[keycloak-user] Only bearer client and Authorization
Pedro Igor Silva
psilva at redhat.com
Wed Jun 26 15:56:53 EDT 2019
Hi Ronaldo,
That is a good point and probably something we can improve.
Currently, the roles are always obtained from the bearer token or
subject_token you are using to make the authorization request. I think we
could also fall back to checking roles by querying our identity stores
internally.
One thing you could do for now though is writing a JS policy to perform
RBAC [1].
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context
On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <ronaldo.yamada at serpro.gov.br> wrote:
> Hi,
>
> I have a following use case:
>
> One client A1 (web) performs an authorization code flow and gets an
> access_token.
>
> I want to use this access token as Bearer token T1[azp=A1] in backend client
> B1 (api) with authorization enabled.
>
> And validate permissions on Resources#Scopes in client B1 mapped by a client
> B1 RolePolicy.
>
> I already got it to work, but only if I add the builtin protocol mapper "User Client
> Role" to the first client A1 and insert the client roles of B1 into token T1.
>
> But this greatly increases the size of access_token T1, and I have a limit of 4k.
>
> How do I make Keycloak evaluate authz permissions [RolePolicy] against the User
> client role in the internal database, instead of the information in the first token T1?
>
> Ronaldo Hideki Yamada
> -
>
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a
> government company established under Brazilian law (5.615/70) -- is
> directed exclusively to its addressee and may contain confidential data,
> protected under professional secrecy rules. Its unauthorized use is illegal
> and may subject the transgressor to the law's penalties. If you're not the
> addressee, please send it back, elucidating the failure."
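As an added illustration of the workaround Pedro points to (not code from the thread or from the Keycloak project), the following JavaScript policy for client B1 checks the user's B1 client role through the realm API exposed to policies rather than through the resource_access claims of token T1, so A1's token no longer needs the "User Client Role" mapper. It assumes that `$evaluation` exposes `getContext().getIdentity().getId()`, `getRealm().isUserInClientRole(userId, clientId, roleName)`, `grant()` and `deny()` as described in the linked Keycloak documentation, and that the required role is named `api-reader`; the stand-in evaluation object and role mappings below are constructed only so the script can be exercised offline.

```javascript
// Added example (not from the thread): Keycloak JS policy for client B1 doing
// RBAC against the realm's stored user -> client-role mappings instead of the
// resource_access claims carried in bearer token T1.
// Assumed API: $evaluation.getContext().getIdentity().getId(),
// $evaluation.getRealm().isUserInClientRole(userId, clientId, role),
// $evaluation.grant() / $evaluation.deny().
var REQUIRED_CLIENT = 'B1';        // client that owns the protected resources
var REQUIRED_ROLE = 'api-reader';  // B1 client role this policy requires (assumed name)

// Policy body. Returns the decision so it can be checked offline.
function evaluate(evaluation) {
  var identity = evaluation.getContext().getIdentity();
  var realm = evaluation.getRealm();
  // Ask the identity store, not the token, whether the user holds the B1 role.
  // A role revoked after T1 was issued is therefore denied immediately.
  if (realm.isUserInClientRole(identity.getId(), REQUIRED_CLIENT, REQUIRED_ROLE)) {
    evaluation.grant();
    return true;
  }
  evaluation.deny();
  return false;
}

// Inside Keycloak the script runs with a global $evaluation; guard it so the
// file also runs stand-alone.
if (typeof $evaluation !== 'undefined') {
  evaluate($evaluation);
}

// Constructed stand-in for $evaluation, used only for offline verification.
function fakeEvaluation(userId, roleMappings) {
  var decision = null;
  return {
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return userId; } }; } };
    },
    getRealm: function () {
      return {
        isUserInClientRole: function (id, clientId, role) {
          var roles = (roleMappings[id] || {})[clientId] || [];
          return roles.indexOf(role) !== -1;
        }
      };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision; }
  };
}

// Constructed realm state: alice holds B1/api-reader, bob holds only B1/api-writer.
var sampleMappings = { alice: { B1: ['api-reader'] }, bob: { B1: ['api-writer'] } };
```

Because the decision is driven by the realm's role mappings, the token stays small and the policy reflects role changes without waiting for T1 to expire.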