[keycloak-user] Group-based permissions for resources

[Christian Stier]

Hi Pedro,

 

thank you for the helpful example and extended documentation on GitHub. My understanding is that this would rely on trusting the client’s claim that she is actually accessing the resource with the actual resource. In your example, it would rely on userA pushing the claim userB when she tries to access the resource /api/userB/salary.

 

For now I am implementing option 2) as this also offers the benefit of enabling a later refinement of access rights per organization on the Keycloak platform and in connected clients.

 

Best regards

Christian

 

From: Pedro Igor Silva <psilva at redhat.com> 
Sent: Friday, June 22, 2018 4:31 PM
To: Christian Stier <stier at fzi.de>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-based permissions for resources

 

You should be able to push arbitrary claims to your policies such as the request URI. Your policy could check if {organization} is among the groups the user is a member of. A single policy could serve for this purpose.

 

I've added more information about this in docs, the PR is about to be merged. I'm also working with a quickstart that shows how to solve a similar problem. Something like "access to /api/{user}/salary is only allowed if current user is {user}".

 

 

On Fri, Jun 22, 2018 at 5:09 AM, Christian Stier <stier at fzi.de <mailto:stier at fzi.de> > wrote:

Dear all,

I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC.

The application manages resources based on their association with user groups. Its simplified path schema is similar to
/{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to
map organizations to Keycloak user groups.

1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined
for the path /{organization}/{resourcename}? My idea here was to check if the organization path of an URL matches a scope of the
calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see
a way to check against path parameters.

2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of
group-based authorization?

Thanks for any pointers and input.

Best regards
Christian

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org> 
https://lists.jboss.org/mailman/listinfo/keycloak-user

 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7656 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180626/338c467e/attachment.bin