6:39 p.m.
Hi,
I am very new to Keycloak. I have a RESTful API implemented with json:api
<https://jsonapi.org/> spec which I want to secure using Keycloak.
I just want to ask the Keycloak community for best practices when it comes
to securing RESTful APIs.
My endpoints will be something like:
GET /api/books --> return all books the user has access for
GET /api/books/123 --> return book with id = 123
My challenge now is to figure out how to define resources in Keycloak.
Should I add all my books as resources to Keycloak? And then define the
permission between each user and resource?
What would be the best practice to implement "GET /api/books" to return
only the books the logged in user has access to? Should I query the
Keycloak API to get all the resources the logged in user has access to, in
the backend?
Thanks
Farzad
7:06 p.m.
Hi Farzad, have you tried one of our quickstarts[1]? I believe they may be
helpful.
[1] - https://github.com/keycloak/keycloak-quickstarts
On Thu, May 16, 2019, 8:40 PM Farzad Panahi <farzad.panahi(a)gmail.com> wrote:
Hi,
I am very new to Keycloak. I have a RESTful API implemented with json:api
<https://jsonapi.org/> spec which I want to secure using Keycloak.
I just want to ask the Keycloak community for best practices when it comes
to securing RESTful APIs.
My endpoints will be something like:
GET /api/books --> return all books the user has access for
GET /api/books/123 --> return book with id = 123
My challenge now is to figure out how to define resources in Keycloak.
Should I add all my books as resources to Keycloak? And then define the
permission between each user and resource?
What would be the best practice to implement "GET /api/books" to return
only the books the logged in user has access to? Should I query the
Keycloak API to get all the resources the logged in user has access to, in
the backend?
Thanks
Farzad
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:32 p.m.
Tnx Bruno.
I looked into the REST examples. They are good examples but they are
simple.
I am looking for best practices for a bit more sophisticated scenario where
each user has a dynamic set of resources associate with it.
What would be the best practices to do this sort of mapping in Keycloak? To
add every individual resource into Keycloak and define individual
permissions?
On Thu, May 16, 2019 at 5:06 PM Bruno Oliveira <bruno(a)abstractj.org> wrote:
Hi Farzad, have you tried one of our quickstarts[1]? I believe they
may be
helpful.
[1] - https://github.com/keycloak/keycloak-quickstarts
On Thu, May 16, 2019, 8:40 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Hi,
>
> I am very new to Keycloak. I have a RESTful API implemented with json:api
> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>
> I just want to ask the Keycloak community for best practices when it comes
> to securing RESTful APIs.
>
> My endpoints will be something like:
> GET /api/books --> return all books the user has access for
> GET /api/books/123 --> return book with id = 123
>
> My challenge now is to figure out how to define resources in Keycloak.
> Should I add all my books as resources to Keycloak? And then define the
> permission between each user and resource?
>
> What would be the best practice to implement "GET /api/books" to return
> only the books the logged in user has access to? Should I query the
> Keycloak API to get all the resources the logged in user has access to, in
> the backend?
>
> Thanks
>
> Farzad
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
8:50 a.m.
Hi Farzad,
How do you check if a user has access to a book ? Is the user the book
owner or you have more conditions that should be taken into account to
grant access to books ?
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Hi,
I am very new to Keycloak. I have a RESTful API implemented with json:api
<https://jsonapi.org/> spec which I want to secure using Keycloak.
I just want to ask the Keycloak community for best practices when it comes
to securing RESTful APIs.
My endpoints will be something like:
GET /api/books --> return all books the user has access for
GET /api/books/123 --> return book with id = 123
My challenge now is to figure out how to define resources in Keycloak.
Should I add all my books as resources to Keycloak? And then define the
permission between each user and resource?
What would be the best practice to implement "GET /api/books" to return
only the books the logged in user has access to? Should I query the
Keycloak API to get all the resources the logged in user has access to, in
the backend?
Thanks
Farzad
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:41 a.m.
Hi Pedro,
The user is not the book owner. You can think about it this way that if B
is the set of all books then each user has access to a subset of B such
that these subsets are not mutually exclusive and do overlap.
On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
wrote:
Hi Farzad,
How do you check if a user has access to a book ? Is the user the book
owner or you have more conditions that should be taken into account to
grant access to books ?
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Hi,
>
> I am very new to Keycloak. I have a RESTful API implemented with json:api
> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>
> I just want to ask the Keycloak community for best practices when it comes
> to securing RESTful APIs.
>
> My endpoints will be something like:
> GET /api/books --> return all books the user has access for
> GET /api/books/123 --> return book with id = 123
>
> My challenge now is to figure out how to define resources in Keycloak.
> Should I add all my books as resources to Keycloak? And then define the
> permission between each user and resource?
>
> What would be the best practice to implement "GET /api/books" to return
> only the books the logged in user has access to? Should I query the
> Keycloak API to get all the resources the logged in user has access to, in
> the backend?
>
> Thanks
>
> Farzad
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
1:45 p.m.
Sorry, but is still not clear to me how a "user has access to a subset of
B" is this access based on roles, groups or any other information that you
gather from the context ? I'm wondering if this is not a business rule
instead ....
On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Hi Pedro,
The user is not the book owner. You can think about it this way that if B
is the set of all books then each user has access to a subset of B such
that these subsets are not mutually exclusive and do overlap.
On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
wrote:
> Hi Farzad,
>
> How do you check if a user has access to a book ? Is the user the book
> owner or you have more conditions that should be taken into account to
> grant access to books ?
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>
>
> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Hi,
>>
>> I am very new to Keycloak. I have a RESTful API implemented with json:api
>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>
>> I just want to ask the Keycloak community for best practices when it
>> comes
>> to securing RESTful APIs.
>>
>> My endpoints will be something like:
>> GET /api/books --> return all books the user has access for
>> GET /api/books/123 --> return book with id = 123
>>
>> My challenge now is to figure out how to define resources in Keycloak.
>> Should I add all my books as resources to Keycloak? And then define the
>> permission between each user and resource?
>>
>> What would be the best practice to implement "GET /api/books" to
return
>> only the books the logged in user has access to? Should I query the
>> Keycloak API to get all the resources the logged in user has access to,
>> in
>> the backend?
>>
>> Thanks
>>
>> Farzad
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
3:21 p.m.
This is exactly where I want to use Keycloak to set this business
rule/mapping. Basically I need to associate each user with a subset of B
(books) to which the user has access to. This association is not based on
roles or groups. It is based on individual users.
That's why I was thinking that the only way I can think of doing this to
add every individual book as a resource in Keycloak and then I have to
create a permission for each of them to grant access to any individual user.
It would help if Keycloak had a concept like a resource group I guess. Then
I could put all those resources in a resource group and grant access to
that resource group for an individual user.
Then in order to see which resources each user has access to, I need to
query Keycloak somehow (I need to figure out how exactly) and get the
resources that user has access to, and return only those resources for that
user.
That's what I can think of right now. I am just wondering if there is a
better way to do this sort of resource oriented access control where each
user has access to specific set of resources only.
On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Sorry, but is still not clear to me how a "user has access to a
subset of
B" is this access based on roles, groups or any other information that you
gather from the context ? I'm wondering if this is not a business rule
instead ....
On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Hi Pedro,
>
> The user is not the book owner. You can think about it this way that if B
> is the set of all books then each user has access to a subset of B such
> that these subsets are not mutually exclusive and do overlap.
>
> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
> wrote:
>
>> Hi Farzad,
>>
>> How do you check if a user has access to a book ? Is the user the book
>> owner or you have more conditions that should be taken into account to
>> grant access to books ?
>>
>> [1]
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>
>>
>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am very new to Keycloak. I have a RESTful API implemented with
>>> json:api
>>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>>
>>> I just want to ask the Keycloak community for best practices when it
>>> comes
>>> to securing RESTful APIs.
>>>
>>> My endpoints will be something like:
>>> GET /api/books --> return all books the user has access for
>>> GET /api/books/123 --> return book with id = 123
>>>
>>> My challenge now is to figure out how to define resources in Keycloak.
>>> Should I add all my books as resources to Keycloak? And then define the
>>> permission between each user and resource?
>>>
>>> What would be the best practice to implement "GET /api/books" to
return
>>> only the books the logged in user has access to? Should I query the
>>> Keycloak API to get all the resources the logged in user has access to,
>>> in
>>> the backend?
>>>
>>> Thanks
>>>
>>> Farzad
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
12:59 p.m.
Any hint or example project to look at would really help to put me in the
right direction.
Should I post this question with a better and more specific title with more
elaborate body to present the question better?
On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi(a)gmail.com>
wrote:
This is exactly where I want to use Keycloak to set this business
rule/mapping. Basically I need to associate each user with a subset of B
(books) to which the user has access to. This association is not based on
roles or groups. It is based on individual users.
That's why I was thinking that the only way I can think of doing this to
add every individual book as a resource in Keycloak and then I have to
create a permission for each of them to grant access to any individual user.
It would help if Keycloak had a concept like a resource group I guess.
Then I could put all those resources in a resource group and grant access
to that resource group for an individual user.
Then in order to see which resources each user has access to, I need to
query Keycloak somehow (I need to figure out how exactly) and get the
resources that user has access to, and return only those resources for that
user.
That's what I can think of right now. I am just wondering if there is a
better way to do this sort of resource oriented access control where each
user has access to specific set of resources only.
On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Sorry, but is still not clear to me how a "user has access to a subset of
> B" is this access based on roles, groups or any other information that you
> gather from the context ? I'm wondering if this is not a business rule
> instead ....
>
> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Hi Pedro,
>>
>> The user is not the book owner. You can think about it this way that if
>> B is the set of all books then each user has access to a subset of B such
>> that these subsets are not mutually exclusive and do overlap.
>>
>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
>> wrote:
>>
>>> Hi Farzad,
>>>
>>> How do you check if a user has access to a book ? Is the user the book
>>> owner or you have more conditions that should be taken into account to
>>> grant access to books ?
>>>
>>> [1]
>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>>
>>>
>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi
<farzad.panahi(a)gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am very new to Keycloak. I have a RESTful API implemented with
>>>> json:api
>>>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>>>
>>>> I just want to ask the Keycloak community for best practices when it
>>>> comes
>>>> to securing RESTful APIs.
>>>>
>>>> My endpoints will be something like:
>>>> GET /api/books --> return all books the user has access for
>>>> GET /api/books/123 --> return book with id = 123
>>>>
>>>> My challenge now is to figure out how to define resources in Keycloak.
>>>> Should I add all my books as resources to Keycloak? And then define the
>>>> permission between each user and resource?
>>>>
>>>> What would be the best practice to implement "GET /api/books"
to return
>>>> only the books the logged in user has access to? Should I query the
>>>> Keycloak API to get all the resources the logged in user has access
>>>> to, in
>>>> the backend?
>>>>
>>>> Thanks
>>>>
>>>> Farzad
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
1:34 p.m.
Hi Farzad,
Sorry for the late reply.
Our authorization model is targeted for enforcing security-related
constraints, not business rules. Maybe you could consider Drools/BRMS.
Some time ago we had a discussion about data filtering and how to fetch
resources based on policy decisions. If you look at our documentation [1]
you'll see that policies can push arbitrary claims back to your application
when granting access to a permission. This capability allows you to send a
specific claim along with the permission that represents some filter that
you can use to query your database.
As a result, you'll have within your token something like:
"permissions": [
{
"resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
"resource_name": "Book Resource",
"claims": ["data.filter": ["book.type = 'foo' or
book.type = 'bar'"]]
}
]
We do have a "resource group" concept. Resources can have a type and you
can also have a single resource representing a set of one or more "real"
resources.
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Any hint or example project to look at would really help to put me in
the
right direction.
Should I post this question with a better and more specific title with more
elaborate body to present the question better?
On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi(a)gmail.com>
wrote:
> This is exactly where I want to use Keycloak to set this business
> rule/mapping. Basically I need to associate each user with a subset of B
> (books) to which the user has access to. This association is not based on
> roles or groups. It is based on individual users.
> That's why I was thinking that the only way I can think of doing this to
> add every individual book as a resource in Keycloak and then I have to
> create a permission for each of them to grant access to any individual
user.
> It would help if Keycloak had a concept like a resource group I guess.
> Then I could put all those resources in a resource group and grant access
> to that resource group for an individual user.
> Then in order to see which resources each user has access to, I need to
> query Keycloak somehow (I need to figure out how exactly) and get the
> resources that user has access to, and return only those resources for
that
> user.
>
> That's what I can think of right now. I am just wondering if there is a
> better way to do this sort of resource oriented access control where each
> user has access to specific set of resources only.
>
>
>
> On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Sorry, but is still not clear to me how a "user has access to a subset
of
>> B" is this access based on roles, groups or any other information that
you
>> gather from the context ? I'm wondering if this is not a business rule
>> instead ....
>>
>> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
>> wrote:
>>
>>> Hi Pedro,
>>>
>>> The user is not the book owner. You can think about it this way that if
>>> B is the set of all books then each user has access to a subset of B
such
>>> that these subsets are not mutually exclusive and do overlap.
>>>
>>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva,
<psilva(a)redhat.com>
>>> wrote:
>>>
>>>> Hi Farzad,
>>>>
>>>> How do you check if a user has access to a book ? Is the user the book
>>>> owner or you have more conditions that should be taken into account to
>>>> grant access to books ?
>>>>
>>>> [1]
>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>>>
>>>>
>>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
farzad.panahi(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am very new to Keycloak. I have a RESTful API implemented with
>>>>> json:api
>>>>> <https://jsonapi.org/> spec which I want to secure using
Keycloak.
>>>>>
>>>>> I just want to ask the Keycloak community for best practices when
it
>>>>> comes
>>>>> to securing RESTful APIs.
>>>>>
>>>>> My endpoints will be something like:
>>>>> GET /api/books --> return all books the user has access for
>>>>> GET /api/books/123 --> return book with id = 123
>>>>>
>>>>> My challenge now is to figure out how to define resources in
Keycloak.
>>>>> Should I add all my books as resources to Keycloak? And then define
the
>>>>> permission between each user and resource?
>>>>>
>>>>> What would be the best practice to implement "GET
/api/books" to
return
>>>>> only the books the logged in user has access to? Should I query the
>>>>> Keycloak API to get all the resources the logged in user has access
>>>>> to, in
>>>>> the backend?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Farzad
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:41 p.m.
Thanks Pedro. I really appreciate your reply.
I think arbitrary claims are what I need to pass the filtering required to
the backend (if I can generate those claims). Also resource types look
interesting. I think as you said I can use that to group my resources.
These two should solve my problems at hand.
That would be also great if you could elaborate on what you meant by
"security constraints" vs "business rules". I just want to have a
better
understanding of Keycloak.
My understanding is that Keycloak is an identity and "access management"
system. And when it comes to "access management" my understanding is that
it means "who" has "what" access to "which" resource under
"what
conditions".
If this definition is true, wouldn't "who has access to which resources" be
a security constraint under Keycloak's authorization model?
As you said I might need to look into other solutions but I before I do
that I want to make sure I really cannot do what I want to do with Keycloak
and I really cannot implement my requirements under Keycloal's
authorization model, since I have already happily invested lots of time on
Keycloak :)
On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi Farzad,
Sorry for the late reply.
Our authorization model is targeted for enforcing security-related
constraints, not business rules. Maybe you could consider Drools/BRMS.
Some time ago we had a discussion about data filtering and how to fetch
resources based on policy decisions. If you look at our documentation [1]
you'll see that policies can push arbitrary claims back to your application
when granting access to a permission. This capability allows you to send a
specific claim along with the permission that represents some filter that
you can use to query your database.
As a result, you'll have within your token something like:
"permissions": [
{
"resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
"resource_name": "Book Resource",
"claims": ["data.filter": ["book.type = 'foo' or
book.type = 'bar'"]]
}
]
We do have a "resource group" concept. Resources can have a type and you
can also have a single resource representing a set of one or more "real"
resources.
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Any hint or example project to look at would really help to put me in the
> right direction.
>
> Should I post this question with a better and more specific title with
> more
> elaborate body to present the question better?
>
> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi(a)gmail.com>
> wrote:
>
> > This is exactly where I want to use Keycloak to set this business
> > rule/mapping. Basically I need to associate each user with a subset of B
> > (books) to which the user has access to. This association is not based
> on
> > roles or groups. It is based on individual users.
> > That's why I was thinking that the only way I can think of doing this to
> > add every individual book as a resource in Keycloak and then I have to
> > create a permission for each of them to grant access to any individual
> user.
> > It would help if Keycloak had a concept like a resource group I guess.
> > Then I could put all those resources in a resource group and grant
> access
> > to that resource group for an individual user.
> > Then in order to see which resources each user has access to, I need to
> > query Keycloak somehow (I need to figure out how exactly) and get the
> > resources that user has access to, and return only those resources for
> that
> > user.
> >
> > That's what I can think of right now. I am just wondering if there is a
> > better way to do this sort of resource oriented access control where
> each
> > user has access to specific set of resources only.
> >
> >
> >
> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva(a)redhat.com>
> > wrote:
> >
> >> Sorry, but is still not clear to me how a "user has access to a subset
> of
> >> B" is this access based on roles, groups or any other information that
> you
> >> gather from the context ? I'm wondering if this is not a business rule
> >> instead ....
> >>
> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi(a)gmail.com
> >
> >> wrote:
> >>
> >>> Hi Pedro,
> >>>
> >>> The user is not the book owner. You can think about it this way that
> if
> >>> B is the set of all books then each user has access to a subset of B
> such
> >>> that these subsets are not mutually exclusive and do overlap.
> >>>
> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva,
<psilva(a)redhat.com
> >
> >>> wrote:
> >>>
> >>>> Hi Farzad,
> >>>>
> >>>> How do you check if a user has access to a book ? Is the user the
> book
> >>>> owner or you have more conditions that should be taken into account
> to
> >>>> grant access to books ?
> >>>>
> >>>> [1]
> >>>>
> https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
> >>>>
> >>>>
> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
> farzad.panahi(a)gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> I am very new to Keycloak. I have a RESTful API implemented
with
> >>>>> json:api
> >>>>> <https://jsonapi.org/> spec which I want to secure using
Keycloak.
> >>>>>
> >>>>> I just want to ask the Keycloak community for best practices
when it
> >>>>> comes
> >>>>> to securing RESTful APIs.
> >>>>>
> >>>>> My endpoints will be something like:
> >>>>> GET /api/books --> return all books the user has access for
> >>>>> GET /api/books/123 --> return book with id = 123
> >>>>>
> >>>>> My challenge now is to figure out how to define resources in
> Keycloak.
> >>>>> Should I add all my books as resources to Keycloak? And then
define
> the
> >>>>> permission between each user and resource?
> >>>>>
> >>>>> What would be the best practice to implement "GET
/api/books" to
> return
> >>>>> only the books the logged in user has access to? Should I query
the
> >>>>> Keycloak API to get all the resources the logged in user has
access
> >>>>> to, in
> >>>>> the backend?
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> Farzad
> >>>>> _______________________________________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user(a)lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>
> >>>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
7:12 a.m.
Sure. I'm not telling you that you should not use us to address your
requirements, but that you should take into account whether or not you are
using our authorization capabilities to process business rules, which is
not our focus. I wanted to let you know about other projects that are
targeted for this type of work. Sometimes, the borderline between security
constraints and business rules are very clear when you are externalizing
authorization from your application.
But yeah, I think both approaches can work for you. The data filter
approach is could be very handy in order to filter resources that users can
access. So if you are able to group your users into groups and then write
policies that push back a claim based on the user membership, then you
should be able to keep your policies simple. This is probably the optimal
solution because it avoids additional requests from the server for checking
whether or not the user has access to a resource.
On the other hand, you can use resource types. Or even have resources in
Keycloak that represent your different resource sets. Based on the
permissions within the token you should also be able to build the query
accordingly in your application.
On Tue, May 21, 2019 at 6:41 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Thanks Pedro. I really appreciate your reply.
I think arbitrary claims are what I need to pass the filtering required to
the backend (if I can generate those claims). Also resource types look
interesting. I think as you said I can use that to group my resources.
These two should solve my problems at hand.
That would be also great if you could elaborate on what you meant by
"security constraints" vs "business rules". I just want to have a
better
understanding of Keycloak.
My understanding is that Keycloak is an identity and "access management"
system. And when it comes to "access management" my understanding is that
it means "who" has "what" access to "which" resource under
"what
conditions".
If this definition is true, wouldn't "who has access to which resources"
be a security constraint under Keycloak's authorization model?
As you said I might need to look into other solutions but I before I do
that I want to make sure I really cannot do what I want to do with Keycloak
and I really cannot implement my requirements under Keycloal's
authorization model, since I have already happily invested lots of time on
Keycloak :)
On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Hi Farzad,
>
> Sorry for the late reply.
>
> Our authorization model is targeted for enforcing security-related
> constraints, not business rules. Maybe you could consider Drools/BRMS.
>
> Some time ago we had a discussion about data filtering and how to fetch
> resources based on policy decisions. If you look at our documentation [1]
> you'll see that policies can push arbitrary claims back to your application
> when granting access to a permission. This capability allows you to send a
> specific claim along with the permission that represents some filter that
> you can use to query your database.
>
> As a result, you'll have within your token something like:
>
> "permissions": [
> {
> "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
> "resource_name": "Book Resource",
> "claims": ["data.filter": ["book.type = 'foo'
or book.type =
> 'bar'"]]
> }
> ]
>
> We do have a "resource group" concept. Resources can have a type and you
> can also have a single resource representing a set of one or more "real"
> resources.
>
> [1]
>
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
>
> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Any hint or example project to look at would really help to put me in the
>> right direction.
>>
>> Should I post this question with a better and more specific title with
>> more
>> elaborate body to present the question better?
>>
>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi(a)gmail.com
>> >
>> wrote:
>>
>> > This is exactly where I want to use Keycloak to set this business
>> > rule/mapping. Basically I need to associate each user with a subset of
>> B
>> > (books) to which the user has access to. This association is not based
>> on
>> > roles or groups. It is based on individual users.
>> > That's why I was thinking that the only way I can think of doing this
>> to
>> > add every individual book as a resource in Keycloak and then I have to
>> > create a permission for each of them to grant access to any individual
>> user.
>> > It would help if Keycloak had a concept like a resource group I guess.
>> > Then I could put all those resources in a resource group and grant
>> access
>> > to that resource group for an individual user.
>> > Then in order to see which resources each user has access to, I need to
>> > query Keycloak somehow (I need to figure out how exactly) and get the
>> > resources that user has access to, and return only those resources for
>> that
>> > user.
>> >
>> > That's what I can think of right now. I am just wondering if there is a
>> > better way to do this sort of resource oriented access control where
>> each
>> > user has access to specific set of resources only.
>> >
>> >
>> >
>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva(a)redhat.com>
>> > wrote:
>> >
>> >> Sorry, but is still not clear to me how a "user has access to a
>> subset of
>> >> B" is this access based on roles, groups or any other information
>> that you
>> >> gather from the context ? I'm wondering if this is not a business
rule
>> >> instead ....
>> >>
>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>> farzad.panahi(a)gmail.com>
>> >> wrote:
>> >>
>> >>> Hi Pedro,
>> >>>
>> >>> The user is not the book owner. You can think about it this way
that
>> if
>> >>> B is the set of all books then each user has access to a subset of
B
>> such
>> >>> that these subsets are not mutually exclusive and do overlap.
>> >>>
>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <
>> psilva(a)redhat.com>
>> >>> wrote:
>> >>>
>> >>>> Hi Farzad,
>> >>>>
>> >>>> How do you check if a user has access to a book ? Is the user
the
>> book
>> >>>> owner or you have more conditions that should be taken into
account
>> to
>> >>>> grant access to books ?
>> >>>>
>> >>>> [1]
>> >>>>
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>> >>>>
>> >>>>
>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
>> farzad.panahi(a)gmail.com>
>> >>>> wrote:
>> >>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> I am very new to Keycloak. I have a RESTful API implemented
with
>> >>>>> json:api
>> >>>>> <https://jsonapi.org/> spec which I want to secure
using Keycloak.
>> >>>>>
>> >>>>> I just want to ask the Keycloak community for best practices
when
>> it
>> >>>>> comes
>> >>>>> to securing RESTful APIs.
>> >>>>>
>> >>>>> My endpoints will be something like:
>> >>>>> GET /api/books --> return all books the user has access
for
>> >>>>> GET /api/books/123 --> return book with id = 123
>> >>>>>
>> >>>>> My challenge now is to figure out how to define resources
in
>> Keycloak.
>> >>>>> Should I add all my books as resources to Keycloak? And
then
>> define the
>> >>>>> permission between each user and resource?
>> >>>>>
>> >>>>> What would be the best practice to implement "GET
/api/books" to
>> return
>> >>>>> only the books the logged in user has access to? Should I
query the
>> >>>>> Keycloak API to get all the resources the logged in user has
access
>> >>>>> to, in
>> >>>>> the backend?
>> >>>>>
>> >>>>> Thanks
>> >>>>>
>> >>>>> Farzad
>> >>>>> _______________________________________________
>> >>>>> keycloak-user mailing list
>> >>>>> keycloak-user(a)lists.jboss.org
>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>
>> >>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
1:27 a.m.
Thanks Pedro.
I am thinking to fetch all the permissions granted for the user and from
there I can get all the resource names (books) and scopes user has access
for.
I have done this by getting the RPT from the Protection API in the backend
and iteration over the "permissions". But I am thinking to cut a round-trip
request and do this in the policy and push the resource names (with granted
permission) as an arbitrary claim. But as far as I understand I only have
access to Evaluation instance in the policy. Is there a way to get all the
"permissions granted" for a user, in the policy?
Cheers
Farzad
On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Sure. I'm not telling you that you should not use us to address
your
requirements, but that you should take into account whether or not you are
using our authorization capabilities to process business rules, which is
not our focus. I wanted to let you know about other projects that are
targeted for this type of work. Sometimes, the borderline between security
constraints and business rules are very clear when you are externalizing
authorization from your application.
But yeah, I think both approaches can work for you. The data filter
approach is could be very handy in order to filter resources that users can
access. So if you are able to group your users into groups and then write
policies that push back a claim based on the user membership, then you
should be able to keep your policies simple. This is probably the optimal
solution because it avoids additional requests from the server for checking
whether or not the user has access to a resource.
On the other hand, you can use resource types. Or even have resources in
Keycloak that represent your different resource sets. Based on the
permissions within the token you should also be able to build the query
accordingly in your application.
On Tue, May 21, 2019 at 6:41 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Thanks Pedro. I really appreciate your reply.
>
> I think arbitrary claims are what I need to pass the filtering required
> to the backend (if I can generate those claims). Also resource types look
> interesting. I think as you said I can use that to group my resources.
> These two should solve my problems at hand.
>
> That would be also great if you could elaborate on what you meant by
> "security constraints" vs "business rules". I just want to have a
better
> understanding of Keycloak.
> My understanding is that Keycloak is an identity and "access management"
> system. And when it comes to "access management" my understanding is that
> it means "who" has "what" access to "which" resource
under "what
> conditions".
> If this definition is true, wouldn't "who has access to which
resources"
> be a security constraint under Keycloak's authorization model?
>
> As you said I might need to look into other solutions but I before I do
> that I want to make sure I really cannot do what I want to do with Keycloak
> and I really cannot implement my requirements under Keycloal's
> authorization model, since I have already happily invested lots of time on
> Keycloak :)
>
>
>
> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi Farzad,
>>
>> Sorry for the late reply.
>>
>> Our authorization model is targeted for enforcing security-related
>> constraints, not business rules. Maybe you could consider Drools/BRMS.
>>
>> Some time ago we had a discussion about data filtering and how to fetch
>> resources based on policy decisions. If you look at our documentation [1]
>> you'll see that policies can push arbitrary claims back to your application
>> when granting access to a permission. This capability allows you to send a
>> specific claim along with the permission that represents some filter that
>> you can use to query your database.
>>
>> As a result, you'll have within your token something like:
>>
>> "permissions": [
>> {
>> "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
>> "resource_name": "Book Resource",
>> "claims": ["data.filter": ["book.type =
'foo' or book.type =
>> 'bar'"]]
>> }
>> ]
>>
>> We do have a "resource group" concept. Resources can have a type and
you
>> can also have a single resource representing a set of one or more
"real"
>> resources.
>>
>> [1]
>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
>>
>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi(a)gmail.com>
>> wrote:
>>
>>> Any hint or example project to look at would really help to put me in
>>> the
>>> right direction.
>>>
>>> Should I post this question with a better and more specific title with
>>> more
>>> elaborate body to present the question better?
>>>
>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <
>>> farzad.panahi(a)gmail.com>
>>> wrote:
>>>
>>> > This is exactly where I want to use Keycloak to set this business
>>> > rule/mapping. Basically I need to associate each user with a subset
>>> of B
>>> > (books) to which the user has access to. This association is not
>>> based on
>>> > roles or groups. It is based on individual users.
>>> > That's why I was thinking that the only way I can think of doing
this
>>> to
>>> > add every individual book as a resource in Keycloak and then I have to
>>> > create a permission for each of them to grant access to any
>>> individual user.
>>> > It would help if Keycloak had a concept like a resource group I guess.
>>> > Then I could put all those resources in a resource group and grant
>>> access
>>> > to that resource group for an individual user.
>>> > Then in order to see which resources each user has access to, I need
>>> to
>>> > query Keycloak somehow (I need to figure out how exactly) and get the
>>> > resources that user has access to, and return only those resources
>>> for that
>>> > user.
>>> >
>>> > That's what I can think of right now. I am just wondering if there
is
>>> a
>>> > better way to do this sort of resource oriented access control where
>>> each
>>> > user has access to specific set of resources only.
>>> >
>>> >
>>> >
>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva
<psilva(a)redhat.com>
>>> > wrote:
>>> >
>>> >> Sorry, but is still not clear to me how a "user has access to
a
>>> subset of
>>> >> B" is this access based on roles, groups or any other
information
>>> that you
>>> >> gather from the context ? I'm wondering if this is not a
business
>>> rule
>>> >> instead ....
>>> >>
>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>>> farzad.panahi(a)gmail.com>
>>> >> wrote:
>>> >>
>>> >>> Hi Pedro,
>>> >>>
>>> >>> The user is not the book owner. You can think about it this way
>>> that if
>>> >>> B is the set of all books then each user has access to a subset
of
>>> B such
>>> >>> that these subsets are not mutually exclusive and do overlap.
>>> >>>
>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <
>>> psilva(a)redhat.com>
>>> >>> wrote:
>>> >>>
>>> >>>> Hi Farzad,
>>> >>>>
>>> >>>> How do you check if a user has access to a book ? Is the
user the
>>> book
>>> >>>> owner or you have more conditions that should be taken into
>>> account to
>>> >>>> grant access to books ?
>>> >>>>
>>> >>>> [1]
>>> >>>>
>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>> >>>>
>>> >>>>
>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
>>> farzad.panahi(a)gmail.com>
>>> >>>> wrote:
>>> >>>>
>>> >>>>> Hi,
>>> >>>>>
>>> >>>>> I am very new to Keycloak. I have a RESTful API
implemented with
>>> >>>>> json:api
>>> >>>>> <https://jsonapi.org/> spec which I want to secure
using
>>> Keycloak.
>>> >>>>>
>>> >>>>> I just want to ask the Keycloak community for best
practices when
>>> it
>>> >>>>> comes
>>> >>>>> to securing RESTful APIs.
>>> >>>>>
>>> >>>>> My endpoints will be something like:
>>> >>>>> GET /api/books --> return all books the user has
access for
>>> >>>>> GET /api/books/123 --> return book with id = 123
>>> >>>>>
>>> >>>>> My challenge now is to figure out how to define
resources in
>>> Keycloak.
>>> >>>>> Should I add all my books as resources to Keycloak? And
then
>>> define the
>>> >>>>> permission between each user and resource?
>>> >>>>>
>>> >>>>> What would be the best practice to implement "GET
/api/books" to
>>> return
>>> >>>>> only the books the logged in user has access to? Should
I query
>>> the
>>> >>>>> Keycloak API to get all the resources the logged in user
has
>>> access
>>> >>>>> to, in
>>> >>>>> the backend?
>>> >>>>>
>>> >>>>> Thanks
>>> >>>>>
>>> >>>>> Farzad
>>> >>>>> _______________________________________________
>>> >>>>> keycloak-user mailing list
>>> >>>>> keycloak-user(a)lists.jboss.org
>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>>>>
>>> >>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
7:15 a.m.
Not right now because policies are basically processing permissions
(requested resource + scope) on a per-resource basis. In the future, we are
looking forward to making the policy engine more flexible so that you could
perform resource-less evaluation based on any data you include in an
authorization request.
On Tue, May 28, 2019 at 3:28 AM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Thanks Pedro.
I am thinking to fetch all the permissions granted for the user and from
there I can get all the resource names (books) and scopes user has access
for.
I have done this by getting the RPT from the Protection API in the backend
and iteration over the "permissions". But I am thinking to cut a round-trip
request and do this in the policy and push the resource names (with granted
permission) as an arbitrary claim. But as far as I understand I only have
access to Evaluation instance in the policy. Is there a way to get all the
"permissions granted" for a user, in the policy?
Cheers
Farzad
On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Sure. I'm not telling you that you should not use us to address your
> requirements, but that you should take into account whether or not you are
> using our authorization capabilities to process business rules, which is
> not our focus. I wanted to let you know about other projects that are
> targeted for this type of work. Sometimes, the borderline between security
> constraints and business rules are very clear when you are externalizing
> authorization from your application.
>
> But yeah, I think both approaches can work for you. The data filter
> approach is could be very handy in order to filter resources that users can
> access. So if you are able to group your users into groups and then write
> policies that push back a claim based on the user membership, then you
> should be able to keep your policies simple. This is probably the optimal
> solution because it avoids additional requests from the server for checking
> whether or not the user has access to a resource.
>
> On the other hand, you can use resource types. Or even have resources in
> Keycloak that represent your different resource sets. Based on the
> permissions within the token you should also be able to build the query
> accordingly in your application.
>
> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Thanks Pedro. I really appreciate your reply.
>>
>> I think arbitrary claims are what I need to pass the filtering required
>> to the backend (if I can generate those claims). Also resource types look
>> interesting. I think as you said I can use that to group my resources.
>> These two should solve my problems at hand.
>>
>> That would be also great if you could elaborate on what you meant by
>> "security constraints" vs "business rules". I just want to
have a better
>> understanding of Keycloak.
>> My understanding is that Keycloak is an identity and "access
management"
>> system. And when it comes to "access management" my understanding is
that
>> it means "who" has "what" access to "which"
resource under "what
>> conditions".
>> If this definition is true, wouldn't "who has access to which
resources"
>> be a security constraint under Keycloak's authorization model?
>>
>> As you said I might need to look into other solutions but I before I do
>> that I want to make sure I really cannot do what I want to do with Keycloak
>> and I really cannot implement my requirements under Keycloal's
>> authorization model, since I have already happily invested lots of time on
>> Keycloak :)
>>
>>
>>
>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Hi Farzad,
>>>
>>> Sorry for the late reply.
>>>
>>> Our authorization model is targeted for enforcing security-related
>>> constraints, not business rules. Maybe you could consider Drools/BRMS.
>>>
>>> Some time ago we had a discussion about data filtering and how to fetch
>>> resources based on policy decisions. If you look at our documentation [1]
>>> you'll see that policies can push arbitrary claims back to your
application
>>> when granting access to a permission. This capability allows you to send a
>>> specific claim along with the permission that represents some filter that
>>> you can use to query your database.
>>>
>>> As a result, you'll have within your token something like:
>>>
>>> "permissions": [
>>> {
>>> "resource_id":
"90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>> "resource_name": "Book Resource",
>>> "claims": ["data.filter": ["book.type =
'foo' or book.type =
>>> 'bar'"]]
>>> }
>>> ]
>>>
>>> We do have a "resource group" concept. Resources can have a type
and
>>> you can also have a single resource representing a set of one or more
>>> "real" resources.
>>>
>>> [1]
>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
>>>
>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi
<farzad.panahi(a)gmail.com>
>>> wrote:
>>>
>>>> Any hint or example project to look at would really help to put me in
>>>> the
>>>> right direction.
>>>>
>>>> Should I post this question with a better and more specific title with
>>>> more
>>>> elaborate body to present the question better?
>>>>
>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <
>>>> farzad.panahi(a)gmail.com>
>>>> wrote:
>>>>
>>>> > This is exactly where I want to use Keycloak to set this business
>>>> > rule/mapping. Basically I need to associate each user with a subset
>>>> of B
>>>> > (books) to which the user has access to. This association is not
>>>> based on
>>>> > roles or groups. It is based on individual users.
>>>> > That's why I was thinking that the only way I can think of
doing
>>>> this to
>>>> > add every individual book as a resource in Keycloak and then I have
>>>> to
>>>> > create a permission for each of them to grant access to any
>>>> individual user.
>>>> > It would help if Keycloak had a concept like a resource group I
>>>> guess.
>>>> > Then I could put all those resources in a resource group and grant
>>>> access
>>>> > to that resource group for an individual user.
>>>> > Then in order to see which resources each user has access to, I
need
>>>> to
>>>> > query Keycloak somehow (I need to figure out how exactly) and get
the
>>>> > resources that user has access to, and return only those resources
>>>> for that
>>>> > user.
>>>> >
>>>> > That's what I can think of right now. I am just wondering if
there
>>>> is a
>>>> > better way to do this sort of resource oriented access control
where
>>>> each
>>>> > user has access to specific set of resources only.
>>>> >
>>>> >
>>>> >
>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva
<psilva(a)redhat.com
>>>> >
>>>> > wrote:
>>>> >
>>>> >> Sorry, but is still not clear to me how a "user has access
to a
>>>> subset of
>>>> >> B" is this access based on roles, groups or any other
information
>>>> that you
>>>> >> gather from the context ? I'm wondering if this is not a
business
>>>> rule
>>>> >> instead ....
>>>> >>
>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>>>> farzad.panahi(a)gmail.com>
>>>> >> wrote:
>>>> >>
>>>> >>> Hi Pedro,
>>>> >>>
>>>> >>> The user is not the book owner. You can think about it this
way
>>>> that if
>>>> >>> B is the set of all books then each user has access to a
subset of
>>>> B such
>>>> >>> that these subsets are not mutually exclusive and do
overlap.
>>>> >>>
>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <
>>>> psilva(a)redhat.com>
>>>> >>> wrote:
>>>> >>>
>>>> >>>> Hi Farzad,
>>>> >>>>
>>>> >>>> How do you check if a user has access to a book ? Is the
user the
>>>> book
>>>> >>>> owner or you have more conditions that should be taken
into
>>>> account to
>>>> >>>> grant access to books ?
>>>> >>>>
>>>> >>>> [1]
>>>> >>>>
>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>>> >>>>
>>>> >>>>
>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
>>>> farzad.panahi(a)gmail.com>
>>>> >>>> wrote:
>>>> >>>>
>>>> >>>>> Hi,
>>>> >>>>>
>>>> >>>>> I am very new to Keycloak. I have a RESTful API
implemented with
>>>> >>>>> json:api
>>>> >>>>> <https://jsonapi.org/> spec which I want to
secure using
>>>> Keycloak.
>>>> >>>>>
>>>> >>>>> I just want to ask the Keycloak community for best
practices
>>>> when it
>>>> >>>>> comes
>>>> >>>>> to securing RESTful APIs.
>>>> >>>>>
>>>> >>>>> My endpoints will be something like:
>>>> >>>>> GET /api/books --> return all books the user has
access for
>>>> >>>>> GET /api/books/123 --> return book with id = 123
>>>> >>>>>
>>>> >>>>> My challenge now is to figure out how to define
resources in
>>>> Keycloak.
>>>> >>>>> Should I add all my books as resources to Keycloak?
And then
>>>> define the
>>>> >>>>> permission between each user and resource?
>>>> >>>>>
>>>> >>>>> What would be the best practice to implement
"GET /api/books" to
>>>> return
>>>> >>>>> only the books the logged in user has access to?
Should I query
>>>> the
>>>> >>>>> Keycloak API to get all the resources the logged in
user has
>>>> access
>>>> >>>>> to, in
>>>> >>>>> the backend?
>>>> >>>>>
>>>> >>>>> Thanks
>>>> >>>>>
>>>> >>>>> Farzad
>>>> >>>>> _______________________________________________
>>>> >>>>> keycloak-user mailing list
>>>> >>>>> keycloak-user(a)lists.jboss.org
>>>> >>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >>>>>
>>>> >>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
12:49 p.m.
That would be really helpful. Is there an open ticket for it that I can
watch?
So if I can't granted permissions on the policy engine then I don't have
any other option but doing this on the backend bycalling the Protection
API, right?
On Tue., May 28, 2019, 5:16 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
wrote:
Not right now because policies are basically processing permissions
(requested resource + scope) on a per-resource basis. In the future, we are
looking forward to making the policy engine more flexible so that you could
perform resource-less evaluation based on any data you include in an
authorization request.
On Tue, May 28, 2019 at 3:28 AM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> Thanks Pedro.
>
> I am thinking to fetch all the permissions granted for the user and from
> there I can get all the resource names (books) and scopes user has access
> for.
>
> I have done this by getting the RPT from the Protection API in the
> backend and iteration over the "permissions". But I am thinking to cut a
> round-trip request and do this in the policy and push the resource names
> (with granted permission) as an arbitrary claim. But as far as I understand
> I only have access to Evaluation instance in the policy. Is there a way to
> get all the "permissions granted" for a user, in the policy?
>
>
> Cheers
>
> Farzad
>
>
>
> On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Sure. I'm not telling you that you should not use us to address your
>> requirements, but that you should take into account whether or not you are
>> using our authorization capabilities to process business rules, which is
>> not our focus. I wanted to let you know about other projects that are
>> targeted for this type of work. Sometimes, the borderline between security
>> constraints and business rules are very clear when you are externalizing
>> authorization from your application.
>>
>> But yeah, I think both approaches can work for you. The data filter
>> approach is could be very handy in order to filter resources that users can
>> access. So if you are able to group your users into groups and then write
>> policies that push back a claim based on the user membership, then you
>> should be able to keep your policies simple. This is probably the optimal
>> solution because it avoids additional requests from the server for checking
>> whether or not the user has access to a resource.
>>
>> On the other hand, you can use resource types. Or even have resources in
>> Keycloak that represent your different resource sets. Based on the
>> permissions within the token you should also be able to build the query
>> accordingly in your application.
>>
>> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi <farzad.panahi(a)gmail.com>
>> wrote:
>>
>>> Thanks Pedro. I really appreciate your reply.
>>>
>>> I think arbitrary claims are what I need to pass the filtering required
>>> to the backend (if I can generate those claims). Also resource types look
>>> interesting. I think as you said I can use that to group my resources.
>>> These two should solve my problems at hand.
>>>
>>> That would be also great if you could elaborate on what you meant by
>>> "security constraints" vs "business rules". I just want
to have a better
>>> understanding of Keycloak.
>>> My understanding is that Keycloak is an identity and "access
>>> management" system. And when it comes to "access management"
my
>>> understanding is that it means "who" has "what" access to
"which" resource
>>> under "what conditions".
>>> If this definition is true, wouldn't "who has access to which
>>> resources" be a security constraint under Keycloak's authorization
model?
>>>
>>> As you said I might need to look into other solutions but I before I do
>>> that I want to make sure I really cannot do what I want to do with Keycloak
>>> and I really cannot implement my requirements under Keycloal's
>>> authorization model, since I have already happily invested lots of time on
>>> Keycloak :)
>>>
>>>
>>>
>>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva(a)redhat.com>
>>> wrote:
>>>
>>>> Hi Farzad,
>>>>
>>>> Sorry for the late reply.
>>>>
>>>> Our authorization model is targeted for enforcing security-related
>>>> constraints, not business rules. Maybe you could consider Drools/BRMS.
>>>>
>>>> Some time ago we had a discussion about data filtering and how to
>>>> fetch resources based on policy decisions. If you look at our
documentation
>>>> [1] you'll see that policies can push arbitrary claims back to your
>>>> application when granting access to a permission. This capability allows
>>>> you to send a specific claim along with the permission that represents
some
>>>> filter that you can use to query your database.
>>>>
>>>> As a result, you'll have within your token something like:
>>>>
>>>> "permissions": [
>>>> {
>>>> "resource_id":
"90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>>> "resource_name": "Book Resource",
>>>> "claims": ["data.filter": ["book.type =
'foo' or book.type =
>>>> 'bar'"]]
>>>> }
>>>> ]
>>>>
>>>> We do have a "resource group" concept. Resources can have a
type and
>>>> you can also have a single resource representing a set of one or more
>>>> "real" resources.
>>>>
>>>> [1]
>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
>>>>
>>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi
<farzad.panahi(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Any hint or example project to look at would really help to put me
in
>>>>> the
>>>>> right direction.
>>>>>
>>>>> Should I post this question with a better and more specific title
>>>>> with more
>>>>> elaborate body to present the question better?
>>>>>
>>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <
>>>>> farzad.panahi(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>> > This is exactly where I want to use Keycloak to set this
business
>>>>> > rule/mapping. Basically I need to associate each user with a
subset
>>>>> of B
>>>>> > (books) to which the user has access to. This association is
not
>>>>> based on
>>>>> > roles or groups. It is based on individual users.
>>>>> > That's why I was thinking that the only way I can think of
doing
>>>>> this to
>>>>> > add every individual book as a resource in Keycloak and then I
have
>>>>> to
>>>>> > create a permission for each of them to grant access to any
>>>>> individual user.
>>>>> > It would help if Keycloak had a concept like a resource group I
>>>>> guess.
>>>>> > Then I could put all those resources in a resource group and
grant
>>>>> access
>>>>> > to that resource group for an individual user.
>>>>> > Then in order to see which resources each user has access to, I
>>>>> need to
>>>>> > query Keycloak somehow (I need to figure out how exactly) and
get
>>>>> the
>>>>> > resources that user has access to, and return only those
resources
>>>>> for that
>>>>> > user.
>>>>> >
>>>>> > That's what I can think of right now. I am just wondering if
there
>>>>> is a
>>>>> > better way to do this sort of resource oriented access control
>>>>> where each
>>>>> > user has access to specific set of resources only.
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <
>>>>> psilva(a)redhat.com>
>>>>> > wrote:
>>>>> >
>>>>> >> Sorry, but is still not clear to me how a "user has
access to a
>>>>> subset of
>>>>> >> B" is this access based on roles, groups or any other
information
>>>>> that you
>>>>> >> gather from the context ? I'm wondering if this is not a
business
>>>>> rule
>>>>> >> instead ....
>>>>> >>
>>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>>>>> farzad.panahi(a)gmail.com>
>>>>> >> wrote:
>>>>> >>
>>>>> >>> Hi Pedro,
>>>>> >>>
>>>>> >>> The user is not the book owner. You can think about it
this way
>>>>> that if
>>>>> >>> B is the set of all books then each user has access to a
subset
>>>>> of B such
>>>>> >>> that these subsets are not mutually exclusive and do
overlap.
>>>>> >>>
>>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <
>>>>> psilva(a)redhat.com>
>>>>> >>> wrote:
>>>>> >>>
>>>>> >>>> Hi Farzad,
>>>>> >>>>
>>>>> >>>> How do you check if a user has access to a book ? Is
the user
>>>>> the book
>>>>> >>>> owner or you have more conditions that should be
taken into
>>>>> account to
>>>>> >>>> grant access to books ?
>>>>> >>>>
>>>>> >>>> [1]
>>>>> >>>>
>>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
>>>>> farzad.panahi(a)gmail.com>
>>>>> >>>> wrote:
>>>>> >>>>
>>>>> >>>>> Hi,
>>>>> >>>>>
>>>>> >>>>> I am very new to Keycloak. I have a RESTful API
implemented with
>>>>> >>>>> json:api
>>>>> >>>>> <https://jsonapi.org/> spec which I want
to secure using
>>>>> Keycloak.
>>>>> >>>>>
>>>>> >>>>> I just want to ask the Keycloak community for
best practices
>>>>> when it
>>>>> >>>>> comes
>>>>> >>>>> to securing RESTful APIs.
>>>>> >>>>>
>>>>> >>>>> My endpoints will be something like:
>>>>> >>>>> GET /api/books --> return all books the user
has access for
>>>>> >>>>> GET /api/books/123 --> return book with id =
123
>>>>> >>>>>
>>>>> >>>>> My challenge now is to figure out how to define
resources in
>>>>> Keycloak.
>>>>> >>>>> Should I add all my books as resources to
Keycloak? And then
>>>>> define the
>>>>> >>>>> permission between each user and resource?
>>>>> >>>>>
>>>>> >>>>> What would be the best practice to implement
"GET /api/books"
>>>>> to return
>>>>> >>>>> only the books the logged in user has access to?
Should I query
>>>>> the
>>>>> >>>>> Keycloak API to get all the resources the logged
in user has
>>>>> access
>>>>> >>>>> to, in
>>>>> >>>>> the backend?
>>>>> >>>>>
>>>>> >>>>> Thanks
>>>>> >>>>>
>>>>> >>>>> Farzad
>>>>> >>>>> _______________________________________________
>>>>> >>>>> keycloak-user mailing list
>>>>> >>>>> keycloak-user(a)lists.jboss.org
>>>>> >>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> >>>>>
>>>>> >>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
1:31 p.m.
Yeah, you mean calling the token endpoint ....
On Tue, May 28, 2019 at 2:50 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
That would be really helpful. Is there an open ticket for it that I
can
watch?
So if I can't granted permissions on the policy engine then I don't have
any other option but doing this on the backend bycalling the Protection
API, right?
On Tue., May 28, 2019, 5:16 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
wrote:
> Not right now because policies are basically processing permissions
> (requested resource + scope) on a per-resource basis. In the future, we are
> looking forward to making the policy engine more flexible so that you could
> perform resource-less evaluation based on any data you include in an
> authorization request.
>
> On Tue, May 28, 2019 at 3:28 AM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Thanks Pedro.
>>
>> I am thinking to fetch all the permissions granted for the user and from
>> there I can get all the resource names (books) and scopes user has access
>> for.
>>
>> I have done this by getting the RPT from the Protection API in the
>> backend and iteration over the "permissions". But I am thinking to cut
a
>> round-trip request and do this in the policy and push the resource names
>> (with granted permission) as an arbitrary claim. But as far as I understand
>> I only have access to Evaluation instance in the policy. Is there a way to
>> get all the "permissions granted" for a user, in the policy?
>>
>>
>> Cheers
>>
>> Farzad
>>
>>
>>
>> On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Sure. I'm not telling you that you should not use us to address your
>>> requirements, but that you should take into account whether or not you are
>>> using our authorization capabilities to process business rules, which is
>>> not our focus. I wanted to let you know about other projects that are
>>> targeted for this type of work. Sometimes, the borderline between security
>>> constraints and business rules are very clear when you are externalizing
>>> authorization from your application.
>>>
>>> But yeah, I think both approaches can work for you. The data filter
>>> approach is could be very handy in order to filter resources that users can
>>> access. So if you are able to group your users into groups and then write
>>> policies that push back a claim based on the user membership, then you
>>> should be able to keep your policies simple. This is probably the optimal
>>> solution because it avoids additional requests from the server for checking
>>> whether or not the user has access to a resource.
>>>
>>> On the other hand, you can use resource types. Or even have resources
>>> in Keycloak that represent your different resource sets. Based on the
>>> permissions within the token you should also be able to build the query
>>> accordingly in your application.
>>>
>>> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi
<farzad.panahi(a)gmail.com>
>>> wrote:
>>>
>>>> Thanks Pedro. I really appreciate your reply.
>>>>
>>>> I think arbitrary claims are what I need to pass the filtering
>>>> required to the backend (if I can generate those claims). Also resource
>>>> types look interesting. I think as you said I can use that to group my
>>>> resources. These two should solve my problems at hand.
>>>>
>>>> That would be also great if you could elaborate on what you meant by
>>>> "security constraints" vs "business rules". I just
want to have a better
>>>> understanding of Keycloak.
>>>> My understanding is that Keycloak is an identity and "access
>>>> management" system. And when it comes to "access
management" my
>>>> understanding is that it means "who" has "what"
access to "which" resource
>>>> under "what conditions".
>>>> If this definition is true, wouldn't "who has access to which
>>>> resources" be a security constraint under Keycloak's
authorization model?
>>>>
>>>> As you said I might need to look into other solutions but I before I
>>>> do that I want to make sure I really cannot do what I want to do with
>>>> Keycloak and I really cannot implement my requirements under
Keycloal's
>>>> authorization model, since I have already happily invested lots of time
on
>>>> Keycloak :)
>>>>
>>>>
>>>>
>>>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva
<psilva(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Hi Farzad,
>>>>>
>>>>> Sorry for the late reply.
>>>>>
>>>>> Our authorization model is targeted for enforcing security-related
>>>>> constraints, not business rules. Maybe you could consider
Drools/BRMS.
>>>>>
>>>>> Some time ago we had a discussion about data filtering and how to
>>>>> fetch resources based on policy decisions. If you look at our
documentation
>>>>> [1] you'll see that policies can push arbitrary claims back to
your
>>>>> application when granting access to a permission. This capability
allows
>>>>> you to send a specific claim along with the permission that
represents some
>>>>> filter that you can use to query your database.
>>>>>
>>>>> As a result, you'll have within your token something like:
>>>>>
>>>>> "permissions": [
>>>>> {
>>>>> "resource_id":
"90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>>>> "resource_name": "Book Resource",
>>>>> "claims": ["data.filter": ["book.type
= 'foo' or book.type =
>>>>> 'bar'"]]
>>>>> }
>>>>> ]
>>>>>
>>>>> We do have a "resource group" concept. Resources can have a
type and
>>>>> you can also have a single resource representing a set of one or
more
>>>>> "real" resources.
>>>>>
>>>>> [1]
>>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
>>>>>
>>>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <
>>>>> farzad.panahi(a)gmail.com> wrote:
>>>>>
>>>>>> Any hint or example project to look at would really help to put
me
>>>>>> in the
>>>>>> right direction.
>>>>>>
>>>>>> Should I post this question with a better and more specific
title
>>>>>> with more
>>>>>> elaborate body to present the question better?
>>>>>>
>>>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <
>>>>>> farzad.panahi(a)gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> > This is exactly where I want to use Keycloak to set this
business
>>>>>> > rule/mapping. Basically I need to associate each user with
a
>>>>>> subset of B
>>>>>> > (books) to which the user has access to. This association is
not
>>>>>> based on
>>>>>> > roles or groups. It is based on individual users.
>>>>>> > That's why I was thinking that the only way I can think
of doing
>>>>>> this to
>>>>>> > add every individual book as a resource in Keycloak and then
I
>>>>>> have to
>>>>>> > create a permission for each of them to grant access to any
>>>>>> individual user.
>>>>>> > It would help if Keycloak had a concept like a resource
group I
>>>>>> guess.
>>>>>> > Then I could put all those resources in a resource group and
grant
>>>>>> access
>>>>>> > to that resource group for an individual user.
>>>>>> > Then in order to see which resources each user has access
to, I
>>>>>> need to
>>>>>> > query Keycloak somehow (I need to figure out how exactly)
and get
>>>>>> the
>>>>>> > resources that user has access to, and return only those
resources
>>>>>> for that
>>>>>> > user.
>>>>>> >
>>>>>> > That's what I can think of right now. I am just
wondering if there
>>>>>> is a
>>>>>> > better way to do this sort of resource oriented access
control
>>>>>> where each
>>>>>> > user has access to specific set of resources only.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <
>>>>>> psilva(a)redhat.com>
>>>>>> > wrote:
>>>>>> >
>>>>>> >> Sorry, but is still not clear to me how a "user has
access to a
>>>>>> subset of
>>>>>> >> B" is this access based on roles, groups or any
other information
>>>>>> that you
>>>>>> >> gather from the context ? I'm wondering if this is
not a business
>>>>>> rule
>>>>>> >> instead ....
>>>>>> >>
>>>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>>>>>> farzad.panahi(a)gmail.com>
>>>>>> >> wrote:
>>>>>> >>
>>>>>> >>> Hi Pedro,
>>>>>> >>>
>>>>>> >>> The user is not the book owner. You can think about
it this way
>>>>>> that if
>>>>>> >>> B is the set of all books then each user has access
to a subset
>>>>>> of B such
>>>>>> >>> that these subsets are not mutually exclusive and do
overlap.
>>>>>> >>>
>>>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva,
<
>>>>>> psilva(a)redhat.com>
>>>>>> >>> wrote:
>>>>>> >>>
>>>>>> >>>> Hi Farzad,
>>>>>> >>>>
>>>>>> >>>> How do you check if a user has access to a book
? Is the user
>>>>>> the book
>>>>>> >>>> owner or you have more conditions that should be
taken into
>>>>>> account to
>>>>>> >>>> grant access to books ?
>>>>>> >>>>
>>>>>> >>>> [1]
>>>>>> >>>>
>>>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi
<
>>>>>> farzad.panahi(a)gmail.com>
>>>>>> >>>> wrote:
>>>>>> >>>>
>>>>>> >>>>> Hi,
>>>>>> >>>>>
>>>>>> >>>>> I am very new to Keycloak. I have a RESTful
API implemented
>>>>>> with
>>>>>> >>>>> json:api
>>>>>> >>>>> <https://jsonapi.org/> spec which I
want to secure using
>>>>>> Keycloak.
>>>>>> >>>>>
>>>>>> >>>>> I just want to ask the Keycloak community
for best practices
>>>>>> when it
>>>>>> >>>>> comes
>>>>>> >>>>> to securing RESTful APIs.
>>>>>> >>>>>
>>>>>> >>>>> My endpoints will be something like:
>>>>>> >>>>> GET /api/books --> return all books the
user has access for
>>>>>> >>>>> GET /api/books/123 --> return book with
id = 123
>>>>>> >>>>>
>>>>>> >>>>> My challenge now is to figure out how to
define resources in
>>>>>> Keycloak.
>>>>>> >>>>> Should I add all my books as resources to
Keycloak? And then
>>>>>> define the
>>>>>> >>>>> permission between each user and resource?
>>>>>> >>>>>
>>>>>> >>>>> What would be the best practice to implement
"GET /api/books"
>>>>>> to return
>>>>>> >>>>> only the books the logged in user has access
to? Should I
>>>>>> query the
>>>>>> >>>>> Keycloak API to get all the resources the
logged in user has
>>>>>> access
>>>>>> >>>>> to, in
>>>>>> >>>>> the backend?
>>>>>> >>>>>
>>>>>> >>>>> Thanks
>>>>>> >>>>>
>>>>>> >>>>> Farzad
>>>>>> >>>>>
_______________________________________________
>>>>>> >>>>> keycloak-user mailing list
>>>>>> >>>>> keycloak-user(a)lists.jboss.org
>>>>>> >>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>> >>>>>
>>>>>> >>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
2:05 p.m.
Yes. I basically use the Authorization Client Java API.
On Tue, May 28, 2019 at 11:32 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Yeah, you mean calling the token endpoint ....
On Tue, May 28, 2019 at 2:50 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
> That would be really helpful. Is there an open ticket for it that I can
> watch?
>
> So if I can't granted permissions on the policy engine then I don't have
> any other option but doing this on the backend bycalling the Protection
> API, right?
>
> On Tue., May 28, 2019, 5:16 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
> wrote:
>
>> Not right now because policies are basically processing permissions
>> (requested resource + scope) on a per-resource basis. In the future, we are
>> looking forward to making the policy engine more flexible so that you could
>> perform resource-less evaluation based on any data you include in an
>> authorization request.
>>
>> On Tue, May 28, 2019 at 3:28 AM Farzad Panahi <farzad.panahi(a)gmail.com>
>> wrote:
>>
>>> Thanks Pedro.
>>>
>>> I am thinking to fetch all the permissions granted for the user and
>>> from there I can get all the resource names (books) and scopes user has
>>> access for.
>>>
>>> I have done this by getting the RPT from the Protection API in the
>>> backend and iteration over the "permissions". But I am thinking to
cut a
>>> round-trip request and do this in the policy and push the resource names
>>> (with granted permission) as an arbitrary claim. But as far as I understand
>>> I only have access to Evaluation instance in the policy. Is there a way to
>>> get all the "permissions granted" for a user, in the policy?
>>>
>>>
>>> Cheers
>>>
>>> Farzad
>>>
>>>
>>>
>>> On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva(a)redhat.com>
>>> wrote:
>>>
>>>> Sure. I'm not telling you that you should not use us to address your
>>>> requirements, but that you should take into account whether or not you
are
>>>> using our authorization capabilities to process business rules, which is
>>>> not our focus. I wanted to let you know about other projects that are
>>>> targeted for this type of work. Sometimes, the borderline between
security
>>>> constraints and business rules are very clear when you are externalizing
>>>> authorization from your application.
>>>>
>>>> But yeah, I think both approaches can work for you. The data filter
>>>> approach is could be very handy in order to filter resources that users
can
>>>> access. So if you are able to group your users into groups and then
write
>>>> policies that push back a claim based on the user membership, then you
>>>> should be able to keep your policies simple. This is probably the
optimal
>>>> solution because it avoids additional requests from the server for
checking
>>>> whether or not the user has access to a resource.
>>>>
>>>> On the other hand, you can use resource types. Or even have resources
>>>> in Keycloak that represent your different resource sets. Based on the
>>>> permissions within the token you should also be able to build the query
>>>> accordingly in your application.
>>>>
>>>> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi
<farzad.panahi(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Thanks Pedro. I really appreciate your reply.
>>>>>
>>>>> I think arbitrary claims are what I need to pass the filtering
>>>>> required to the backend (if I can generate those claims). Also
resource
>>>>> types look interesting. I think as you said I can use that to group
my
>>>>> resources. These two should solve my problems at hand.
>>>>>
>>>>> That would be also great if you could elaborate on what you meant by
>>>>> "security constraints" vs "business rules". I
just want to have a better
>>>>> understanding of Keycloak.
>>>>> My understanding is that Keycloak is an identity and "access
>>>>> management" system. And when it comes to "access
management" my
>>>>> understanding is that it means "who" has "what"
access to "which" resource
>>>>> under "what conditions".
>>>>> If this definition is true, wouldn't "who has access to
which
>>>>> resources" be a security constraint under Keycloak's
authorization model?
>>>>>
>>>>> As you said I might need to look into other solutions but I before I
>>>>> do that I want to make sure I really cannot do what I want to do
with
>>>>> Keycloak and I really cannot implement my requirements under
Keycloal's
>>>>> authorization model, since I have already happily invested lots of
time on
>>>>> Keycloak :)
>>>>>
>>>>>
>>>>>
>>>>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva
<psilva(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Farzad,
>>>>>>
>>>>>> Sorry for the late reply.
>>>>>>
>>>>>> Our authorization model is targeted for enforcing
security-related
>>>>>> constraints, not business rules. Maybe you could consider
Drools/BRMS.
>>>>>>
>>>>>> Some time ago we had a discussion about data filtering and how
to
>>>>>> fetch resources based on policy decisions. If you look at our
documentation
>>>>>> [1] you'll see that policies can push arbitrary claims back
to your
>>>>>> application when granting access to a permission. This capability
allows
>>>>>> you to send a specific claim along with the permission that
represents some
>>>>>> filter that you can use to query your database.
>>>>>>
>>>>>> As a result, you'll have within your token something like:
>>>>>>
>>>>>> "permissions": [
>>>>>> {
>>>>>> "resource_id":
"90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>>>>> "resource_name": "Book Resource",
>>>>>> "claims": ["data.filter":
["book.type = 'foo' or book.type =
>>>>>> 'bar'"]]
>>>>>> }
>>>>>> ]
>>>>>>
>>>>>> We do have a "resource group" concept. Resources can
have a type and
>>>>>> you can also have a single resource representing a set of one or
more
>>>>>> "real" resources.
>>>>>>
>>>>>> [1]
>>>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#pu...
>>>>>>
>>>>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <
>>>>>> farzad.panahi(a)gmail.com> wrote:
>>>>>>
>>>>>>> Any hint or example project to look at would really help to
put me
>>>>>>> in the
>>>>>>> right direction.
>>>>>>>
>>>>>>> Should I post this question with a better and more specific
title
>>>>>>> with more
>>>>>>> elaborate body to present the question better?
>>>>>>>
>>>>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <
>>>>>>> farzad.panahi(a)gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> > This is exactly where I want to use Keycloak to set this
business
>>>>>>> > rule/mapping. Basically I need to associate each user
with a
>>>>>>> subset of B
>>>>>>> > (books) to which the user has access to. This
association is not
>>>>>>> based on
>>>>>>> > roles or groups. It is based on individual users.
>>>>>>> > That's why I was thinking that the only way I can
think of doing
>>>>>>> this to
>>>>>>> > add every individual book as a resource in Keycloak and
then I
>>>>>>> have to
>>>>>>> > create a permission for each of them to grant access to
any
>>>>>>> individual user.
>>>>>>> > It would help if Keycloak had a concept like a resource
group I
>>>>>>> guess.
>>>>>>> > Then I could put all those resources in a resource group
and
>>>>>>> grant access
>>>>>>> > to that resource group for an individual user.
>>>>>>> > Then in order to see which resources each user has
access to, I
>>>>>>> need to
>>>>>>> > query Keycloak somehow (I need to figure out how
exactly) and get
>>>>>>> the
>>>>>>> > resources that user has access to, and return only
those
>>>>>>> resources for that
>>>>>>> > user.
>>>>>>> >
>>>>>>> > That's what I can think of right now. I am just
wondering if
>>>>>>> there is a
>>>>>>> > better way to do this sort of resource oriented access
control
>>>>>>> where each
>>>>>>> > user has access to specific set of resources only.
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <
>>>>>>> psilva(a)redhat.com>
>>>>>>> > wrote:
>>>>>>> >
>>>>>>> >> Sorry, but is still not clear to me how a "user
has access to a
>>>>>>> subset of
>>>>>>> >> B" is this access based on roles, groups or any
other
>>>>>>> information that you
>>>>>>> >> gather from the context ? I'm wondering if this
is not a
>>>>>>> business rule
>>>>>>> >> instead ....
>>>>>>> >>
>>>>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>>>>>>> farzad.panahi(a)gmail.com>
>>>>>>> >> wrote:
>>>>>>> >>
>>>>>>> >>> Hi Pedro,
>>>>>>> >>>
>>>>>>> >>> The user is not the book owner. You can think
about it this way
>>>>>>> that if
>>>>>>> >>> B is the set of all books then each user has
access to a subset
>>>>>>> of B such
>>>>>>> >>> that these subsets are not mutually exclusive
and do overlap.
>>>>>>> >>>
>>>>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor
Silva, <
>>>>>>> psilva(a)redhat.com>
>>>>>>> >>> wrote:
>>>>>>> >>>
>>>>>>> >>>> Hi Farzad,
>>>>>>> >>>>
>>>>>>> >>>> How do you check if a user has access to a
book ? Is the user
>>>>>>> the book
>>>>>>> >>>> owner or you have more conditions that
should be taken into
>>>>>>> account to
>>>>>>> >>>> grant access to books ?
>>>>>>> >>>>
>>>>>>> >>>> [1]
>>>>>>> >>>>
>>>>>>>
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad
Panahi <
>>>>>>> farzad.panahi(a)gmail.com>
>>>>>>> >>>> wrote:
>>>>>>> >>>>
>>>>>>> >>>>> Hi,
>>>>>>> >>>>>
>>>>>>> >>>>> I am very new to Keycloak. I have a
RESTful API implemented
>>>>>>> with
>>>>>>> >>>>> json:api
>>>>>>> >>>>> <https://jsonapi.org/> spec which
I want to secure using
>>>>>>> Keycloak.
>>>>>>> >>>>>
>>>>>>> >>>>> I just want to ask the Keycloak
community for best practices
>>>>>>> when it
>>>>>>> >>>>> comes
>>>>>>> >>>>> to securing RESTful APIs.
>>>>>>> >>>>>
>>>>>>> >>>>> My endpoints will be something like:
>>>>>>> >>>>> GET /api/books --> return all books
the user has access for
>>>>>>> >>>>> GET /api/books/123 --> return book
with id = 123
>>>>>>> >>>>>
>>>>>>> >>>>> My challenge now is to figure out how to
define resources in
>>>>>>> Keycloak.
>>>>>>> >>>>> Should I add all my books as resources
to Keycloak? And then
>>>>>>> define the
>>>>>>> >>>>> permission between each user and
resource?
>>>>>>> >>>>>
>>>>>>> >>>>> What would be the best practice to
implement "GET /api/books"
>>>>>>> to return
>>>>>>> >>>>> only the books the logged in user has
access to? Should I
>>>>>>> query the
>>>>>>> >>>>> Keycloak API to get all the resources
the logged in user has
>>>>>>> access
>>>>>>> >>>>> to, in
>>>>>>> >>>>> the backend?
>>>>>>> >>>>>
>>>>>>> >>>>> Thanks
>>>>>>> >>>>>
>>>>>>> >>>>> Farzad
>>>>>>> >>>>>
_______________________________________________
>>>>>>> >>>>> keycloak-user mailing list
>>>>>>> >>>>> keycloak-user(a)lists.jboss.org
>>>>>>> >>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>> >>>>>
>>>>>>> >>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
2058
days inactive
2070
days old
15 comments
3 participants
participants (3)
-
Bruno Oliveira -
Farzad Panahi -
Pedro Igor Silva