
resources. Later, you can send the previous token with permissions for A, B
and C and ask for additional permissions for D, E and F. This is what we
call incremental authorization.

It would be nice if we could have a simple flag in the resource page to define the
resources we want to return by default (instead of all of them).


>
> Will this approach be supported in the long term (versus being deprecated
> for some reason related to the UMA 2.0 spec)?
>

Yes.


>
> Finally, what is the limit on the length of or number of permissions in an
> RPT?
>

No limit. But your clients can send a response_permissions_limit [1]
parameter to define how many permissions you expect in the token.

[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions


>
> Thank you,
> Dave
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
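Added example, not code from Keycloak or from either poster: the token requests discussed in this thread (the all-permissions request per resource server, and the incremental request that sends the previous RPT plus extra "permission" parameters and a response_permissions_limit), followed by the client-side check an SPA would run over the "authorization.permissions" claim of the RPTs it gets back from the "web" and "data" resource servers. It assumes Node.js; no network call is made, the RPTs are constructed, unsigned samples, and the resource ids, names and scopes are made up for illustration.

```javascript
// Added example for this thread (not Keycloak code, not the posters' code).
// Assumes Node.js. No network call is made: the RPTs below are constructed,
// unsigned samples so the helpers can be exercised offline.

const UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket";

// Form body for POST /auth/realms/${realm}/protocol/openid-connect/token,
// sent with "Authorization: Bearer <access_token>". Parameter names are the
// Keycloak ones: permission (repeatable, "resource" or "resource#scope"),
// rpt (previous RPT, for incremental authorization), response_permissions_limit.
// Omitting "permission" asks for every permission the user has on the audience.
function buildUmaTokenRequest(opts) {
  const params = new URLSearchParams();
  params.append("grant_type", UMA_GRANT);
  params.append("client_id", opts.clientId);
  params.append("audience", opts.audience); // resource server client id
  for (const p of opts.permissions || []) params.append("permission", p);
  if (opts.rpt) params.append("rpt", opts.rpt);
  if (opts.responsePermissionsLimit !== undefined) {
    params.append("response_permissions_limit", String(opts.responsePermissionsLimit));
  }
  return params.toString();
}

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Read the "authorization.permissions" claim from an RPT. The claims are read
// here without signature verification: this only shapes what the UI shows.
// The data server must still validate the RPT it receives on each request.
function decodeRptPermissions(rpt) {
  const parts = rpt.split(".");
  if (parts.length !== 3) throw new Error("RPT is not a compact JWT");
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const authz = payload.authorization;
  return authz && Array.isArray(authz.permissions) ? authz.permissions : [];
}

// Combine the permission lists from the "web" and "data" RPTs, keyed by
// resource id (rsid), with scopes unioned when the same resource appears twice.
function mergePermissions(...permissionLists) {
  const byId = new Map();
  for (const p of permissionLists.flat()) {
    const entry = byId.get(p.rsid) || { rsid: p.rsid, rsname: p.rsname, scopes: [] };
    for (const s of p.scopes || []) if (!entry.scopes.includes(s)) entry.scopes.push(s);
    byId.set(p.rsid, entry);
  }
  return [...byId.values()];
}

// Conservative check for the UI: a scope counts as granted only if it is
// listed explicitly for that resource. Passing no scope asks "any access?".
function hasPermission(permissions, resourceName, scope) {
  return permissions.some(p =>
    p.rsname === resourceName &&
    (scope === undefined || (p.scopes || []).includes(scope)));
}

// Constructed sample RPT; "sig" is a placeholder, not a real signature.
function makeSampleRpt(permissions, audience) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({
    aud: audience,
    authorization: { permissions },
  }));
  return `${header}.${payload}.sig`;
}

// Walk through the two-resource-server flow from the thread, offline.
function demo() {
  const webRpt = makeSampleRpt(
    [{ rsid: "11111111-0000-0000-0000-000000000001", rsname: "Dashboard", scopes: ["view"] }],
    "web-server");
  const dataRpt = makeSampleRpt(
    [{ rsid: "22222222-0000-0000-0000-000000000002", rsname: "Report", scopes: ["view", "export"] }],
    "data-server");
  const merged = mergePermissions(decodeRptPermissions(webRpt), decodeRptPermissions(dataRpt));
  return {
    // first request after login: only what the landing page needs
    initialRequest: buildUmaTokenRequest({ clientId: "spa", audience: "data-server",
      permissions: ["Report#view"] }),
    // later: previous RPT plus the extra permission, capped in size
    incrementalRequest: buildUmaTokenRequest({ clientId: "spa", audience: "data-server",
      rpt: dataRpt, permissions: ["Invoice#view"], responsePermissionsLimit: 20 }),
    canExportReport: hasPermission(merged, "Report", "export"),
    canDeleteReport: hasPermission(merged, "Report", "delete"),
    canViewDashboard: hasPermission(merged, "Dashboard", "view"),
  };
}
```

The merge keys on rsid rather than rsname because resources on two different resource servers can share a name; the scope check deliberately denies anything not listed explicitly, so a stale or trimmed RPT (for example one returned under response_permissions_limit) fails closed in the UI and the user re-requests rather than seeing actions the data server will reject anyway.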

