[keycloak-user] Question for role-based authorization scenario with keycloak

Thursday, 7 December 2017

Hi Keycloak-Community,

I need some help setting up a role based authorization with keycloak. Suppose you have
authorization data model like this:

{
  "roles": {
    "publisher": [
      {
        "resource": "/telemetry",
        "activities": [ "WRITE" ]
      }
    ],
    "consumer": [
      {
        "resource": "/telemetry",
        "activities": [ "READ" ]
      }
    ]
  },
  "users": {
    "client-sender": {
      "password": "secret",
      "authorities": [ "publisher" ]
    },
    "client-receiver": {
      "password": "secret",
      "authorities": [ "consumer" ]
    }
  }
}

Users (service account clients) and roles (defined for client called my-application) can
be easily integrated into keycloak. An example access token should look like this:

{
  "jti": "9290a241-45ad-4c14-b6e3-fdf906c7c102",
  "exp": 1511887924,
  "clientId": "client-sender",
  ...
  "resource_access": {
    "my-application": {
      "roles": [
        "publisher"
      ]
    }
  }
}

In keycloak, when enabling "Fine-grained authorization support" for the
application (client called my-application), resources (like "/telemetry") and
permissions (like "WRITE") can be defined.

The question is:
How do I get the connection between resources/permissions and the roles?
Or to be more precise, how to get those resources/permissions into the access token?

Thanks a lot in advance,
Oliver Fischer

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

[keycloak-user] Question for role-based authorization scenario with keycloak