11:07 a.m.
Hi folks,
I have a project with several resources that are created and owned by users. Access to
these resources can be shared with groups or other users via Keycloak permissions. My API
needs to implement endpoints for accessing these resources in a permission-based manner,
meaning that for example GET /my-resource should return all resources that the provided
access token has permission to view (e.g. via “view” scope).
Right now, this is my implementation:
1. POST /my-resource creates an object in my DB and a corresponding Keycloak resource
via the Protection API. Resources in Keycloak are named using a schema
(<resource-prefix>.<database-id>)
2. Send POST token endpoint with response_mode=permissions. This gives me a list of all
resources the token can access, including the scopes. See [1]
3. Filter the list by name and scope using the resource prefix
4. Extract object IDs from resource names and load DB objects using the extracted IDs
While this works, I still see some issues with this approach:
* The resulting list of resources in 2) could potentially become quite big and
increase response time
* The “naming schema solution” for mapping Keycloak resources to database objects
seems more like a workaround
Are there best practices for doing this kind of thing with Keycloak? If not, I’d be
grateful for any tips on how to turn this into a more robust / efficient solution.
Thanks,
Marco
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
4:22 p.m.
On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco <marco.lamina(a)sap.com> wrote:
Hi folks,
I have a project with several resources that are created and owned by
users. Access to these resources can be shared with groups or other users
via Keycloak permissions. My API needs to implement endpoints for accessing
these resources in a permission-based manner, meaning that for example GET
/my-resource should return all resources that the provided access token has
permission to view (e.g. via “view” scope).
Right now, this is my implementation:
1. POST /my-resource creates an object in my DB and a corresponding
Keycloak resource via the Protection API. Resources in Keycloak are named
using a schema (<resource-prefix>.<database-id>)
2. Send POST token endpoint with response_mode=permissions. This gives
me a list of all resources the token can access, including the scopes. See
[1]
3. Filter the list by name and scope using the resource prefix
4. Extract object IDs from resource names and load DB objects using the
extracted IDs
While this works, I still see some issues with this approach:
* The resulting list of resources in 2) could potentially become quite
big and increase response time
Yeah, that is one of the drawbacks when fetching permissions for every
single resource. How many resources are you expecting for each user ?
* The “naming schema solution” for mapping Keycloak resources to
database objects seems more like a workaround
That is fine, another approach is store the "reference id" in a column.
Are there best practices for doing this kind of thing with Keycloak? If
not, I’d be grateful for any tips on how to turn this into a more robust /
efficient solution.
Until now, we have focused on API security as well privacy. For the latter,
permissions are evaluated on a per resource basis so you don't have any
performance penalties when doing this.
Thanks,
Marco
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:41 p.m.
A single user will potentially have access to a couple hundred resources in the future.
If there was a way to somehow reduce the size of the result from the token endpoint in 2),
that would already be a big improvement. Right now, the endpoint returns all resources of
all types, while I only ever need the accessible resources of one particular type.
I agree that storing the "reference id" in a column is probably a cleaner
solution than parsing the resource name.
From: Pedro Igor Silva <psilva(a)redhat.com>
Date: Tuesday, October 16, 2018 at 2:23 PM
To: "Lamina, Marco" <marco.lamina(a)sap.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Best practices for permission-based resource lookup
On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco
<marco.lamina@sap.com<mailto:marco.lamina@sap.com>> wrote:
Hi folks,
I have a project with several resources that are created and owned by users. Access to
these resources can be shared with groups or other users via Keycloak permissions. My API
needs to implement endpoints for accessing these resources in a permission-based manner,
meaning that for example GET /my-resource should return all resources that the provided
access token has permission to view (e.g. via “view” scope).
Right now, this is my implementation:
1. POST /my-resource creates an object in my DB and a corresponding Keycloak resource
via the Protection API. Resources in Keycloak are named using a schema
(<resource-prefix>.<database-id>)
2. Send POST token endpoint with response_mode=permissions. This gives me a list of all
resources the token can access, including the scopes. See [1]
3. Filter the list by name and scope using the resource prefix
4. Extract object IDs from resource names and load DB objects using the extracted IDs
While this works, I still see some issues with this approach:
* The resulting list of resources in 2) could potentially become quite big and
increase response time
Yeah, that is one of the drawbacks when fetching permissions for every single resource.
How many resources are you expecting for each user ?
* The “naming schema solution” for mapping Keycloak resources to database objects
seems more like a workaround
That is fine, another approach is store the "reference id" in a column.
Are there best practices for doing this kind of thing with Keycloak? If not, I’d be
grateful for any tips on how to turn this into a more robust / efficient solution.
Until now, we have focused on API security as well privacy. For the latter, permissions
are evaluated on a per resource basis so you don't have any performance penalties when
doing this.
Thanks,
Marco
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:38 p.m.
On Tue, Oct 16, 2018 at 6:41 PM Lamina, Marco <marco.lamina(a)sap.com> wrote:
A single user will potentially have access to a couple hundred
resources
in the future.
If there was a way to somehow reduce the size of the result from the token
endpoint in 2), that would already be a big improvement. Right now, the
endpoint returns all resources of all types, while I only ever need the
accessible resources of one particular type.
Right now we have a *response_permissions_limit* parameter to limit the
number of permissions evaluated by the server. It is quite
non-deterministic though as it is not based on any order or types of
resources. Evaluate permissions based on resource types is something we can
consider. If you don't mind, please open a RFE. Contribution is also
welcome :)
I agree that storing the "reference id" in a column is probably a cleaner
solution than parsing the resource name.
*From: *Pedro Igor Silva <psilva(a)redhat.com>
*Date: *Tuesday, October 16, 2018 at 2:23 PM
*To: *"Lamina, Marco" <marco.lamina(a)sap.com>
*Cc: *keycloak-user <keycloak-user(a)lists.jboss.org>
*Subject: *Re: [keycloak-user] Best practices for permission-based
resource lookup
On Tue, Oct 16, 2018 at 1:15 PM Lamina, Marco <marco.lamina(a)sap.com>
wrote:
Hi folks,
I have a project with several resources that are created and owned by
users. Access to these resources can be shared with groups or other users
via Keycloak permissions. My API needs to implement endpoints for accessing
these resources in a permission-based manner, meaning that for example GET
/my-resource should return all resources that the provided access token has
permission to view (e.g. via “view” scope).
Right now, this is my implementation:
1. POST /my-resource creates an object in my DB and a corresponding
Keycloak resource via the Protection API. Resources in Keycloak are named
using a schema (<resource-prefix>.<database-id>)
2. Send POST token endpoint with response_mode=permissions. This gives
me a list of all resources the token can access, including the scopes. See
[1]
3. Filter the list by name and scope using the resource prefix
4. Extract object IDs from resource names and load DB objects using the
extracted IDs
While this works, I still see some issues with this approach:
* The resulting list of resources in 2) could potentially become quite
big and increase response time
Yeah, that is one of the drawbacks when fetching permissions for every
single resource. How many resources are you expecting for each user ?
* The “naming schema solution” for mapping Keycloak resources to
database objects seems more like a workaround
That is fine, another approach is store the "reference id" in a column.
Are there best practices for doing this kind of thing with Keycloak? If
not, I’d be grateful for any tips on how to turn this into a more robust /
efficient solution.
Until now, we have focused on API security as well privacy. For the
latter, permissions are evaluated on a per resource basis so you don't have
any performance penalties when doing this.
Thanks,
Marco
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2275
days inactive
2276
days old
3 comments
2 participants
participants (2)
-
Lamina, Marco -
Pedro Igor Silva