[keycloak-user] Custom Authorization in Keycloak

Muehlburger, Herbert herbert.muehlburger at bearingpoint.com
Mon Aug 28 11:25:58 EDT 2017


Hi,


thank's for the response.


So the only solution that I could think of is to wait for RFE to be implemented? It would indeed solve our use case.


Our authorization model is based on a role based access model (RBAC). But we have some customaziations which give you additional permissions or restrict your permissions to access certain entities. (Kind of a mix between RBAC with row level security. We need to write our custom logic to grant or deny access to the given resource.


We don't want to use internal SPIs that will be changed in future releases and we are not able to migrate our authorization model to Keycloak because of our customizations.


Do you think RFE (https://issues.jboss.org/browse/KEYCLOAK-5346) will be addressed in near future?


Best,

Herbert


________________________________
Von: Pedro Igor Silva <psilva at redhat.com>
Gesendet: Montag, 28. August 2017 14:24
An: Muehlburger, Herbert
Cc: keycloak-user at lists.jboss.org
Betreff: Re: [keycloak-user] Custom Authorization in Keycloak

The only SPI we have in AuthZ Services is for writing custom policy providers. But this SPI is not yet public and should change in next releases.

What do you think about this RFE [1] ?

How your permissions look like in your legacy database ? E.g.: A string like resource:role|group|user:action ?

[1] https://issues.jboss.org/browse/KEYCLOAK-5346


On Fri, Aug 25, 2017 at 6:45 PM, Muehlburger, Herbert <herbert.muehlburger at bearingpoint.com<mailto:herbert.muehlburger at bearingpoint.com>> wrote:
Dear Keycloak Community,


we are evaluating Keycloak and have the use that that we cannot migrate authorization information (roles, permissions, ...) to Keycloak. We have this information stored in a legacy database. Is it possible to write an extension to Keycloak which handles with authorization decisions there? It would load our roles and permissions, etc. and decide if it grants access to the user or client being present. I know about the extension mechanism on writing custom User Store providers but I'm not sure if this is the right place to do that for authorization information as well?


Thank you for any help,

Best regard,

Herbert?



Herbert Mühlburger
Senior System Engineer

[http://signature.bearingpoint.com/BrP_Logo.png]

T  +43 316 8003<tel:%2B43%20316%208003>
F  +43 316 8003 1080<tel:%2B43%20316%208003%201080>

BearingPoint
Seering 6, Block B
8141 Premstätten
Austria

herbert.muehlburger at bearingpoint.com<mailto:herbert.muehlburger at bearingpoint.com> <mailto:herbert.muehlburger at bearingpoint.com<mailto:herbert.muehlburger at bearingpoint.com>>
www.bearingpoint.com<http://www.bearingpoint.com><http://www.bearingpoint.com/>
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b

The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b

The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.


More information about the keycloak-user mailing list