On Tue, Aug 14, 2018 at 6:53 AM, Doswald Alistair <alistair.doswald(a)elca.ch>
wrote:
* keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization):
this module allows the use of the client
authorization system to prevent a user who is authenticated in a Keycloak
realm from accessing a given client. It works no matter which protocol is used,
and without the client having to support any extra protocol. Note: this
solution is a bit hacky, but necessary for one of our use-cases.
Regarding this extension, if I understood it correctly, it works like this.
First from an admin perspective:
1) User creates a client and enables authorization services for it
2) User creates a resource "Keycloak Client Resource" and defines any
permission for it
From a server perspective:
1) Check if authorization services are enabled for the client to which the
user is authenticating
2) Check whether or not permission to access the client is granted
It seems that the main logic for this is at
https://github.com/cloudtrust/keycloak-authorization/blob/master/src/main/java/io/cloudtrust/keycloak/protocol/LocalAuthorizationService.java.
Is my understanding correct? Would like to know if that is how it works
today so we can start discussing alternatives.
Regards.
Pedro Igor