Hi Pedro,
thank you for the helpful example and extended documentation on GitHub. My understanding
is that this would rely on trusting the client’s claim that she is actually accessing the
resource with the actual resource. In your example, it would rely on userA pushing the
claim userB when she tries to access the resource /api/userB/salary.
For now I am implementing option 2) as this also offers the benefit of enabling a later
refinement of access rights per organization on the Keycloak platform and in connected
clients.
Best regards
Christian
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Friday, June 22, 2018 4:31 PM
To: Christian Stier <stier(a)fzi.de>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Group-based permissions for resources
You should be able to push arbitrary claims to your policies such as the request URI. Your
policy could check if {organization} is among the groups the user is a member of. A single
policy could serve for this purpose.
I've added more information about this in the docs; the PR is about to be merged. I'm
also working on a quickstart that shows how to solve a similar problem. Something like
"access to /api/{user}/salary is only allowed if the current user is {user}".
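The group-based policy Pedro describes, written out as an added example. This is not code from the thread or from Keycloak's quickstarts: the policy body uses the Keycloak JavaScript policy API (`$evaluation`, `getContext()`, `getIdentity()`, `getAttributes().getValue(...)` returning an entry with `size()`, `isEmpty()` and `asString(i)`), but the small `$evaluation` stand-in that follows it exists only so the logic can run under Node. It assumes the resource server's policy enforcer pushes a claim named `organization` that it extracts from the request path itself, and that group membership arrives as a `groups` attribute on the identity; both names are assumptions, not Keycloak defaults. Deriving the claim from the path on the resource-server side, rather than accepting a value the caller asserts, is what keeps the check trustworthy.

```javascript
// Policy body as it would be pasted into a Keycloak JavaScript policy.
// Keycloak exposes a global `$evaluation`; it is a parameter here so the
// same function can be driven by the stand-in below.
function organizationPolicy($evaluation) {
  var context = $evaluation.getContext();
  var identity = context.getIdentity();

  // Claim pushed by the enforcer (assumed name "organization"), taken from the
  // request path /{organization}/{resourcename}, never from a caller-supplied value.
  var organization = context.getAttributes().getValue('organization');
  // Group memberships of the authenticated user (assumed attribute name "groups").
  var groups = identity.getAttributes().getValue('groups');

  if (organization == null || organization.isEmpty() || groups == null) {
    $evaluation.deny();
    return;
  }
  var wanted = String(organization.asString(0));
  for (var i = 0; i < groups.size(); i++) {
    // String(...) so the comparison also works on Java strings under Nashorn.
    if (String(groups.asString(i)) === wanted) {
      $evaluation.grant();
      return;
    }
  }
  $evaluation.deny();
}

// ---- Stand-in for the parts of Keycloak's Evaluation API used above ----

// Mimics Attributes.Entry: a multi-valued attribute.
function entry(values) {
  return {
    size: function () { return values.length; },
    isEmpty: function () { return values.length === 0; },
    asString: function (i) { return values[i]; }
  };
}

// Mimics Attributes: getValue() returns null for unknown names.
function attributes(map) {
  return {
    getValue: function (name) {
      return Object.prototype.hasOwnProperty.call(map, name) ? entry(map[name]) : null;
    }
  };
}

// What the enforcer would push: the {organization} segment of /{organization}/{resourcename}.
// Returns an empty list when the path does not have that shape.
function organizationFromPath(path) {
  var m = /^\/([^\/]+)\/[^\/]+/.exec(path);
  return m ? [m[1]] : [];
}

// Runs the policy for one request and returns "GRANT" or "DENY".
function evaluate(pushedClaims, userGroups) {
  var decision = null;
  var $evaluation = {
    getContext: function () {
      return {
        getAttributes: function () { return attributes(pushedClaims); },
        getIdentity: function () {
          return { getAttributes: function () { return attributes({ groups: userGroups }); } };
        }
      };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; }
  };
  organizationPolicy($evaluation);
  return decision;
}

// Constructed sample requests: a member of "acme" reaching an acme resource is
// granted; the same user reaching an "initech" resource, or a path without an
// organization segment, is denied.
console.log(evaluate({ organization: organizationFromPath('/acme/report') }, ['acme', 'globex']));
console.log(evaluate({ organization: organizationFromPath('/initech/report') }, ['acme']));
console.log(evaluate({ organization: organizationFromPath('/report') }, ['acme']));
```

The same shape covers the `/api/{user}/salary` case from the quickstart Pedro mentions: push the `{user}` segment as a claim and compare it against the identity's own id instead of its group list. A single policy attached to a single resource pattern then serves every organization, which is what option 1) in the original question asks for.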
On Fri, Jun 22, 2018 at 5:09 AM, Christian Stier <stier(a)fzi.de> wrote:
Dear all,
I am in the process of implementing an authorization solution for the REST API of an
application using Keycloak/OIDC.
The application manages resources based on their association with user groups. Its
simplified path schema is similar to /{organization}/{resourcename}. All users of an
organization should be allowed to access its resources. My current approach is to map
organizations to Keycloak user groups.
1) Is it possible to define an authorization policy in Keycloak that handles group-based
authorization for a single resource defined for the path /{organization}/{resourcename}?
My idea here was to check if the organization path of a URL matches a scope of the
calling client that is mapped from its group memberships. I looked into JS policy examples
and the Evaluation API but I did not see a way to check against path parameters.
2) Or: Do I have to (programmatically) create separate resource/policy pairs for each
organization to support this type of group-based authorization?
Thanks for any pointers and input.
Best regards
Christian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user