On Wed, Aug 29, 2018 at 12:47 PM, David Erie (US) <David.Erie(a)datapath.com>
wrote:
Hello,
We're excited to be integrating Keycloak into our application suite, and I
have some authorization questions I haven't been able to answer myself.
We have an unusual Single Page Application (SPA) architecture where our
web server and our "data" server are separate processes. Further, we don't
own the web server source code. Consequently, the SPA code running in the
browser will need to perform fine-grained permission enforcement on its own.
I believe we can do this by sending the following type of request to get
an RPT with all allowed permissions on the given resource server (I tested
this and it works as expected):
curl -X POST \
  "http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token" \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "client_id=${web_client_id}" \
  --data "audience=${resource_server_client_id}"
We would actually need to send two of these requests, one with the "web"
resource server client ID, and the other with the "data" resource server
client ID, because they would each own a set of resources that are accessed
and whose permissions are enforced in the SPA.
Is this the recommended way to approach this problem?
This approach is fine depending on how many resources you have managed by
Keycloak. As you know, you are basically checking permissions for all
resources ...
Another way to achieve this is asking for specific permissions and
obtaining others on demand. For instance, if the SPA right after login requires
A, B and C, you can send a request asking permissions for only these
resources. Later, you can send the previous token with permissions for A, B
and C and ask for additional permissions for D, E and F. This is what we
call incremental authorization.
It would be nice if we could have a simple flag in the resource page to define the
resources we want to return by default (instead of all of them).
Will this approach be supported in the long term (versus being deprecated
for some reason related to the UMA 2.0 spec)?
Yes.
Finally, what is the limit on the length of or number of permissions in an
RPT?
No limit. But your clients can send a response_permissions_limit [1]
parameter to define how many permissions you expect in the token.
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
Thank you,
Dave
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
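As an added example (not code from the thread or from Keycloak itself), the Python below builds the same UMA ticket grant request as the curl command, including the `permission` and `rpt` form parameters Keycloak's token endpoint accepts for the incremental authorization the reply describes, and decodes the returned RPT so the SPA can check a resource and scope locally. The token endpoint URL, audience and resource names are placeholders, and the sample RPT is constructed and unsigned.

```python
import base64
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_form(audience, permissions=None, rpt=None, limit=None):
    """Form body for the UMA ticket grant: `permissions` are "resource" or
    "resource#scope" strings, `rpt` is a previously issued RPT whose grants
    are carried over (incremental authorization), `limit` maps to
    response_permissions_limit."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    fields += [("permission", p) for p in permissions or []]
    if rpt:
        fields.append(("rpt", rpt))
    if limit is not None:
        fields.append(("response_permissions_limit", str(limit)))
    return urllib.parse.urlencode(fields)


def request_rpt(token_url, access_token, **kwargs):
    """POST the grant to the realm token endpoint (placeholder URL) with the
    user's access token as bearer; returns the parsed JSON response."""
    req = urllib.request.Request(
        token_url, data=build_rpt_form(**kwargs).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rpt_permissions(rpt):
    """Return {resource_name: set(scopes)} from the RPT's `authorization`
    claim. The payload is only decoded, not verified: in the browser this
    gates UI, while each resource server still validates the token."""
    payload = rpt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    grants = {}
    for perm in claims.get("authorization", {}).get("permissions", []):
        # newer Keycloak uses rsname, older releases resource_set_name
        name = perm.get("rsname") or perm.get("resource_set_name")
        grants.setdefault(name, set()).update(perm.get("scopes", []))
    return grants


def is_allowed(rpt, resource, scope=None):
    scopes = rpt_permissions(rpt).get(resource)
    return scopes is not None and (scope is None or scope in scopes)


def sample_rpt(permissions):
    """Constructed, unsigned RPT (alg none) for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header, body = b64({"alg": "none"}), b64({"authorization": {"permissions": permissions}})
    return f"{header}.{body}."
```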