For realm roles you can use:
var realm = $evaluation.getRealm();
if (realm.isUserInRealmRole('marta', 'role-a')) {
$evaluation.grant();
}
For client roles:
var realm = $evaluation.getRealm();
if (realm.isUserInClientRole('marta', 'my-client', 'some-client-role')) {
$evaluation.grant();
}
For roles granted to a group:
var realm = $evaluation.getRealm();
if (realm.isGroupInRole('/Group A/Group D', 'role-a')) {
$evaluation.grant();
}
Where you can change "marta" in those examples to "identity.getId()".
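As an added example (not code from the thread or from Keycloak itself), the two approaches discussed here side by side: the token-only `identity.hasClientRole` check from the posted policy, and the `realm.isUserInClientRole(identity.getId(), ...)` lookup suggested above. Keycloak provides the real `$evaluation`; the `makeEvaluation` stand-in and its internal-roles table are constructed here so the difference can be observed offline.

```javascript
// Added example, not from the thread: a Keycloak-style JS policy using the
// $evaluation API described above, run against a constructed stand-in.
// Constructed stand-in: Keycloak supplies the real $evaluation; the
// internalRoles table plays the part of the realm's user storage.
function makeEvaluation(tokenAttributes, internalRoles) {
  let granted = false;
  const identity = {
    getId: () => tokenAttributes.sub,
    // Token-based: only sees roles a protocol mapper put into the token.
    hasClientRole: (client, role) =>
      (tokenAttributes[`kc.client.${client}.roles`] || []).includes(role),
  };
  const realm = {
    // Store-based: answered from the (mock) internal identity store.
    isUserInClientRole: (userId, client, role) =>
      ((internalRoles[userId] || {})[client] || []).includes(role),
  };
  return {
    getContext: () => ({ getIdentity: () => identity }),
    getRealm: () => realm,
    grant: () => { granted = true; },
    isGranted: () => granted,
  };
}

// The check as posted in the thread: depends on roles inside the bearer token.
function tokenRolePolicy($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  if (identity.hasClientRole('suite-sc', 'gestor')) {
    $evaluation.grant();
  }
  return $evaluation.isGranted();
}

// The check suggested in the reply: ask the realm about the user's client
// role by user id. Deny stays the default; grant() runs only on a hit.
function storeRolePolicy($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  const realm = $evaluation.getRealm();
  if (realm.isUserInClientRole(identity.getId(), 'suite-sc', 'gestor')) {
    $evaluation.grant();
  }
  return $evaluation.isGranted();
}

// Constructed data mirroring the two log lines in the thread: a token with
// and without kc.client.suite-sc.roles, and the roles held in the store.
const TOKEN_WITHOUT_ROLES = { sub: 'user-1', azp: 'suite-sc' };
const TOKEN_WITH_ROLES = { ...TOKEN_WITHOUT_ROLES, 'kc.client.suite-sc.roles': ['cadastrador', 'gestor'] };
const INTERNAL_STORE = { 'user-1': { 'suite-sc': ['cadastrador', 'gestor'] } };
```

With the role mapper absent from the token, only the store-based policy grants; both policies deny when the user holds no such role anywhere.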
On Fri, Jun 28, 2019 at 12:02 PM Ronaldo Hideki Yamada <ronaldo.yamada(a)serpro.gov.br> wrote:
Pedro,
Using JSPolicy also does not work, as shown in
https://www.keycloak.org/docs/latest/authorization_services/index.html#ch...
but: context.getIdentity() also gets its data from the token, not from the
internal identity store.
How to get a UserModel (or any internal user) from a context?
I found KeycloakIdentity::getUserFromSessionState, but the method is private.
/**
* JSPolicy: eh_gestor
*/
var context = $evaluation.getContext();
var identity = context.getIdentity();
var Logger = Java.type("org.jboss.logging.Logger");
var LOG = Logger.getLogger(Java.type("org.keycloak.authorization.policy.provider.js.JSPolicyProvider"));
LOG.info(identity.getAttributes().toMap().toString());
if (identity.hasClientRole('suite-sc', 'gestor')) {
$evaluation.grant();
}
/* EOF */
# Log output when client roles aren't mapped to the token:
2019-06-28 11:35:58,823 INFO [[JavaClass
org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default
task-102) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0],
azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], typ=[Bearer],
exp=[1561734358], session_state=[c73b7532-55d6-4d49-a1d1-662fe9fac369],
iat=[1561732558], jti=[0873781a-b595-4a50-a4e2-33730cede059]}
# Log output when client roles are mapped to the token:
2019-06-28 11:51:42,295 INFO [[JavaClass
org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default
task-107) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0],
azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada],
kc.client.suite-sc.roles=[cadastrador, gestor], typ=[Bearer],
exp=[1561735302], session_state=[af72aa12-3e94-4ebe-9bc7-a47bffeecef1],
iat=[1561733502], jti=[f8ef05a1-44ab-4c99-863c-1875a82cdd8f]}
Ronaldo Hideki Yamada
SUPES/ESDEA/ESCSP
----- Original message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "ronaldo.yamada serpro" <ronaldo.yamada(a)serpro.gov.br>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, June 26, 2019 16:56:53
Subject: Re: [keycloak-user] Only bearer client and Authorization
Hi Ronaldo,
That is a good point and probably something we can improve.
Currently, the roles are always obtained from the bearer token or
subject_token you are using to make the authorization request. I think we
could also fall back to checking roles by querying our identity stores
internally.
One thing you could do for now though is to write a JS policy to perform
RBAC [1].
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#ch...
On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <ronaldo.yamada(a)serpro.gov.br> wrote:
Hi,
I have the following use case:
One client A1 (web) makes an authentication code flow and gets an
access_token.
I want to use this access token as Bearer token T1[azp=A1] in backend client
B1 (api) with authorization enabled,
and validate permissions on Resources#Scopes in client B1 mapped by client
B1 RolePolicy.
I already got it to work, but only if I add the builtin protocol mapper "User Client
Role" to the first client A1 and insert the client roles of B1 into token T1.
But this largely increases the size of access_token T1, and I have a limit of 4k.
How can I make Keycloak evaluate authz permissions [RolePolicy] against the User
client role in the internal database, instead of the information in the first token T1?
Ronaldo Hideki Yamada