[keycloak-user] Securing RESTful API Best Practices

Farzad Panahi farzad.panahi at gmail.com
Tue May 21 17:41:03 EDT 2019 

Thanks Pedro. I really appreciate your reply.

I think arbitrary claims are what I need to pass the filtering required to
the backend (if I can generate those claims). Also resource types look
interesting. I think as you said I can use that to group my resources.
These two should solve my problems at hand.

That would be also great if you could elaborate on what you meant by
"security constraints" vs "business rules". I just want to have a better
understanding of Keycloak.
My understanding is that Keycloak is an identity and "access management"
system. And when it comes to "access management" my understanding is that
it means "who" has "what" access to "which" resource under "what
conditions".
If this definition is true, wouldn't "who has access to which resources" be
a security constraint under Keycloak's authorization model?

As you said I might need to look into other solutions but I before I do
that I want to make sure I really cannot do what I want to do with Keycloak
and I really cannot implement my requirements under Keycloal's
authorization model, since I have already happily invested lots of time on
Keycloak :)



On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi Farzad,
>
> Sorry for the late reply.
>
> Our authorization model is targeted for enforcing security-related
> constraints, not business rules. Maybe you could consider Drools/BRMS.
>
> Some time ago we had a discussion about data filtering and how to fetch
> resources based on policy decisions. If you look at our documentation [1]
> you'll see that policies can push arbitrary claims back to your application
> when granting access to a permission. This capability allows you to send a
> specific claim along with the permission that represents some filter that
> you can use to query your database.
>
> As a result, you'll have within your token something like:
>
> "permissions": [
>     {
>       "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
>       "resource_name": "Book Resource",
>       "claims": ["data.filter": ["book.type = 'foo' or book.type = 'bar'"]]
>     }
>   ]
>
> We do have a "resource group" concept. Resources can have a type and you
> can also have a single resource representing a set of one or more "real"
> resources.
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server
>
> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Any hint or example project to look at would really help to put me in the
>> right direction.
>>
>> Should I post this question with a better and more specific title with
>> more
>> elaborate body to present the question better?
>>
>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi at gmail.com>
>> wrote:
>>
>> > This is exactly where I want to use Keycloak to set this business
>> > rule/mapping. Basically I need to associate each user with a subset of B
>> > (books) to which the user has access to. This association is not based
>> on
>> > roles or groups. It is based on individual users.
>> > That's why I was thinking that the only way I can think of doing this to
>> > add every individual book as a resource in Keycloak and then I have to
>> > create a permission for each of them to grant access to any individual
>> user.
>> > It would help if Keycloak had a concept like a resource group I guess.
>> > Then I could put all those resources in a resource group and grant
>> access
>> > to that resource group for an individual user.
>> > Then in order to see which resources each user has access to, I need to
>> > query Keycloak somehow (I need to figure out how exactly) and get the
>> > resources that user has access to, and return only those resources for
>> that
>> > user.
>> >
>> > That's what I can think of right now. I am just wondering if there is a
>> > better way to do this sort of resource oriented access control where
>> each
>> > user has access to specific set of resources only.
>> >
>> >
>> >
>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva at redhat.com>
>> > wrote:
>> >
>> >> Sorry, but is still not clear to me how a "user has access to a subset
>> of
>> >> B" is this access based on roles, groups or any other information that
>> you
>> >> gather from the context ? I'm wondering if this is not a business rule
>> >> instead ....
>> >>
>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi at gmail.com
>> >
>> >> wrote:
>> >>
>> >>> Hi Pedro,
>> >>>
>> >>> The user is not the book owner. You can think about it this way that
>> if
>> >>> B is the set of all books then each user has access to a subset of B
>> such
>> >>> that these subsets are not mutually exclusive and do overlap.
>> >>>
>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com
>> >
>> >>> wrote:
>> >>>
>> >>>> Hi Farzad,
>> >>>>
>> >>>> How do you check if a user has access to a book ? Is the user the
>> book
>> >>>> owner or you have more conditions that should be taken into account
>> to
>> >>>> grant access to books ?
>> >>>>
>> >>>> [1]
>> >>>>
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>> >>>>
>> >>>>
>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
>> farzad.panahi at gmail.com>
>> >>>> wrote:
>> >>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> I am very new to Keycloak. I have a RESTful API implemented with
>> >>>>> json:api
>> >>>>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>> >>>>>
>> >>>>> I just want to ask the Keycloak community for best practices when it
>> >>>>> comes
>> >>>>> to securing RESTful APIs.
>> >>>>>
>> >>>>> My endpoints will be something like:
>> >>>>> GET /api/books --> return all books the user has access for
>> >>>>> GET /api/books/123 --> return book with id = 123
>> >>>>>
>> >>>>> My challenge now is to figure out how to define resources in
>> Keycloak.
>> >>>>> Should I add all my books as resources to Keycloak? And then define
>> the
>> >>>>> permission between each user and resource?
>> >>>>>
>> >>>>> What would be the best practice to implement "GET /api/books" to
>> return
>> >>>>> only the books the logged in user has access to? Should I query the
>> >>>>> Keycloak API to get all the resources the logged in user has access
>> >>>>> to, in
>> >>>>> the backend?
>> >>>>>
>> >>>>> Thanks
>> >>>>>
>> >>>>> Farzad
>> >>>>> _______________________________________________
>> >>>>> keycloak-user mailing list
>> >>>>> keycloak-user at lists.jboss.org
>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>
>> >>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

More information about the keycloak-user mailing list