Re: [keycloak-user] authorization in a hierarchical context
by Pedro Igor Silva
On Mon, Jan 2, 2017 at 2:40 PM, Avinash Kundaliya <avinash(a)avinash.com.np>
wrote:
> Hello,
> I see. Is there something in the UMA spec that talks about resource hierarchy,
> or do we not have it on the server for other reasons?
> Regarding the API path, it partially matches the hierarchy but not always;
> that is why I don't want to enforce it with the URI. For example, in the
> case of animals we have /api/animal/{animal_id}.
> Is there any other approach you'd suggest?
>
AFAIK, there is nothing in the UMA spec about hierarchy of resources.
Regarding a different approach, using the path to enforce permissions on a
hierarchy was my best shot.
> Also, there is a role of a herder, who has nothing to do with the
> hierarchy but is only related to the animal, e.g. a herder of cows or a herder
> of sheep.
>
> I can add a role of herder in Keycloak and probably add the animal_type to
> the user as a custom attribute. Is it possible to register resource_sets
> with attributes, like animal type in the case of the animal resource?
>
Resources do have a type; maybe you can use this property to set
animal_type. We don't have support for custom resource attributes though.
However, that is something I think we should start supporting in Keycloak.
Maybe custom attributes could help you with the hierarchy problem too.
Would it work for you?
>
> Is there a book/resource that you could suggest to read more about
> authorization patterns? I have already read through the Keycloak guides.
>
Nothing specific, as authorization is usually very specific to a domain.
However, I usually like to search for ABAC-related material, as it usually
provides additional information and patterns that help to design more
flexible authorization systems. OWASP also provides some great material
around security in general.
>
> Regards,
> Avinash
>
> On Mon, Jan 2, 2017 at 10:12 PM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> We don't support resource hierarchy on the server so you won't be able to
>> model your resources as you described. And as you mentioned, I'm not sure
>> either if this is something we want/need to enable on the server.
>>
>> In theory, if your API is using a path/uri layout that allows you to
>> identify this hierarchy, I think you should be able to achieve what you
>> want. For instance, suppose you have:
>>
>> /api/farm/{farm_id}
>> /api/farm/{farm_id}/group/{group_id}
>> /api/farm/{farm_id}/group/{group_id}/animal/{animal_id}
>>
>> And every time you create one of the resources above (farms, groups or
>> animals) you associate a path such that you replace the patterns above
>> with the identifier of the resource. The PhotoZ example does pretty much
>> the same thing, where resources are protected by using a pattern like
>> /album/{id}. But there we only use a single pattern in a path.
>>
>> I'm just not sure if our policy enforcer is capable of dealing with
>> multiple patterns in a single path. Probably not, and probably a bug :)
>>
>> Regards,
>> Pedro Igor
>>
>> On Mon, Jan 2, 2017 at 1:47 PM, Avinash Kundaliya <avinash(a)avinash.com.np> wrote:
>>
>> Hello,
>>
>> I have a question more related to the architecture of an application and
>> if/how Keycloak would fit into it.
>>
>> The context is I have a hierarchy of resources (there is a Farm
>> resource, and the farm has many groups and a group has many animals). I
>> want the farm user to have access to everything below it (i.e. groups and
>> animals) and the group user to all the animals.
>>
>> The easiest way to do this is by doing the authorization in the resource
>> server (i.e. if the token contains a farm_owner resource, and if the
>> resource is an animal owned by a group that the farm owns, then the
>> owner gets access to it). But this somehow feels wrong, as I would like
>> to model this authorization policy (if I may call it that) in the auth
>> server/Keycloak.
>>
>> I have been looking at UMA recently as it somehow seems closest to what
>> I want to achieve. But in UMA I can only model the owner relation, but
>> not the hierarchy of it. Thus, I am not so clear on how to model such
>> relations using that as well. Probably it's not a good idea to model
>> this in the auth server.
>>
>> It would be great if there is some mechanism within Keycloak to model
>> such relations or authorization structures. As of now, we do plan to use
>> Keycloak for authentication and possibly pass roles if any would make
>> sense.
>>
>> Thanks for the help in advance, and I hope I have been able to explain
>> my issue clearly.
>>
>> Regards,
>> Avinash
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
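The path-based approach Pedro describes, as an added example that is not part of the thread or of Keycloak: it matches a request path against the three farm/group/animal templates from the message (several placeholders in one path), derives the chain of resource URIs from the farm down to the animal, and permits a request when the caller's token grants the resource itself or any ancestor. The template registry and the token contents are constructed sample data, and segment-wise matching is used so a permission on farm 7 cannot leak to farm 77.

```python
import re

# Resource URI templates from the thread (constructed registry, not Keycloak's API).
TEMPLATES = [
    "/api/farm/{farm_id}",
    "/api/farm/{farm_id}/group/{group_id}",
    "/api/farm/{farm_id}/group/{group_id}/animal/{animal_id}",
]
PLACEHOLDER = re.compile(r"\{(\w+)\}")

def template_to_regex(template):
    # Each {name} becomes a named group matching exactly one path segment, so a
    # permission on /api/farm/7 cannot leak to /api/farm/77 (no string-prefix test).
    return re.compile("^" + PLACEHOLDER.sub(r"(?P<\1>[^/]+)", template) + "$")

def match_path(path):
    """Return (template, params) for the template matching the request path, else None."""
    for template in TEMPLATES:
        m = template_to_regex(template).match(path)
        if m:
            return template, m.groupdict()
    return None

def resource_chain(path):
    """Resource URIs from the root of the hierarchy down to the requested one.

    /api/farm/7/group/3/animal/42 -> ['/api/farm/7', '/api/farm/7/group/3',
    '/api/farm/7/group/3/animal/42']; a path outside the registry gives [].
    """
    matched = match_path(path)
    if matched is None:
        return []
    template, params = matched
    chain = []
    for t in TEMPLATES:  # templates are listed parent-first
        if all(name in params for name in PLACEHOLDER.findall(t)):
            chain.append(t.format(**params))
        if t == template:
            break
    return chain

def is_permitted(path, granted_resources):
    """True if the caller's token grants the resource itself or any ancestor.

    granted_resources is a set of resource URIs (constructed here; with Keycloak
    they would be the permissions carried in the RPT). Unknown paths are denied.
    """
    return any(uri in granted_resources for uri in resource_chain(path))
```

A farm owner holding `/api/farm/7` is permitted on `/api/farm/7/group/3/animal/42`, while a group user holding `/api/farm/7/group/3` is denied on `/api/farm/7` and on animals of other groups.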
can we use authorization with bearer-only?
by uğur kolip
Can we use bearer-only with authorization?
If it can be, how can we use it? Are there any examples?
When I try to use it with the photoz example, I get bad request (or 403, I am not
sure, I changed a lot of things).
Because I don't want redirects or stored sessions, it can be used by mobile
apps.
Thank you for helping
Some questions about user authentication with external IDP
by Reed Lewis
We are planning on using Keycloak to authenticate users in our environment. There will be multiple sources of user logins.
1. Local to Keycloak
2. Using a Federation provider to pull accounts from on a one time basis (The first time the user logs in they will authenticate using the p/w in the Federation server, and subsequent logins will occur entirely in Keycloak)
3. Using a third party IDP (Like Microsoft/ Google/ etc.) But the initial source of these accounts might be local in keycloak.
I of course can do #1, and know how to do #2. For #3 I have the external 3rd party IDP working.
But what we would like to have is this:
1. A user goes to a form in which they enter the username only.
2. If the user is new, it asks them to create an account.
3. If the user is new, but we know the login to be associated with a third-party IDP, we go there and link the account.
4. If the user is not new, and if they are linked to a third-party IDP, it automatically loads that IDP page without having to pick that login.
Here is the workflow we are thinking of.
An admin adds a list of accounts (either CSV, or some other way) into Keycloak, but it says that all these accounts need to be authenticated by some third-party IDP. So when a user logs into Keycloak and enters their password, it automatically redirects the user to the 3rd party IDP and then associates the local Keycloak login with the IDP without having to do too much.
Does this make sense?
Reed Lewis
Can I create the bearer token by administrator on behalf of other users?
by Michael Furman
Hi,
I need to create the bearer token by admin on behalf of other users.
I mean:
1. I have admin user and password.
2. I have the user name (e.g. bob).
3. I want to create the bearer token and to access the bearer client.
4. When I access the bearer client with the bearer token it authenticates user (e.g. bob).
How can I do it?
Thank you for your help,
Michael
user group management from servlet app
by smichea@gmail.com
Hi all,
Is there a way to access/manage groups of a user from the KeycloakSecurityContext obtained in a servlet?
Thank you,
Sebastien
Best way to add custom attributes to the user session?
by Edgar Vonk - Info.nl
Hi,
We would like to add custom attributes (using custom logic including custom database queries) to the user session in Keycloak on authentication. What is the best way to do this? We use an LDAP/AD user federation provider.
Should we write a custom user attribute mapper and add it to our user federation provider? I guess we could also write a custom token mapper and misuse it a little, in that it will only add data to the user session and not to the token?
Previously we had a custom token mapper that added this custom data to the token; however, it is becoming too much data and we have reached the max size limit (JWT tokens are transported as HTTP headers and those have a max size of 8kb). So now we are thinking of adding this data to the user session in Keycloak and, when we need it later on, getting it from Keycloak using Keycloak’s REST API.
cheers
User federation from multiple LDAP servers
by Georgijs Radovs
Hello everyone!
Is it possible to set up User Federation from multiple replicating LDAP
servers?
For example:
We have 2 FreeIPA servers, which are replicating between each other.
And, we have 2 Keycloak servers in standalone-ha mode, using S3_PING
session failover.
How do we add the second FreeIPA server to User Federation?
We've tried to add the second LDAP server in User Federation and set a lower
priority for it, but when user account sync happens, the Keycloak server
shows that the user account from FreeIPA server 2 is already linked to
FreeIPA server 1.
Passing Data to Registration Fields
by Raghu Laghuvaram
I am trying to use the direct registration link and I want to pass some of the
fields from my application. Is it possible to pass fields such as First
Name, Last Name and other custom fields if needed?
Thanks,
Deepu