Pedro,
Using a JS policy also does not work, as shown in
https://www.keycloak.org/docs/latest/authorization_services/index.html#ch...
but: context.getIdentity() also gets its data from the token, not from the internal identity store.
How do I get a UserModel (or any internal user) from a context?
I found KeycloakIdentity::getUserFromSessionState, but the method is private.
/**
 * JSPolicy: eh_gestor
 */
var context = $evaluation.getContext();
// Identity built from the bearer token: its attributes are the token claims only.
var identity = context.getIdentity();
var Logger = Java.type("org.jboss.logging.Logger");
var LOG = Logger.getLogger(Java.type("org.keycloak.authorization.policy.provider.js.JSPolicyProvider"));
// Dump the identity attributes to see which claims the policy actually sees.
LOG.info(identity.getAttributes().toMap().toString());
// Grants only when the client role is present in the token.
if (identity.hasClientRole('suite-sc', 'gestor')) {
    $evaluation.grant();
}
/* EOF */
# Log output when client roles aren't mapped to the token:
2019-06-28 11:35:58,823 INFO [[JavaClass
org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-102)
{sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc],
auth_time=[0], name=[Ronaldo Hideki Yamada], typ=[Bearer], exp=[1561734358],
session_state=[c73b7532-55d6-4d49-a1d1-662fe9fac369], iat=[1561732558],
jti=[0873781a-b595-4a50-a4e2-33730cede059]}
# Log output when client roles are mapped to the token:
2019-06-28 11:51:42,295 INFO [[JavaClass
org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-107)
{sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc],
auth_time=[0], name=[Ronaldo Hideki Yamada], kc.client.suite-sc.roles=[cadastrador,
gestor], typ=[Bearer], exp=[1561735302],
session_state=[af72aa12-3e94-4ebe-9bc7-a47bffeecef1], iat=[1561733502],
jti=[f8ef05a1-44ab-4c99-863c-1875a82cdd8f]}
Ronaldo Hideki Yamada
SUPES/ESDEA/ESCSP
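An added example (not code from this thread or from Keycloak) that reproduces the two log situations above in Python: a token-only role check, which like identity.hasClientRole() can only see roles that were mapped into the token, plus an estimate of how mapping client roles grows the serialized token toward the 4k limit. The claim layout (resource_access.<client>.roles, which the Keycloak identity surfaces as the kc.client.<client>.roles attribute in the logs), the 256-byte RS256 signature and the sample claims are assumptions/constructed.

```python
import base64
import copy
import json

TOKEN_BUDGET = 4096  # the 4k limit mentioned in the thread

# Constructed sample claims, not a real Keycloak token: what a policy sees when
# the client roles of "suite-sc" are NOT mapped into the access token.
BASE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    "azp": "suite-sc",
    "typ": "Bearer",
    "exp": 1561734358,
    "iat": 1561732558,
}

def with_client_roles(claims, client_id, roles):
    """Return a copy of the claims with roles added the way the
    'User Client Role' mapper does: under resource_access.<client>.roles."""
    out = copy.deepcopy(claims)
    out.setdefault("resource_access", {})[client_id] = {"roles": list(roles)}
    return out

def has_client_role(claims, client_id, role):
    """Token-only check, mirroring identity.hasClientRole() in a JS policy:
    a role that was not mapped into the token is invisible here."""
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return role in roles

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encoded_size(claims, signature_bytes=256):
    """Approximate length of the serialized JWT (RS256 signature assumed to be
    256 raw bytes), for comparison against header/cookie size limits."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(b"\x00" * signature_bytes)
    return len(header) + len(payload) + len(sig) + 2  # two '.' separators

def fits_budget(claims, budget=TOKEN_BUDGET):
    return encoded_size(claims) <= budget

if __name__ == "__main__":
    mapped = with_client_roles(BASE_CLAIMS, "suite-sc", ["cadastrador", "gestor"])
    for label, claims in (("unmapped", BASE_CLAIMS), ("mapped", mapped)):
        print(label, has_client_role(claims, "suite-sc", "gestor"),
              encoded_size(claims), fits_budget(claims))
```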
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "ronaldo.yamada serpro" <ronaldo.yamada(a)serpro.gov.br>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, June 26, 2019 16:56:53
Subject: Re: [keycloak-user] Only bearer client and Authorization
Hi Ronaldo,
That is a good point and probably something we can improve.
Currently, the roles are always obtained from the bearer token or subject_token you are
using to make the authorization request. I think we could also fall back to checking roles
by querying our identity stores internally.
One thing you could do for now though is writing a JS policy to perform RBAC [1].
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#ch...
On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <ronaldo.yamada(a)serpro.gov.br> wrote:
Hi,
I have the following use case:
One client A1 (web) performs an authentication code flow and gets an access_token.
I want to use this access token as a Bearer token T1[azp=A1] in a backend client B1 (api) with
authorization enabled,
and validate permissions on Resources#Scopes in client B1 mapped by a client B1 RolePolicy.
I already got this to work, but only if I add the builtin protocol mapper "User Client Role" to
the first client A1 and insert the client roles of B1 into token T1.
But this largely increases the size of access_token T1, and I have a limit of 4k.
How can I make Keycloak evaluate authz permissions [RolePolicy] against the user's client roles in the
internal database, instead of the information in the first token T1?
Ronaldo Hideki Yamada
"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government
company established under Brazilian law (5.615/70) -- is directed exclusively to its
addressee and may contain confidential data, protected under professional secrecy rules.
Its unauthorized use is illegal and may subject the transgressor to the law's
penalties. If you're not the addressee, please send it back, elucidating the
failure."
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user