[keycloak-user] Policy Enforcing for nodejs REST Api

Pedro Igor Silva psilva at redhat.com
Tue May 14 14:33:08 EDT 2019


Hi,

We've added more docs to NodeJS PEP recently [1]. They should be available
in the next release. Please, let me know if that is enough or if we need to
add more information.

In your case, this code:

app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);

Would be:

app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'),
routes);

If you have a resource in Keycloak called "foo" and a scope associated with
this resource called "bar", the code would be:

app.use('/api', keycloak.enforcer('foo:bar'), routes);

Hope it helps.

[1] https://github.com/keycloak/keycloak-documentation/pull/654

On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse <
Lasse.Jahn at student.hpi.uni-potsdam.de> wrote:

> Hello,
>
> It's the first time writing to the keycloak mailing list (I hope this is the
> correct one?) so excuse me if I forget to provide some information or make any
> other mistakes ..
> Sorry for the text wall.
>
> Shortly what I try to do (maybe I got something completely wrong):
> I create a backend (node.js Bearer Only) which shall offer a REST api.
> Partially it is used via a frontend (keycloak-clients) or directly by some
> devices.
> In general I try to create an application with a lot of CRUD. User
> Management is done in keycloak and I only forward these requests to the
> admin REST Api. Other stuff like the devices ... I store in a separate
> database.
> So the backend is the abstraction layer for frontend and other use-cases.
>
> So far so good, but for the beginning it was enough to check whether the
> request comes from an authenticated person or not, so all handled via
> keycloak.protect(). The Token from the authenticated person was passed.
> But now I'd want to offer different authorization levels (can differ due to
> reasons of multitenancy, which is why I want to solve this via policies and co in
> the admin-console inside the client configuration) because the normal user
> shall have access to only some routes and the management shall have full
> access to the api, but of course doesn't need the keycloak admin access.
> So I enabled the service account for my backend client and gave this one
> the realm-admin role so the client has access to everything and I can
> handle the authorization inside the backend client itself (using policies,
> permissions, .. inside the admin-console).
> (Just in case no one gets what I'm talking about. Fixing [1] should help
> me fixing my issue I guess)
>
> Setup
> - node.js application using express
> - registered as single client in keycloak admin-console (confidential, but
> config inside the code is bearer-only)
> - Keycloak is running in a docker-container (version 4.5)
> - all services are running in a docker-compose network and are behind a
> reverse proxy for common uri
> - enabled Authorization in client and changed the default policy to
> Negative to always deny => to see if it is enforced)
>
> My Problem
> I don't understand how to use the policies, permissions and Co I created
> in the admin-console inside the backend itself. How do I enforce that
> these are used?
> I tried to check different examples and documentation, but could not get it
> working.
> The last thing I found was that the entitlement api was removed, but a
> policy-enforcer was added to the nodejs adapter. In the documentation for
> the policy-enforcer [2] I couldn't find a documentation of the middleware
> (keycloak.enforcer({}) [3][4]).
>
> My Code
>
> *****
> app.js
>
> const express = require('express');
> const app = express();
> const Keycloak = require('keycloak-connect');
> const session = require('express-session');
> const routes = require('./routes/index');
>
>
> const kcConfig = {
>     'realm': 'master',
>     'bearer-only': true,
>     'auth-server-url': 'https://DOMAIN/auth',
>     'ssl-required': 'all',
>     'resource': 'fm-backend',
>     'credentials': {
>         secret: 'SOME_SECRET',
>     },
>     'confidential-port': 0,
>     'policy-enforcer': {   // tried with and without this, changed nothing
>         'enforcement-mode': 'ENFORCING',
>     },
> };
>
> const memoryStore = new session.MemoryStore();
> const keycloak = new Keycloak({ memoryStore }, kcConfig);
>
> app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' }));
>
> // used before, worked well for authentication
> app.use('/api', keycloak.protect(), routes);
>
> // now unfortunately I don't understand how to use the keycloak.enforcer() middleware
> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>
> module.exports = app;
>
> *****
>
> [1]
> https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application
> [2]
> https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview
> [3]
> https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc
> [4]
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
>
>
> Any Help is appreciated :)
>
>
> With kind regards
> Lasse
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

