[keycloak-user] Securing RESTful API Best Practices

Pedro Igor Silva psilva at redhat.com
Tue May 28 08:15:54 EDT 2019 

Not right now because policies are basically processing permissions
(requested resource + scope) on a per-resource basis. In the future, we are
looking forward to making the policy engine more flexible so that you could
perform resource-less evaluation based on any data you include in an
authorization request.

On Tue, May 28, 2019 at 3:28 AM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> Thanks Pedro.
>
> I am thinking to fetch all the permissions granted for the user and from
> there I can get all the resource names (books) and scopes user has access
> for.
>
> I have done this by getting the RPT from the Protection API in the backend
> and iteration over the "permissions". But I am thinking to cut a round-trip
> request and do this in the policy and push the resource names (with granted
> permission) as an arbitrary claim. But as far as I understand I only have
> access to Evaluation instance in the policy.  Is there a way to get all the
> "permissions granted" for a user, in the policy?
>
>
> Cheers
>
> Farzad
>
>
>
> On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Sure. I'm not telling you that you should not use us to address your
>> requirements, but that you should take into account whether or not you are
>> using our authorization capabilities to process business rules, which is
>> not our focus. I wanted to let you know about other projects that are
>> targeted for this type of work. Sometimes, the borderline between security
>> constraints and business rules are very clear when you are externalizing
>> authorization from your application.
>>
>> But yeah, I think both approaches can work for you. The data filter
>> approach is could be very handy in order to filter resources that users can
>> access. So if you are able to group your users into groups and then write
>> policies that push back a claim based on the user membership, then you
>> should be able to keep your policies simple. This is probably the optimal
>> solution because it avoids additional requests from the server for checking
>> whether or not the user has access to a resource.
>>
>> On the other hand, you can use resource types. Or even have resources in
>> Keycloak that represent your different resource sets. Based on the
>> permissions within the token you should also be able to build the query
>> accordingly in your application.
>>
>> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Thanks Pedro. I really appreciate your reply.
>>>
>>> I think arbitrary claims are what I need to pass the filtering required
>>> to the backend (if I can generate those claims). Also resource types look
>>> interesting. I think as you said I can use that to group my resources.
>>> These two should solve my problems at hand.
>>>
>>> That would be also great if you could elaborate on what you meant by
>>> "security constraints" vs "business rules". I just want to have a better
>>> understanding of Keycloak.
>>> My understanding is that Keycloak is an identity and "access management"
>>> system. And when it comes to "access management" my understanding is that
>>> it means "who" has "what" access to "which" resource under "what
>>> conditions".
>>> If this definition is true, wouldn't "who has access to which resources"
>>> be a security constraint under Keycloak's authorization model?
>>>
>>> As you said I might need to look into other solutions but I before I do
>>> that I want to make sure I really cannot do what I want to do with Keycloak
>>> and I really cannot implement my requirements under Keycloal's
>>> authorization model, since I have already happily invested lots of time on
>>> Keycloak :)
>>>
>>>
>>>
>>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi Farzad,
>>>>
>>>> Sorry for the late reply.
>>>>
>>>> Our authorization model is targeted for enforcing security-related
>>>> constraints, not business rules. Maybe you could consider Drools/BRMS.
>>>>
>>>> Some time ago we had a discussion about data filtering and how to fetch
>>>> resources based on policy decisions. If you look at our documentation [1]
>>>> you'll see that policies can push arbitrary claims back to your application
>>>> when granting access to a permission. This capability allows you to send a
>>>> specific claim along with the permission that represents some filter that
>>>> you can use to query your database.
>>>>
>>>> As a result, you'll have within your token something like:
>>>>
>>>> "permissions": [
>>>>     {
>>>>       "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>>>       "resource_name": "Book Resource",
>>>>       "claims": ["data.filter": ["book.type = 'foo' or book.type =
>>>> 'bar'"]]
>>>>     }
>>>>   ]
>>>>
>>>> We do have a "resource group" concept. Resources can have a type and
>>>> you can also have a single resource representing a set of one or more
>>>> "real" resources.
>>>>
>>>> [1]
>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server
>>>>
>>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi at gmail.com>
>>>> wrote:
>>>>
>>>>> Any hint or example project to look at would really help to put me in
>>>>> the
>>>>> right direction.
>>>>>
>>>>> Should I post this question with a better and more specific title with
>>>>> more
>>>>> elaborate body to present the question better?
>>>>>
>>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <
>>>>> farzad.panahi at gmail.com>
>>>>> wrote:
>>>>>
>>>>> > This is exactly where I want to use Keycloak to set this business
>>>>> > rule/mapping. Basically I need to associate each user with a subset
>>>>> of B
>>>>> > (books) to which the user has access to. This association is not
>>>>> based on
>>>>> > roles or groups. It is based on individual users.
>>>>> > That's why I was thinking that the only way I can think of doing
>>>>> this to
>>>>> > add every individual book as a resource in Keycloak and then I have
>>>>> to
>>>>> > create a permission for each of them to grant access to any
>>>>> individual user.
>>>>> > It would help if Keycloak had a concept like a resource group I
>>>>> guess.
>>>>> > Then I could put all those resources in a resource group and grant
>>>>> access
>>>>> > to that resource group for an individual user.
>>>>> > Then in order to see which resources each user has access to, I need
>>>>> to
>>>>> > query Keycloak somehow (I need to figure out how exactly) and get the
>>>>> > resources that user has access to, and return only those resources
>>>>> for that
>>>>> > user.
>>>>> >
>>>>> > That's what I can think of right now. I am just wondering if there
>>>>> is a
>>>>> > better way to do this sort of resource oriented access control where
>>>>> each
>>>>> > user has access to specific set of resources only.
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva at redhat.com
>>>>> >
>>>>> > wrote:
>>>>> >
>>>>> >> Sorry, but is still not clear to me how a "user has access to a
>>>>> subset of
>>>>> >> B" is this access based on roles, groups or any other information
>>>>> that you
>>>>> >> gather from the context ? I'm wondering if this is not a business
>>>>> rule
>>>>> >> instead ....
>>>>> >>
>>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>>>>> farzad.panahi at gmail.com>
>>>>> >> wrote:
>>>>> >>
>>>>> >>> Hi Pedro,
>>>>> >>>
>>>>> >>> The user is not the book owner. You can think about it this way
>>>>> that if
>>>>> >>> B is the set of all books then each user has access to a subset of
>>>>> B such
>>>>> >>> that these subsets are not mutually exclusive and do overlap.
>>>>> >>>
>>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <
>>>>> psilva at redhat.com>
>>>>> >>> wrote:
>>>>> >>>
>>>>> >>>> Hi Farzad,
>>>>> >>>>
>>>>> >>>> How do you check if a user has access to a book ? Is the user the
>>>>> book
>>>>> >>>> owner or you have more conditions that should be taken into
>>>>> account to
>>>>> >>>> grant access to books ?
>>>>> >>>>
>>>>> >>>> [1]
>>>>> >>>>
>>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
>>>>> farzad.panahi at gmail.com>
>>>>> >>>> wrote:
>>>>> >>>>
>>>>> >>>>> Hi,
>>>>> >>>>>
>>>>> >>>>> I am very new to Keycloak. I have a RESTful API implemented with
>>>>> >>>>> json:api
>>>>> >>>>> <https://jsonapi.org/> spec which I want to secure using
>>>>> Keycloak.
>>>>> >>>>>
>>>>> >>>>> I just want to ask the Keycloak community for best practices
>>>>> when it
>>>>> >>>>> comes
>>>>> >>>>> to securing RESTful APIs.
>>>>> >>>>>
>>>>> >>>>> My endpoints will be something like:
>>>>> >>>>> GET /api/books --> return all books the user has access for
>>>>> >>>>> GET /api/books/123 --> return book with id = 123
>>>>> >>>>>
>>>>> >>>>> My challenge now is to figure out how to define resources in
>>>>> Keycloak.
>>>>> >>>>> Should I add all my books as resources to Keycloak? And then
>>>>> define the
>>>>> >>>>> permission between each user and resource?
>>>>> >>>>>
>>>>> >>>>> What would be the best practice to implement "GET /api/books" to
>>>>> return
>>>>> >>>>> only the books the logged in user has access to? Should I query
>>>>> the
>>>>> >>>>> Keycloak API to get all the resources the logged in user has
>>>>> access
>>>>> >>>>> to, in
>>>>> >>>>> the backend?
>>>>> >>>>>
>>>>> >>>>> Thanks
>>>>> >>>>>
>>>>> >>>>> Farzad
>>>>> >>>>> _______________________________________________
>>>>> >>>>> keycloak-user mailing list
>>>>> >>>>> keycloak-user at lists.jboss.org
>>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> >>>>>
>>>>> >>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>

More information about the keycloak-user mailing list