I see. Recently, we added a DISABLED enforcement mode to adapter config
[1]. But I think your use case requires something different ...
If I understood your use case correctly, you don't want to change
deployment descriptors (web.xml or the Spring Security chain) to mark those
resources as public, because the decision of whether a resource is public or
not is dynamic, determined by a permission associated with the anonymous
policy. Am I correct? So users can decide whether a resource + scope can be
accessed without forcing authentication?
I think you are right about your proposal. A new filter that runs before the
KC filter kicks in should do the trick, especially if you have a specific
endpoint from which those public resources are served.
Regards.
Pedro Igor
[1] https://issues.jboss.org/browse/KEYCLOAK-3830
On Mon, Mar 6, 2017 at 3:34 PM, ebondu <dev.ebondu(a)gmail.com> wrote:
Hi and thanks for your reply,
Serving public resources is not a problem here; I can either change the
web.xml or change the Spring Security chain to serve public resources. But
what I need is to provide public access to a set of KC-protected resources
(the decision to authorize public access to resources has to be made by
the KC server with the "anonymous policy").
To illustrate, here is the corresponding use case:
- An admin can create some images with a set of scopes for restricted CRUD
operations and optionally a "public" scope to allow public (read-only)
access to some images.
- A user can create some private images with a set of scopes for
restricting the CRUD operations and without public access.
- A service is in charge of CRUD operations on all images (the service is
protected by the KC Spring filters to manage auth/authz).
- Public web pages have to show the public images created by the admin. As
these are public pages, the images must be accessible without an access
token, so I can use the CRUD service. Consequently, I need another dedicated
service that can serve images with the "public" scope only.
My first idea was to secure this service with the same authz Spring filter
only, but as it depends on the auth filter, I can't do it (the auth filter
creates the security context from the passed access token).
=> A new Spring filter asking directly for permission to access the "public"
scope + an "anonymous" policy on the KC side seems to be the only solution
here?
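The filter both messages describe, as an added example that is not part of the thread, of the Keycloak project, or of the poster's code. It assumes the Keycloak authorization client (org.keycloak.authorization.client.AuthzClient, which reads keycloak.json from the classpath and, when called without a user token, authenticates with the client's own credentials), a dedicated endpoint /public/images/{id} served by the image service, image resources registered in Keycloak under the name image:<id> with a "public" scope, and that the "anonymous" policy attached to that scope grants it even though the request carries no end-user identity. All of those names and the policy behaviour are assumptions for the sake of the example.

```java
// Added example, not code from the thread or from Keycloak. A servlet filter
// registered ahead of the Keycloak Spring Security filter: for requests to the
// (assumed) /public/images/{id} endpoint that carry no token, it asks Keycloak
// whether the "public" scope is granted on the image resource and only then
// lets the request through. Requests that do carry a token are left to the
// regular Keycloak auth/authz filters.
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.springframework.web.filter.OncePerRequestFilter;

public class PublicImageFilter extends OncePerRequestFilter {

    private static final String PUBLIC_PREFIX = "/public/images/"; // assumed endpoint
    private static final String PUBLIC_SCOPE = "public";           // scope name from the thread
    private static final String RESOURCE_PREFIX = "image:";        // assumed resource naming in KC

    // Only accept ids that cannot carry path tricks or huge payloads into the
    // permission request; anything else is treated as "no such image".
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Reads keycloak.json (resource server client id + credentials) from the classpath.
    private final AuthzClient authzClient = AuthzClient.create();

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Everything outside the public endpoint goes straight to the KC filters.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return !path.startsWith(PUBLIC_PREFIX);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (request.getHeader("Authorization") != null) {
            // A token was supplied: let the Keycloak filters build the security
            // context and evaluate the caller's own permissions.
            chain.doFilter(request, response);
            return;
        }
        String imageId = imageIdFrom(request);
        if (imageId == null || !isPublic(imageId)) {
            // Same answer for "denied" and "unknown id", so an anonymous caller
            // cannot use the endpoint to enumerate private images.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    // Extracts the {id} path segment; null when it does not match SAFE_ID.
    static String imageIdFrom(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String id = path.substring(PUBLIC_PREFIX.length());
        return SAFE_ID.matcher(id).matches() ? id : null;
    }

    // Asks Keycloak for the "public" scope on image:<id>. No user token is
    // involved: authzClient.authorization() authenticates with the client's own
    // credentials, so the policy attached to the scope must grant it on that
    // basis (the "anonymous" policy the thread talks about).
    boolean isPublic(String imageId) {
        AuthorizationRequest permission = new AuthorizationRequest();
        permission.addPermission(RESOURCE_PREFIX + imageId, PUBLIC_SCOPE);
        try {
            authzClient.authorization().authorize(permission);
            return true; // an RPT was issued, i.e. the single requested permission was granted
        } catch (AuthorizationDeniedException denied) {
            return false;
        }
    }
}
```

To put it in front of the Keycloak filter, register it from the security configuration with `http.addFilterBefore(new PublicImageFilter(), KeycloakAuthenticationProcessingFilter.class)` and keep `/public/images/**` as `permitAll()` in the chain, since the filter never creates a security context and the image service must not expect one on that path. Each anonymous request costs one round trip to Keycloak, so a short-lived cache of the per-image decision is worth adding before this sees real traffic.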
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/Anonymous-access-to-scoped-resources-tp2929p3042.html
Sent from the keycloak-user mailing list archive at Nabble.com.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user