Hi Ronaldo,
That is a good point and probably something we can improve.
Currently, the roles are always obtained from the bearer token or
subject_token you are using to make the authorization request. I think we
could also fall back to checking roles by querying our identity stores
internally.
One thing you could do for now, though, is to write a JS policy to perform
RBAC [1].
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#ch...
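The JS policy suggested above, worked through as an added example (not code from this thread or from Keycloak's own docs): a policy for client B1 that grants on a required B1 client role, first from the roles carried in the bearer token and then, when the token carries no B1 roles, by asking Keycloak's internal stores. The `$evaluation.getRealm().isUserInClientRole(...)` lookup, the `B1` client id, the `orders:read` role and the mock are assumptions constructed for this example.

```javascript
// Added example, not code from the thread or from Keycloak's own docs.
// Assumed Keycloak JS policy API: $evaluation.getContext().getIdentity()
// (roles taken from the bearer token) and $evaluation.getRealm()
// .isUserInClientRole(userId, clientId, role) (roles looked up internally).
// In Keycloak the script runs at top level with $evaluation as a global; the
// logic sits in a function here so a constructed mock can exercise it offline.
var REQUIRED_CLIENT = 'B1';          // API client that owns the resources
var REQUIRED_ROLE = 'orders:read';   // constructed client role name

function rbacPolicy(evaluation) {
  var identity = evaluation.getContext().getIdentity();
  // Fast path: role already in token T1 (A1 has the "User Client Role" mapper).
  if (identity.hasClientRole(REQUIRED_CLIENT, REQUIRED_ROLE)) {
    evaluation.grant();
    return 'grant:token';
  }
  // Fallback: T1 carries no B1 roles (keeps it under the 4k limit), so ask
  // Keycloak's internal stores whether the user holds the role.
  var realm = evaluation.getRealm();
  if (realm.isUserInClientRole(identity.getId(), REQUIRED_CLIENT, REQUIRED_ROLE)) {
    evaluation.grant();
    return 'grant:realm';
  }
  evaluation.deny();
  return 'deny';
}

// Constructed stand-in for $evaluation; roles are given as "client/role".
function mockEvaluation(tokenRoles, dbRoles) {
  var decision = null;
  var identity = {
    getId: function () { return 'user-1'; },
    hasClientRole: function (c, r) { return tokenRoles.indexOf(c + '/' + r) !== -1; }
  };
  return {
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    getRealm: function () {
      return { isUserInClientRole: function (id, c, r) { return dbRoles.indexOf(c + '/' + r) !== -1; } };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    decision: function () { return decision; }
  };
}

// In the uploaded policy script the last line would simply be: rbacPolicy($evaluation);
```

With the fallback in place, A1 no longer needs the "User Client Role" mapper for B1 on token T1; the role check is answered from Keycloak's stores instead.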
On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <
ronaldo.yamada(a)serpro.gov.br> wrote:
Hi,
I have the following use case:
One client A1 (web) performs an authorization code flow and gets an
access_token.
I want to use this access token as Bearer token T1[azp=A1] in backend client
B1 (api) with authorization enabled,
and validate permissions on Resources#Scopes in client B1, mapped by a client
B1 RolePolicy.
I already got it working, but only if I add the built-in protocol mapper "User Client
Role" to the first client A1 and insert client roles of B1 on token T1.
But this largely increases the size of access_token T1 and I have a limit of 4k.
How can I make Keycloak evaluate authz permissions [RolePolicy] against the user's
client roles in the internal database, instead of the information on the first token T1?
Ronaldo Hideki Yamada
-
"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a
government company established under Brazilian law (5.615/70) -- is
directed exclusively to its addressee and may contain confidential data,
protected under professional secrecy rules. Its unauthorized use is illegal
and may subject the transgressor to the law's penalties. If you're not the
addressee, please send it back, elucidating the failure."
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user