[keycloak-user] Authorisation services: resource server managing permissions

Fabio Berta fnberta at gmail.com
Wed Mar 20 08:33:15 EDT 2019


Hi

I have a couple of questions regarding Keycloak's authorisation services.
Premiss:
- I don't really need the whole user managed permissions and permission
sharing features that UMA gives. All permissions are given by admin users.
- My resource server is a NodeJS application, hence I cannot use the
pre-made Java adapters
- I'm not sending RPT tokens to public clients at the moment, the resource
server checks permissions by making a request to Keycloak

Let's assume I want to protect the entity "Config". I need to restrict
create/delete/update rights for all configs and read rights for every
single instance of config. To achieve that, I created the the scopes
"config:read", "config:create", "config:delete" and "config:update". I
created the resource "config" and attached the scopes "config:create",
"config:delete" and "config:update". Because only users with the realm role
"admin" should be able to create/update/delete, I created a role based
policy specifying the "admin" role and connected it with the resource
"config" and the scopes "config:create", "config:delete" and
"config:update" in a scope-based permission.  So far everything is pretty
straightforward and works well.

Where it's get more complicated is the read rights for individual configs.
What I have in mind is an interface where admins can create configs and
manage permissions for them without going through the keycloak admin
console. Whenever an admin creates a new config, the resource server
creates a corresponding resource (e.g. config/configId) and stores the id
of the resource next to the config. I can do that with Protection API
(authz/protection/resource_set).

What I have not yet figured out is how the resource server can set
permissions at this point. Let's assume the admin has specified two users
that should be able to access the new config. The resource server should
create a new user based policy containing the two users and connect it with
the "config/configId" resource and the scope "config:read" in a scope-based
permission. From the documentation it looks like the Policy API might be
able to handle this. But two things confuse me:
- It says "This API is protected by a bearer token that must represent a
consent granted by the user to the resource server to manage permissions on
his behalf". I don't need to manage on the users behalf, the resource is
owned by the resource server and the created permission would also be owned
by the resource server.
- The examples for the API somehow combine policies and permissions into
one?
I tried to use this API with a token obtained via the client credentials
grant but it failed to create permissions (empty response and nothing got
created).

I see that the Java Admin Client has the ability to manage permissions but
I can't find documentation on the REST endpoints it uses. (
https://www.keycloak.org/docs-api/5.0/rest-api/index.html doesn't contain
anything authz related). Would the Admin API be the thing to use here or
can I do this with the Policy API? Or maybe my approach is fundamentally
flawed and I should approach this from another angle?

This message got way to long but I hope I was able to make my questions
clear. Grateful for any help I can get!

Best regards,
Fabio Berta


More information about the keycloak-user mailing list