[keycloak-user] Keycloak authorization protected resource with user attributes
Pedro Igor
psilva at redhat.com
Mon Dec 19 13:31:51 EST 2016
Hi, answers inline.
On 12/18/2016 5:30:03 PM, uğur kolip <ugur.kolip at gmail.com> wrote:
Hi,
I am using Keycloak 2.4.0 Final. I am trying to copy the photoz example to a Spring Boot app (with the Spring Boot adapter) and add the same features.
Features that I am trying to add:
Make a page where an admin user can create users, create protected resources, and give users access to these protected resources (to add these I use keycloak-admin-client).
For example, with the admin page I create protected resources whose URIs are campaign/*camp1*/* and campaign/*camp2*/*. The Spring endpoints are campaign/{campaignName}/create, campaign/{campaignName}/update, campaign/{campaignName}/delete.
For authorization, I add user attributes like (key: camp1, value: create,update) or (key: camp2, value: read) and I try to use these attributes in a policy on the protected resource.
Pedro Igor: Aren't create and update scopes? If they are actions you can perform on a resource, you probably need to map them as such. Resources can have scopes, and you can apply permissions to a resource, to specific scopes, or to a combination of resource + scopes.
My questions:
1. Is using attributes for authorization the right way? Can these attributes be changed on the client side to hack?
Pedro Igor: You can use attributes for authorization; we are ABAC friendly, and whatever you have in your token as a claim can be used to create policies. However, the only way you can do ABAC right now is using either JS or Rule policies. We do have plans to support OOTB a specific ABAC policy provider with its own UI.
2. My other idea is creating a role for each protected resource, like (camp1_create, camp1_update), and adding them to users. Is this way suitable? If I use this way, there are too many roles.
Pedro Igor: It seems you are trying to build something that we are planning to support: allowing users to manage their own resources, things like resource sharing, etc. Is that what you are looking for?
3. When I try to use attributes, I add the mapping to the REST API (photoz-restful-api), but it is when I add the mapping to the client app (photoz-html5-client) that it works. I don't understand: should we add the mapping to the client which I call? What should I do if I call this API (photoz-restful-api) from some other app?
Pedro Igor: When you authenticate, you do that through photoz-html5-client, which is acting on your behalf in order to obtain authentication and authorization data from Keycloak. That is why you need to map things to photoz-html5-client. What our authorization endpoints do is introspect this token and extract all information from it in order to pass it to your policies during evaluation.
4. In the JS policy, can I use groups, and how?
Pedro Igor: We don't support a group-based policy right now; it is something we have a JIRA for. However, groups are just another claim within a token and thus can be obtained from your JS policy. It is not the best way, but it should work. Better would be once we get the GBAC JIRA done.
5. In the JS policy, can I get data from my DB or an endpoint? (like this: if(someMethod(identity.getId()) == true) $evaluation.grant();) Because I need extra data for authz.
Pedro Igor: No, you can't. But that is probably something we can improve in order to push objects to your JS code when using the JS policy.
However, you can write your own policy providers if you need to.
6. Can we debug the JS policy? I want to know the identity and context attributes. console.log does not work :)
Pedro Igor: You can use print("something") instead. But there is no online debugger or anything like that.
One thing you can do is use our evaluation tool when developing your policies.
7. Can we use the request body for authorization, in the JS policy or somewhere else?
Pedro Igor: Not right now. But we do have some built-in attributes that we push during evaluation of policies, for instance the user agent, client address, etc.
My main mission is creating protected resources and finding a way to authorize these endpoints. What should I add to the user, and how do I use it?
Thank you for your help, and sorry for my English :)
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
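As an added example (not code from the thread or from the Keycloak project), the following JS policy does the check Pedro sketches in his first reply: camp1 and camp2 are resources, create/update/delete are their scopes, and the user attribute keyed by the resource name lists the scopes that user may use. The $evaluation calls (getContext().getIdentity(), getAttributes().getValue(name) with asString(0)/isEmpty(), getPermission().getResource()/getScopes(), grant()/deny()) and print() are Keycloak's documented JS policy API; the mockEvaluation harness, the helper names and the user data are assumptions constructed so the same file also runs under Node for testing. The thread does not confirm which of these methods the 2.4.0 build exposes, so check the script with the evaluation tool Pedro mentions before relying on it.

```javascript
// Added example, not from the thread or the Keycloak project: a JS policy that
// grants a scope on resource "campN" only if the user's attribute "campN" lists
// that scope (attribute camp1 = "create,update" allows create and update).

// Pedro's debugging tip: Keycloak's Nashorn engine has print(); Node does not.
var log = (typeof print === 'function') ? print : function (s) { console.log(s); };

// "create, update," -> ["create", "update"]; tolerates spaces and empty items.
function parseAllowedScopes(value) {
  var out = [];
  var parts = String(value).split(',');
  for (var i = 0; i < parts.length; i++) {
    var s = parts[i].trim();
    if (s.length > 0) out.push(s);
  }
  return out;
}

// Policy logic. Returns 'grant' or 'deny' after calling $evaluation.grant()/deny().
// Index loops rather than Array.prototype methods because under Nashorn
// getScopes().toArray() is a Java array, not a JS array (assumption for 2.4.0).
function evaluatePolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var permission = $evaluation.getPermission();
  var resourceName = String(permission.getResource().getName());   // e.g. "camp1"

  var scopeArray = permission.getScopes().toArray();
  var requested = [];
  for (var i = 0; i < scopeArray.length; i++) {
    requested.push(String(scopeArray[i].getName()));
  }
  log('policy: user=' + identity.getId() + ' resource=' + resourceName +
      ' requested=' + requested.join(','));

  // Fail closed: a resource-level request without scopes would mean "any action".
  if (requested.length === 0) { $evaluation.deny(); return 'deny'; }

  // The user attribute is keyed by the resource name, exactly as in the thread.
  var entry = identity.getAttributes().getValue(resourceName);
  if (entry === null || entry.isEmpty()) { $evaluation.deny(); return 'deny'; }

  var allowed = parseAllowedScopes(entry.asString(0));
  for (var j = 0; j < requested.length; j++) {
    if (allowed.indexOf(requested[j]) === -1) { $evaluation.deny(); return 'deny'; }
  }
  $evaluation.grant();
  return 'grant';
}

// Inside Keycloak the script runs with $evaluation in scope; under Node it is absent.
if (typeof $evaluation !== 'undefined') { evaluatePolicy($evaluation); }

// ---- Constructed mock of the few evaluation-API methods used above; local runs only ----
function mockEvaluation(userId, userAttributes, resourceName, scopeNames) {
  var decision = null;
  var attributes = {
    getValue: function (name) {
      if (!Object.prototype.hasOwnProperty.call(userAttributes, name)) return null;
      var values = userAttributes[name];
      return {
        isEmpty: function () { return values.length === 0; },
        asString: function (i) { return values[i]; }
      };
    }
  };
  var identity = {
    getId: function () { return userId; },
    getAttributes: function () { return attributes; }
  };
  var scopes = [];
  for (var i = 0; i < scopeNames.length; i++) {
    scopes.push({ getName: (function (n) { return function () { return n; }; })(scopeNames[i]) });
  }
  return {
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    getPermission: function () {
      return {
        getResource: function () { return { getName: function () { return resourceName; } }; },
        getScopes: function () { return { toArray: function () { return scopes; } }; }
      };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    decision: function () { return decision; }
  };
}

// Worked runs on constructed data using the thread's own values.
var user = { camp1: ['create,update'], camp2: ['read'] };
evaluatePolicy(mockEvaluation('u1', user, 'camp1', ['create']));           // grant
evaluatePolicy(mockEvaluation('u1', user, 'camp1', ['create', 'delete'])); // deny
evaluatePolicy(mockEvaluation('u1', user, 'camp2', ['read']));             // grant
evaluatePolicy(mockEvaluation('u1', user, 'camp3', ['create']));           // deny: no attribute
```

To use it in Keycloak, paste the part above the mock into a JS policy's code field, attach the policy to a scope-based permission on resource camp1 (scopes create, update, delete), and run it through the evaluation tool; the print() lines show up in the server log. The attribute lives on the user in Keycloak and reaches the policy through the token Keycloak issued, which is why the mapping has to be on the client that obtained the token; a client cannot edit a claim in that signed token without breaking its signature.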