[keycloak-user] Only bearer client and Authorization

Pedro Igor Silva psilva at redhat.com
Fri Jun 28 11:16:13 EDT 2019


For realm roles you can use:

var realm = $evaluation.getRealm();

if (realm.isUserInRealmRole('marta', 'role-a')) {
    $evaluation.grant();
}

For client roles:

var realm = $evaluation.getRealm();

if (realm.isUserInClientRole('marta', 'my-client', 'some-client-role')) {
    $evaluation.grant();
}

For roles granted to a group:

var realm = $evaluation.getRealm();

if (realm.isGroupInRole('/Group A/Group D', 'role-a')) {
    $evaluation.grant();
}

Where you can change "marta" in those examples to "identity.getId()".



On Fri, Jun 28, 2019 at 12:02 PM Ronaldo Hideki Yamada <
ronaldo.yamada at serpro.gov.br> wrote:

> Pedro,
>
> Using a JS policy also does not work, as shown in
> https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context
>
> but: context.getIdentity() also gets its data from the token, not from the internal
> identity store.
>
> How do I get the UserModel (or any internal user) from a context?
>
> I found KeycloakIdentity::getUserFromSessionState, but the method is private.
>
>
>
>
> /**
>  * JSPolicy: eh_gestor
>  */
>
> var context = $evaluation.getContext();
> var identity = context.getIdentity();
> var Logger = Java.type("org.jboss.logging.Logger");
> var LOG =
> Logger.getLogger(Java.type("org.keycloak.authorization.policy.provider.js.JSPolicyProvider"))
> LOG.info(identity.getAttributes().toMap().toString());
>
> if (identity.hasClientRole('suite-sc', 'gestor')) {
>     $evaluation.grant();
> }
>
> /* EOF */
>
>
>
> # Log output when client roles aren't mapped to the token:
> 2019-06-28 11:35:58,823 INFO  [[JavaClass
> org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default
> task-102) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0],
> azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], typ=[Bearer],
> exp=[1561734358], session_state=[c73b7532-55d6-4d49-a1d1-662fe9fac369],
> iat=[1561732558], jti=[0873781a-b595-4a50-a4e2-33730cede059]}
>
>
> # Log output when client roles are mapped to the token:
> 2019-06-28 11:51:42,295 INFO  [[JavaClass
> org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default
> task-107) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0],
> azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada],
> kc.client.suite-sc.roles=[cadastrador, gestor], typ=[Bearer],
> exp=[1561735302], session_state=[af72aa12-3e94-4ebe-9bc7-a47bffeecef1],
> iat=[1561733502], jti=[f8ef05a1-44ab-4c99-863c-1875a82cdd8f]}
>
>
>
>
>
> Ronaldo Hideki Yamada
> SUPES/ESDEA/ESCSP
>
> ----- Original message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "ronaldo.yamada serpro" <ronaldo.yamada at serpro.gov.br>
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Wednesday, June 26, 2019 16:56:53
> Subject: Re: [keycloak-user] Only bearer client and Authorization
>
> Hi Ronaldo,
> That is a good point and probably something we can improve.
>
> Currently, the roles are always obtained from the bearer token or
> subject_token you are using to make the authorization request. I think we
> could also fall back to checking roles by querying our identity stores
> internally.
>
> One thing you could do for now though is writing a JS policy to perform
> RBAC [1].
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context
>
> On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <
> ronaldo.yamada at serpro.gov.br> wrote:
>
>
> Hi,
>
> I have a following use case:
>
> One client A1 (web) performs an authentication code flow and gets an
> access_token.
>
> I want to use this access token as bearer token T1[azp=A1] in a backend client
> B1 (api) with authorization enabled,
>
> and validate permissions on Resources#Scopes in client B1, mapped by a client
> B1 RolePolicy.
>
> I already got it to work, but only if I add the builtin protocol mapper "User Client
> Role" to the first client A1 and insert the client roles of B1 into token T1.
>
> But this largely increases the size of access_token T1, and I have a limit of 4k.
>
> How can I make Keycloak evaluate authz permissions [RolePolicy] against the user's
> client roles in the internal database, instead of the information in the first token T1?
>
>
>
>
> Ronaldo Hideki Yamada
>
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a
> government company established under Brazilian law (5.615/70) -- is
> directed exclusively to its addressee and may contain confidential data,
> protected under professional secrecy rules. Its unauthorized use is illegal
> and may subject the transgressor to the law's penalties. If you're not the
> addressee, please send it back, elucidating the failure."
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

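Putting Pedro's three checks together, as an added example that is not from the original thread or from the Keycloak project: a JS policy body that asks the realm (Keycloak's own user store) whether the requesting user holds the B1 client role, a realm role, or is a member of a group that carries the role. Because the lookups are keyed on `identity.getId()` rather than on claims, nothing has to be mapped into the bearer token and a role revoked in the admin console takes effect on the next evaluation. The `realm.*` method names (`isUserInClientRole`, `isUserInRealmRole`, `isUserInGroup`, `isGroupInRole`) are the ones Keycloak's documentation lists for the JS policy `Realm` object; the `CLIENT_ID`/`REQUIRED_*`/`GROUP_PATH` names, the `makeEvaluation` stand-in for `$evaluation` and the `SAMPLE_STORE` user data are constructed for this demo so the policy can be exercised under Node outside Keycloak. The body of `evaluatePolicy()` is what would be pasted into the policy editor (where `$evaluation` is the runtime-provided global).

```javascript
// Added example, not Keycloak code. Policy parameters (hypothetical names).
var CLIENT_ID = 'suite-sc';            // the API client (B1 in the thread)
var REQUIRED_CLIENT_ROLE = 'gestor';   // B1 client role that grants access
var REQUIRED_REALM_ROLE = 'role-a';    // alternative realm-level role
var GROUP_PATH = '/Group A/Group D';   // group whose members inherit role-a

// Policy body. In Keycloak this runs with $evaluation as a global; here it is
// passed in so the same logic can be driven by the stand-in below.
function evaluatePolicy($evaluation) {
    var context = $evaluation.getContext();
    var identity = context.getIdentity();
    var realm = $evaluation.getRealm();

    // identity.getId() is the user id (the token's "sub"); every check below
    // goes to the realm's user store, not to the token's claims.
    var userId = identity.getId();

    var hasClientRole = realm.isUserInClientRole(userId, CLIENT_ID, REQUIRED_CLIENT_ROLE);
    var hasRealmRole = realm.isUserInRealmRole(userId, REQUIRED_REALM_ROLE);
    // A role granted to a group only counts if the user is actually in that group.
    var hasGroupRole = realm.isUserInGroup(userId, GROUP_PATH) &&
                       realm.isGroupInRole(GROUP_PATH, REQUIRED_REALM_ROLE);

    if (hasClientRole || hasRealmRole || hasGroupRole) {
        $evaluation.grant();
    } else {
        $evaluation.deny();
    }
}

// ---- Constructed stand-in for Keycloak's evaluation context (not Keycloak code) ----
function makeEvaluation(userId, store) {
    var decision = null;
    function user(id) { return store.users[id]; }
    return {
        getContext: function () {
            return { getIdentity: function () { return { getId: function () { return userId; } }; } };
        },
        getRealm: function () {
            return {
                isUserInClientRole: function (id, clientId, role) {
                    var u = user(id);
                    return !!(u && u.clientRoles[clientId] && u.clientRoles[clientId].indexOf(role) !== -1);
                },
                isUserInRealmRole: function (id, role) {
                    var u = user(id);
                    return !!(u && u.realmRoles.indexOf(role) !== -1);
                },
                isUserInGroup: function (id, groupPath) {
                    var u = user(id);
                    return !!(u && u.groups.indexOf(groupPath) !== -1);
                },
                isGroupInRole: function (groupPath, role) {
                    var g = store.groups[groupPath];
                    return !!(g && g.indexOf(role) !== -1);
                }
            };
        },
        grant: function () { decision = 'GRANT'; },
        deny: function () { decision = 'DENY'; },
        decision: function () { return decision; }
    };
}

// Constructed sample user store; none of these roles need to appear in the token.
var SAMPLE_STORE = {
    users: {
        'user-gestor': { realmRoles: [], clientRoles: { 'suite-sc': ['cadastrador', 'gestor'] }, groups: [] },
        'user-group':  { realmRoles: [], clientRoles: {}, groups: ['/Group A/Group D'] },
        'user-nobody': { realmRoles: [], clientRoles: { 'suite-sc': ['cadastrador'] }, groups: ['/Group A'] }
    },
    groups: { '/Group A/Group D': ['role-a'], '/Group A': [] }
};

// Runs the policy for one user id against the sample store and returns 'GRANT' or 'DENY'.
function decide(userId) {
    var ev = makeEvaluation(userId, SAMPLE_STORE);
    evaluatePolicy(ev);
    return ev.decision();
}

['user-gestor', 'user-group', 'user-nobody'].forEach(function (u) {
    console.log(u + ' -> ' + decide(u));
});
```

The policy ends with an explicit `deny()` so the outcome does not depend on the default for a policy that never calls `grant()`, and the group branch requires both membership and the group role, since `isGroupInRole` alone only says something about the group.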