[keycloak-user] Securing RESTful API Best Practices

Farzad Panahi farzad.panahi at gmail.com
Tue May 28 02:27:58 EDT 2019


Thanks Pedro.

I am thinking of fetching all the permissions granted for the user and from
there I can get all the resource names (books) and scopes the user has access
to.

I have done this by getting the RPT from the Protection API in the backend
and iterating over the "permissions". But I am thinking of cutting a round-trip
request and doing this in the policy and pushing the resource names (with
granted permission) as an arbitrary claim. But as far as I understand I only
have access to the Evaluation instance in the policy. Is there a way to get all
the "permissions granted" for a user, in the policy?


Cheers

Farzad



On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Sure. I'm not telling you that you should not use us to address your
> requirements, but that you should take into account whether or not you are
> using our authorization capabilities to process business rules, which is
> not our focus. I wanted to let you know about other projects that are
> targeted for this type of work. Sometimes, the borderline between security
> constraints and business rules is very clear when you are externalizing
> authorization from your application.
>
> But yeah, I think both approaches can work for you. The data filter
> approach could be very handy in order to filter resources that users can
> access. So if you are able to group your users into groups and then write
> policies that push back a claim based on the user membership, then you
> should be able to keep your policies simple. This is probably the optimal
> solution because it avoids additional requests from the server for checking
> whether or not the user has access to a resource.
>
> On the other hand, you can use resource types. Or even have resources in
> Keycloak that represent your different resource sets. Based on the
> permissions within the token you should also be able to build the query
> accordingly in your application.
>
> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Thanks Pedro. I really appreciate your reply.
>>
>> I think arbitrary claims are what I need to pass the filtering required
>> to the backend (if I can generate those claims). Also resource types look
>> interesting. I think as you said I can use that to group my resources.
>> These two should solve my problems at hand.
>>
>> It would also be great if you could elaborate on what you meant by
>> "security constraints" vs "business rules". I just want to have a better
>> understanding of Keycloak.
>> My understanding is that Keycloak is an identity and "access management"
>> system. And when it comes to "access management" my understanding is that
>> it means "who" has "what" access to "which" resource under "what
>> conditions".
>> If this definition is true, wouldn't "who has access to which resources"
>> be a security constraint under Keycloak's authorization model?
>>
>> As you said I might need to look into other solutions but before I do
>> that I want to make sure I really cannot do what I want to do with Keycloak
>> and I really cannot implement my requirements under Keycloak's
>> authorization model, since I have already happily invested lots of time on
>> Keycloak :)
>>
>>
>>
>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi Farzad,
>>>
>>> Sorry for the late reply.
>>>
>>> Our authorization model is targeted for enforcing security-related
>>> constraints, not business rules. Maybe you could consider Drools/BRMS.
>>>
>>> Some time ago we had a discussion about data filtering and how to fetch
>>> resources based on policy decisions. If you look at our documentation [1]
>>> you'll see that policies can push arbitrary claims back to your application
>>> when granting access to a permission. This capability allows you to send a
>>> specific claim along with the permission that represents some filter that
>>> you can use to query your database.
>>>
>>> As a result, you'll have within your token something like:
>>>
>>> "permissions": [
>>>     {
>>>       "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>>       "resource_name": "Book Resource",
>>>       "claims": {"data.filter": ["book.type = 'foo' or book.type = 'bar'"]}
>>>     }
>>>   ]
>>>
>>> We do have a "resource group" concept. Resources can have a type and you
>>> can also have a single resource representing a set of one or more "real"
>>> resources.
>>>
>>> [1]
>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server
>>>
>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi at gmail.com>
>>> wrote:
>>>
>>>> Any hint or example project to look at would really help to put me in
>>>> the right direction.
>>>>
>>>> Should I post this question with a better and more specific title with a
>>>> more elaborate body to present the question better?
>>>>
>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi at gmail.com>
>>>> wrote:
>>>>
>>>> > This is exactly where I want to use Keycloak to set this business
>>>> > rule/mapping. Basically I need to associate each user with a subset of B
>>>> > (books) to which the user has access. This association is not based on
>>>> > roles or groups. It is based on individual users.
>>>> > That's why I was thinking that the only way I can think of doing this is
>>>> > to add every individual book as a resource in Keycloak and then I have to
>>>> > create a permission for each of them to grant access to any individual
>>>> > user.
>>>> > It would help if Keycloak had a concept like a resource group I guess.
>>>> > Then I could put all those resources in a resource group and grant access
>>>> > to that resource group for an individual user.
>>>> > Then in order to see which resources each user has access to, I need to
>>>> > query Keycloak somehow (I need to figure out how exactly) and get the
>>>> > resources that user has access to, and return only those resources for
>>>> > that user.
>>>> >
>>>> > That's what I can think of right now. I am just wondering if there is a
>>>> > better way to do this sort of resource oriented access control where each
>>>> > user has access to a specific set of resources only.
>>>> >
>>>> >
>>>> >
>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva at redhat.com>
>>>> > wrote:
>>>> >
>>>> >> Sorry, but it is still not clear to me how a "user has access to a
>>>> >> subset of B". Is this access based on roles, groups or any other
>>>> >> information that you gather from the context? I'm wondering if this is
>>>> >> not a business rule instead ....
>>>> >>
>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi at gmail.com>
>>>> >> wrote:
>>>> >>
>>>> >>> Hi Pedro,
>>>> >>>
>>>> >>> The user is not the book owner. You can think about it this way: if
>>>> >>> B is the set of all books then each user has access to a subset of B
>>>> >>> such that these subsets are not mutually exclusive and do overlap.
>>>> >>>
>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com>
>>>> >>> wrote:
>>>> >>>
>>>> >>>> Hi Farzad,
>>>> >>>>
>>>> >>>> How do you check if a user has access to a book? Is the user the book
>>>> >>>> owner or do you have more conditions that should be taken into
>>>> >>>> account to grant access to books?
>>>> >>>>
>>>> >>>> [1]
>>>> >>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>> >>>>
>>>> >>>>
>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi at gmail.com>
>>>> >>>> wrote:
>>>> >>>>
>>>> >>>>> Hi,
>>>> >>>>>
>>>> >>>>> I am very new to Keycloak. I have a RESTful API implemented with the
>>>> >>>>> json:api <https://jsonapi.org/> spec which I want to secure using
>>>> >>>>> Keycloak.
>>>> >>>>>
>>>> >>>>> I just want to ask the Keycloak community for best practices when it
>>>> >>>>> comes to securing RESTful APIs.
>>>> >>>>>
>>>> >>>>> My endpoints will be something like:
>>>> >>>>> GET /api/books --> return all books the user has access to
>>>> >>>>> GET /api/books/123 --> return book with id = 123
>>>> >>>>>
>>>> >>>>> My challenge now is to figure out how to define resources in Keycloak.
>>>> >>>>> Should I add all my books as resources to Keycloak? And then define
>>>> >>>>> the permission between each user and resource?
>>>> >>>>>
>>>> >>>>> What would be the best practice to implement "GET /api/books" to
>>>> >>>>> return only the books the logged in user has access to? Should I
>>>> >>>>> query the Keycloak API to get all the resources the logged in user
>>>> >>>>> has access to, in the backend?
>>>> >>>>>
>>>> >>>>> Thanks
>>>> >>>>>
>>>> >>>>> Farzad
>>>> >>>>> _______________________________________________
>>>> >>>>> keycloak-user mailing list
>>>> >>>>> keycloak-user at lists.jboss.org
>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >>>>>
>>>> >>>>

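As an added example (not code from this thread, and not Keycloak's own code), here is how a JavaScript backend could consume the permissions and pushed `data.filter` claims in an RPT to serve the two endpoints Farzad describes: a per-resource scope check for `GET /api/books/123` and a merged filter allow-list for `GET /api/books`. The token payload is constructed, the field names `rsid`/`rsname`/`scopes`/`claims` are assumed to match the RPT permission format (the `resource_id`/`resource_name` spelling from Pedro's reply is accepted too), and the filter parser only accepts the `field = 'value' or ...` shape shown in the thread.

```javascript
// Constructed sample of a decoded RPT payload; signature verification is
// assumed to have happened already. Field names follow Keycloak's Permission
// representation (assumed); the thread's resource_id/resource_name also work.
const SAMPLE_RPT = { authorization: { permissions: [
  { rsid: "90ccc6fc-b296-4cd1-881e-089e1ee15957", rsname: "Book Resource",
    scopes: ["read"],
    claims: { "data.filter": ["book.type = 'foo' or book.type = 'bar'"] } },
  { resource_id: "00000000-0000-4000-8000-000000000123",
    resource_name: "Book 123", scopes: ["read", "write"] },
] } };

function permissionsOf(rpt) {
  const perms = (rpt.authorization && rpt.authorization.permissions) || [];
  return perms.map((p) => ({ name: p.rsname || p.resource_name,
                             scopes: p.scopes || [], claims: p.claims || {} }));
}

// GET /api/books/:id style check: default deny unless a permission names this
// resource and explicitly lists the required scope.
function isAllowed(rpt, resourceName, scope) {
  return permissionsOf(rpt).some(
    (p) => p.name === resourceName && p.scopes.includes(scope));
}

// Parse a data.filter of the shape used in the thread
// ("book.type = 'foo' or book.type = 'bar'") into {field: [values]} so the
// values are bound as query parameters, never spliced into SQL as raw text.
const TERM = /^\s*([A-Za-z_][\w.]*)\s*=\s*'([^']*)'\s*$/;
function parseFilter(filter) {
  const out = {};
  for (const term of filter.split(/\s+or\s+/i)) {
    const m = TERM.exec(term);
    if (!m) throw new Error("unsupported filter term: " + term);
    (out[m[1]] = out[m[1]] || []).push(m[2]);
  }
  return out;
}

// GET /api/books listing: merge every data.filter pushed for the resource.
function bookFilters(rpt, resourceName) {
  const merged = {};
  for (const p of permissionsOf(rpt)) {
    if (p.name !== resourceName) continue;
    for (const f of p.claims["data.filter"] || []) {
      for (const [field, values] of Object.entries(parseFilter(f))) {
        merged[field] = [...new Set([...(merged[field] || []), ...values])];
      }
    }
  }
  return merged;
}
```

Because the filter originates from a policy the Keycloak admin wrote rather than from the client, rejecting anything outside the expected shape is a cheap guard against a mis-authored policy turning into an injection path.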
