[keycloak-user] FW: Access control and client setup
Pedro Igor Silva
psilva at redhat.com
Thu Jul 26 08:00:17 EDT 2018
On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean <dean.wyns at aptus.be> wrote:
> Hi
>
> I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but
> I can't seem to wrap my head around some things.
>
> We want to separate our APIs from the IAM. The sole purpose of Keycloak is
> to provide an identity and access token, primarily using the implicit flow.
> The client-side application (usually SPAs) uses the access token in all API
> calls and the resource server checks the signature of the access token but
> does not access Keycloak at all.
>
> Each backend has a few operations, and each operation gets its own
> "permission". For example one API can manage "items", so there are four
> permissions:
> - create:item
> - read:item
> - update:item
> - delete:item
>
> Is it best practice with Keycloak to model these permissions as scopes?
> And then use roles/permissions/policies to limit the scope of the user? The
> backend can then just decode the access token and read the granted scopes.
>
Ideally, you should define your authorization settings based on on your
model. So if you have a resource "Item", which is a protected resource in
your API you should have a "Item Resource" in Keycloak. The actions/methods
create, read, update and delete can be scopes associated with your "Item"
resource.
Once you have your item resource and scopes, you can define permissions
that govern access for the resource itself or for each scope individually.
All depends on how you create those permissions (resource vs scope
permissions) and policies associated with them.
The backend could just decode the token and check for the "permissions"
claim. Or you can also query the Keycloak server on every request to obtain
a decision.
>
> Also, in a SPA + API set-up, do I create two clients in Keycloak, one for
> each? This is only useful when the API needs resource protection, right? I
> guess in my case I only need one client for the SPA because the API only
> needs the scope from the access token by decoding it.
>
I would say you should have two clients representing both applications.
They have different requirements and are really different things. Your SPA
is probably a reguar public client while your API is a resource server.
>
> Thanks for any feedback
>
> Kind regards
> Dean
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list