[keycloak-user] How to get the role -> permissions for an authenticated user

Thu May 23 14:35:08 EDT 2019

Ok Pedro,
I think I got it. Thanks a lot for thr clarification.
My current plan is to make the exchange in API-GW.
I get 2 advantages:

1) No change in client application and no need to involve client with server side authorization.

2) I need to make sure access token is still valid and user did not performed logout. API-GW seems the correct place to do that. So in a single call to KC I get both token validation and token exchange.

I will try that and update the forum if succeeded. I think this is a typical classic deployment and such a documented solution can assist a lot of people.

Ori.

Get Outlook for Android<https://aka.ms/ghei36>

________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Thursday, May 23, 2019 6:58:41 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

On Thu, May 23, 2019 at 12:21 PM Ori Doolman <Ori.Doolman at cyberark.com<mailto:Ori.Doolman at cyberark.com>> wrote:
Hi Pedro,
Thanks for the prompt response :)

Yes, I need RBAC only at the moment.

When you said my web application should make the token exchange, do you mean client side (javascript ) or server side?

Client-side

I can also make it from API-GW which is even better I think. what is the common practice to send it to the server? I cannot use the Authorization header since it alteady contains the access token.

Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. It is just an access token + permissions. Pretty much the original + permissions.

Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information.
It doesn't sounds like the optimal approach.

Yes, you would need a per session exchange.

Ori.

Get Outlook for Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=kd7NLazIlAUReoX4xn1Isinku-QmPbxzujKjkg5CF78&s=kSulN2o1ygvKOHFKkrsYVnKZdGvuWpqYi8uwdhUudUc&e=>

________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Thursday, May 23, 2019 5:49:11 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type.

However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the numbers of permissions within the token.

Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization.

On Thu, May 23, 2019 at 11:23 AM Ori Doolman <Ori.Doolman at cyberark.com<mailto:Ori.Doolman at cyberark.com>> wrote:
Hi,

I have a web application (Angular) which calls a REST API in a Java microservice.

In my application, which manages books, I have a "regular" and "admin" roles.
"regular" is allowed to execute API readBook.
"admin" is allowed to execute APIs readBook, deleteBook, createBook.

The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities.

I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions.
When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization.

  1.  What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created?
Or is there any other recommended way to "map" the roles into the effective permissions at runtime?
Maybe keep the role->permissions in my current DB and load them to service cache ?

  2.  I want to avoid calling Keycloak for every REST API call because this will result bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way?

  1.  Another alternative I thought of:
have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role.
This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token.

Thanks,
Ori.

----------------------------------------------------------------------
_______________________________________________
This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure.
If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwMFaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=C06JksmJ3-aEjipshrthQDy_e_8SFfiWTVg3xaAAi90&s=h3yWPfEVBy7AdTCBc2za37uwC0fzq34oyXd6IxbksNU&e=>