[keycloak-user] Coarse and Fine Grained Entitlements

Bill Burke bburke at redhat.com
Wed Feb 3 14:03:22 EST 2016


Pedro is working on that... He has some stuff. Hope he responds. Not 
going to be part of Keycloak until 2.0 though. And yes, it's around UMA.

On 2/3/2016 1:47 PM, Guy Davis wrote:
> Hi Lars,
>
> Good question.  My organization is also asking similar questions about 
> adopting Keycloak.  Let me give my understanding as a user, then 
> Keycloak team can correct my misunderstandings.
>
> Basically, Keycloak offers coarse-grained authorizations (realm roles 
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/per-realm-admin-permissions.html> and client-app 
> roles 
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/roles.html>) 
> assigned to users (or groups 
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/groups.html>). 
> So I understand Keycloak will let you grant user Bob the 
> 'myapp-admin' role. However, it falls to the backend service or 
> application to then map that role to application-specific 
> permissions. For example, role 'myapp-admins' can access the 
> /myapp/project1/admin page. This resource security can be done (for 
> Java apps) in declarative fashion using web.xml security constraints. 
> Alternatively, your application code could dynamically obtain the 
> Keycloak user principal, check their roles, and map into your app's 
> permission scheme.
>
> This understanding implies that your application is responsible for an 
> admin UI to map fine-grained permissions on your app's resources to 
> Keycloak roles. If your app only has 'coarse-grained' resources, 
> then you can probably just use Keycloak roles, with no need for a 
> permission layer or the UI it entails.
>
> Also, see this preamble about Permission Scopes 
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e65>. In 
> future, it sounds like the Keycloak team is considering support for the 
> UMA portion of the OAuth standard 
> <https://docs.kantarainitiative.org/uma/draft-uma-core.html>. This 
> may help with fine-grained permission management within Keycloak itself?
>
> Hope this helps,
> Guy
>
> <sorry, original response was only to Lars, now to list as well>
>
> On Tue, Feb 2, 2016 at 8:29 PM, Lars Noldan 
> <lars.noldan at drillinginfo.com> wrote:
>
>     We're in the investigation stage on moving from a
>     $BigExpensiveVendor solution toward Keycloak, and we're looking
>     for a solution to help manage both coarse- and fine-grained
>     entitlements. Keycloak appears to be a fantastic authentication
>     solution, but I'm wondering what are you, the Keycloak community,
>     using to handle authorization?
>
>     Thanks!
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
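Guy's reply above describes the application-side permission layer that sits on top of Keycloak's coarse-grained roles: the container (via the Keycloak adapter) knows that Bob holds 'myapp-admin', and the application decides what that role may do with /myapp/project1/admin. The following servlet filter is an added illustration of that layer, not code from the thread or from the Keycloak project. It assumes the Keycloak servlet adapter has already authenticated the request and exposed the user's roles through the container, so that the standard `HttpServletRequest.isUserInRole` works; the role names, permission names, path patterns and the `PermissionFilter` class itself are constructed for this example.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical application-side permission layer (example code, not part of
 * Keycloak). Coarse Keycloak roles, made visible to the container by the
 * Keycloak adapter, are mapped onto fine-grained, application-defined
 * permissions, which are then enforced per request path.
 */
public class PermissionFilter implements Filter {

    /** Fine-grained permissions named by the application, not by Keycloak (constructed). */
    enum Permission { PROJECT_READ, PROJECT_ADMIN }

    /**
     * Role -> permissions. This table is the thing an application's own
     * admin UI would edit; Keycloak only knows the role names on the left.
     * Role names here are constructed sample values.
     */
    private static final Map<String, Set<Permission>> ROLE_PERMISSIONS = new HashMap<>();
    static {
        ROLE_PERMISSIONS.put("myapp-admin", EnumSet.of(Permission.PROJECT_READ, Permission.PROJECT_ADMIN));
        ROLE_PERMISSIONS.put("myapp-user", EnumSet.of(Permission.PROJECT_READ));
    }

    /** Which permission a path needs; null means no application-level check applies. */
    static Permission requiredPermission(String path) {
        if (path.matches("/myapp/project\\d+/admin(/.*)?")) {
            return Permission.PROJECT_ADMIN;
        }
        if (path.startsWith("/myapp/project")) {
            return Permission.PROJECT_READ;
        }
        return null;
    }

    /**
     * Deny by default: grant only if some role the caller holds carries the
     * needed permission. The servlet API cannot enumerate a caller's roles,
     * so the check walks the roles the mapping table knows about.
     */
    static boolean hasPermission(HttpServletRequest req, Permission needed) {
        for (Map.Entry<String, Set<Permission>> entry : ROLE_PERMISSIONS.entrySet()) {
            if (entry.getValue().contains(needed) && req.isUserInRole(entry.getKey())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Path relative to the web application, e.g. "/myapp/project1/admin".
        String path = req.getRequestURI().substring(req.getContextPath().length());
        Permission needed = requiredPermission(path);

        if (needed != null && !hasPermission(req, needed)) {
            // Authenticated but not entitled: 403, not a redirect to login.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

For `isUserInRole` to behave portably, each role name the filter queries should also be declared as a `<security-role>` in web.xml, and the protected paths still need a `<security-constraint>` so the adapter redirects unauthenticated callers to Keycloak before this filter runs. The filter itself never hard-codes "who is an admin"; it only consults the mapping table, which is exactly the part Guy notes would need its own admin UI once resources become fine-grained.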
