11:45 p.m.
Dear Keycloak Community,
we are evaluating Keycloak and have the use that that we cannot migrate authorization
information (roles, permissions, ...) to Keycloak. We have this information stored in a
legacy database. Is it possible to write an extension to Keycloak which handles with
authorization decisions there? It would load our roles and permissions, etc. and decide if
it grants access to the user or client being present. I know about the extension mechanism
on writing custom User Store providers but I'm not sure if this is the right place to
do that for authorization information as well?
Thank you for any help,
Best regard,
Herbert?
Herbert Mühlburger
Senior System Engineer
[http://signature.bearingpoint.com/BrP_Logo.png]
T +43 316 8003
F +43 316 8003 1080
BearingPoint
Seering 6, Block B
8141 Premstätten
Austria
herbert.muehlburger(a)bearingpoint.com <mailto:herbert.muehlburger@bearingpoint.com>
www.bearingpoint.com<http://www.bearingpoint.com/>
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
The information in this email is confidential and may be legally privileged. If you are
not the intended recipient of this message, any review, disclosure, copying, distribution,
retention, or any action taken or omitted to be taken in reliance on it is prohibited and
may be unlawful. If you are not the intended recipient, please reply to or forward a copy
of this message to the sender and delete the message, any attachments, and any copies
thereof from your system.
2:24 p.m.
The only SPI we have in AuthZ Services is for writing custom policy
providers. But this SPI is not yet public and should change in next
releases.
What do you think about this RFE [1] ?
How your permissions look like in your legacy database ? E.g.: A string
like resource:role|group|user:action ?
[1] https://issues.jboss.org/browse/KEYCLOAK-5346
On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert <
herbert.muehlburger(a)bearingpoint.com> wrote:
Dear Keycloak Community,
we are evaluating Keycloak and have the use that that we cannot migrate
authorization information (roles, permissions, ...) to Keycloak. We have
this information stored in a legacy database. Is it possible to write an
extension to Keycloak which handles with authorization decisions there? It
would load our roles and permissions, etc. and decide if it grants access
to the user or client being present. I know about the extension mechanism
on writing custom User Store providers but I'm not sure if this is the
right place to do that for authorization information as well?
Thank you for any help,
Best regard,
Herbert?
Herbert Mühlburger
Senior System Engineer
[http://signature.bearingpoint.com/BrP_Logo.png]
T +43 316 8003
F +43 316 8003 1080
BearingPoint
Seering 6, Block B
8141 Premstätten
Austria
herbert.muehlburger(a)bearingpoint.com <mailto:herbert.muehlburger@
bearingpoint.com>
www.bearingpoint.com<http://www.bearingpoint.com/>
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
The information in this email is confidential and may be legally
privileged. If you are not the intended recipient of this message, any
review, disclosure, copying, distribution, retention, or any action taken
or omitted to be taken in reliance on it is prohibited and may be unlawful.
If you are not the intended recipient, please reply to or forward a copy of
this message to the sender and delete the message, any attachments, and any
copies thereof from your system.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:25 p.m.
Hi,
thank's for the response.
So the only solution that I could think of is to wait for RFE to be implemented? It would
indeed solve our use case.
Our authorization model is based on a role based access model (RBAC). But we have some
customaziations which give you additional permissions or restrict your permissions to
access certain entities. (Kind of a mix between RBAC with row level security. We need to
write our custom logic to grant or deny access to the given resource.
We don't want to use internal SPIs that will be changed in future releases and we are
not able to migrate our authorization model to Keycloak because of our customizations.
Do you think RFE (https://issues.jboss.org/browse/KEYCLOAK-5346) will be addressed in near
future?
Best,
Herbert
________________________________
Von: Pedro Igor Silva <psilva(a)redhat.com>
Gesendet: Montag, 28. August 2017 14:24
An: Muehlburger, Herbert
Cc: keycloak-user(a)lists.jboss.org
Betreff: Re: [keycloak-user] Custom Authorization in Keycloak
The only SPI we have in AuthZ Services is for writing custom policy providers. But this
SPI is not yet public and should change in next releases.
What do you think about this RFE [1] ?
How your permissions look like in your legacy database ? E.g.: A string like
resource:role|group|user:action ?
[1] https://issues.jboss.org/browse/KEYCLOAK-5346
On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert
<herbert.muehlburger@bearingpoint.com<mailto:herbert.muehlburger@bearingpoint.com>>
wrote:
Dear Keycloak Community,
we are evaluating Keycloak and have the use that that we cannot migrate authorization
information (roles, permissions, ...) to Keycloak. We have this information stored in a
legacy database. Is it possible to write an extension to Keycloak which handles with
authorization decisions there? It would load our roles and permissions, etc. and decide if
it grants access to the user or client being present. I know about the extension mechanism
on writing custom User Store providers but I'm not sure if this is the right place to
do that for authorization information as well?
Thank you for any help,
Best regard,
Herbert?
Herbert Mühlburger
Senior System Engineer
[http://signature.bearingpoint.com/BrP_Logo.png]
T +43 316 8003<tel:%2B43%20316%208003>
F +43 316 8003 1080<tel:%2B43%20316%208003%201080>
BearingPoint
Seering 6, Block B
8141 Premstätten
Austria
herbert.muehlburger@bearingpoint.com<mailto:herbert.muehlburger@bearingpoint.com>
<mailto:herbert.muehlburger@bearingpoint.com<mailto:herbert.muehlburger@bearingpoint.com>>
www.bearingpoint.com<http://www.bearingpoint.com><http://www.bea...
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
The information in this email is confidential and may be legally privileged. If you are
not the intended recipient of this message, any review, disclosure, copying, distribution,
retention, or any action taken or omitted to be taken in reliance on it is prohibited and
may be unlawful. If you are not the intended recipient, please reply to or forward a copy
of this message to the sender and delete the message, any attachments, and any copies
thereof from your system.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
The information in this email is confidential and may be legally privileged. If you are
not the intended recipient of this message, any review, disclosure, copying, distribution,
retention, or any action taken or omitted to be taken in reliance on it is prohibited and
may be unlawful. If you are not the intended recipient, please reply to or forward a copy
of this message to the sender and delete the message, any attachments, and any copies
thereof from your system.
10:54 p.m.
On Mon, Aug 28, 2017 at 12:25 PM, Muehlburger, Herbert <
herbert.muehlburger(a)bearingpoint.com> wrote:
Hi,
thank's for the response.
So the only solution that I could think of is to wait for RFE to be
implemented? It would indeed solve our use case.
Our authorization model is based on a role based access model (RBAC). But
we have some customaziations which give you additional permissions or
restrict your permissions to access certain entities. (Kind of a mix
between RBAC with row level security. We need to write our custom logic to
grant or deny access to the given resource.
It has been a while I'm thinking about this functionality. Your use case
seems to have some of the requirements behind it.
But now that you mentioned "certain entities" and "row level
security", I
assume you already have a bunch of these entities in your database, so you
would need to create them in Keycloak in order to be able to associate them
with policies. They would need to be resources in Keycloak.
The idea behind that RFE is to allow people to delegate authorization
decisions to an external service (KC acting as an authorization broker)
when evaluating permissions for specific resources. I think it would not
address all your requirements though, but maybe complicate things as you
would need to re-create your entities as resources in Keycloak.
We don't want to use internal SPIs that will be changed in future releases
and we are not able to migrate our authorization model to Keycloak because
of our customizations.
Do you think RFE (https://issues.jboss.org/browse/KEYCLOAK-5346) will be
addressed in near future?
Best,
Herbert
________________________________
Von: Pedro Igor Silva <psilva(a)redhat.com>
Gesendet: Montag, 28. August 2017 14:24
An: Muehlburger, Herbert
Cc: keycloak-user(a)lists.jboss.org
Betreff: Re: [keycloak-user] Custom Authorization in Keycloak
The only SPI we have in AuthZ Services is for writing custom policy
providers. But this SPI is not yet public and should change in next
releases.
What do you think about this RFE [1] ?
How your permissions look like in your legacy database ? E.g.: A string
like resource:role|group|user:action ?
[1] https://issues.jboss.org/browse/KEYCLOAK-5346
On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert <
herbert.muehlburger@bearingpoint.com<mailto:herber
t.muehlburger(a)bearingpoint.com>> wrote:
Dear Keycloak Community,
we are evaluating Keycloak and have the use that that we cannot migrate
authorization information (roles, permissions, ...) to Keycloak. We have
this information stored in a legacy database. Is it possible to write an
extension to Keycloak which handles with authorization decisions there? It
would load our roles and permissions, etc. and decide if it grants access
to the user or client being present. I know about the extension mechanism
on writing custom User Store providers but I'm not sure if this is the
right place to do that for authorization information as well?
Thank you for any help,
Best regard,
Herbert?
Herbert Mühlburger
Senior System Engineer
[http://signature.bearingpoint.com/BrP_Logo.png]
T +43 316 8003<tel:%2B43%20316%208003>
F +43 316 8003 1080<tel:%2B43%20316%208003%201080>
BearingPoint
Seering 6, Block B
8141 Premstätten
Austria
herbert.muehlburger@bearingpoint.com<mailto:herber
t.muehlburger(a)bearingpoint.com> <mailto:herbert.muehlburger@
bearingpoint.com<mailto:herbert.muehlburger@bearingpoint.com>>
www.bearingpoint.com<http://www.bearingpoint.com><http://
www.bearingpoint.com/>
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
The information in this email is confidential and may be legally
privileged. If you are not the intended recipient of this message, any
review, disclosure, copying, distribution, retention, or any action taken
or omitted to be taken in reliance on it is prohibited and may be unlawful.
If you are not the intended recipient, please reply to or forward a copy of
this message to the sender and delete the message, any attachments, and any
copies thereof from your system.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
The information in this email is confidential and may be legally
privileged. If you are not the intended recipient of this message, any
review, disclosure, copying, distribution, retention, or any action taken
or omitted to be taken in reliance on it is prohibited and may be unlawful.
If you are not the intended recipient, please reply to or forward a copy of
this message to the sender and delete the message, any attachments, and any
copies thereof from your system.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2684
days inactive
2687
days old
3 comments
2 participants
participants (2)
-
Muehlburger, Herbert -
Pedro Igor Silva