[keycloak-user] Securing RESTful API Best Practices

Pedro Igor Silva psilva at redhat.com
Tue May 28 14:31:52 EDT 2019


Yeah, you mean calling the token endpoint ....

On Tue, May 28, 2019 at 2:50 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> That would be really helpful. Is there an open ticket for it that I can
> watch?
>
> So if I can't granted permissions on the policy engine then I don't have
> any other option but doing this on the backend bycalling the Protection
> API, right?
>
> On Tue., May 28, 2019, 5:16 a.m. Pedro Igor Silva, <psilva at redhat.com>
> wrote:
>
>> Not right now because policies are basically processing permissions
>> (requested resource + scope) on a per-resource basis. In the future, we are
>> looking forward to making the policy engine more flexible so that you could
>> perform resource-less evaluation based on any data you include in an
>> authorization request.
>>
>> On Tue, May 28, 2019 at 3:28 AM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Thanks Pedro.
>>>
>>> I am thinking to fetch all the permissions granted for the user and from
>>> there I can get all the resource names (books) and scopes user has access
>>> for.
>>>
>>> I have done this by getting the RPT from the Protection API in the
>>> backend and iteration over the "permissions". But I am thinking to cut a
>>> round-trip request and do this in the policy and push the resource names
>>> (with granted permission) as an arbitrary claim. But as far as I understand
>>> I only have access to Evaluation instance in the policy.  Is there a way to
>>> get all the "permissions granted" for a user, in the policy?
>>>
>>>
>>> Cheers
>>>
>>> Farzad
>>>
>>>
>>>
>>> On Wed, May 22, 2019 at 5:12 AM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Sure. I'm not telling you that you should not use us to address your
>>>> requirements, but that you should take into account whether or not you are
>>>> using our authorization capabilities to process business rules, which is
>>>> not our focus. I wanted to let you know about other projects that are
>>>> targeted for this type of work. Sometimes, the borderline between security
>>>> constraints and business rules are very clear when you are externalizing
>>>> authorization from your application.
>>>>
>>>> But yeah, I think both approaches can work for you. The data filter
>>>> approach is could be very handy in order to filter resources that users can
>>>> access. So if you are able to group your users into groups and then write
>>>> policies that push back a claim based on the user membership, then you
>>>> should be able to keep your policies simple. This is probably the optimal
>>>> solution because it avoids additional requests from the server for checking
>>>> whether or not the user has access to a resource.
>>>>
>>>> On the other hand, you can use resource types. Or even have resources
>>>> in Keycloak that represent your different resource sets. Based on the
>>>> permissions within the token you should also be able to build the query
>>>> accordingly in your application.
>>>>
>>>> On Tue, May 21, 2019 at 6:41 PM Farzad Panahi <farzad.panahi at gmail.com>
>>>> wrote:
>>>>
>>>>> Thanks Pedro. I really appreciate your reply.
>>>>>
>>>>> I think arbitrary claims are what I need to pass the filtering
>>>>> required to the backend (if I can generate those claims). Also resource
>>>>> types look interesting. I think as you said I can use that to group my
>>>>> resources. These two should solve my problems at hand.
>>>>>
>>>>> That would be also great if you could elaborate on what you meant by
>>>>> "security constraints" vs "business rules". I just want to have a better
>>>>> understanding of Keycloak.
>>>>> My understanding is that Keycloak is an identity and "access
>>>>> management" system. And when it comes to "access management" my
>>>>> understanding is that it means "who" has "what" access to "which" resource
>>>>> under "what conditions".
>>>>> If this definition is true, wouldn't "who has access to which
>>>>> resources" be a security constraint under Keycloak's authorization model?
>>>>>
>>>>> As you said I might need to look into other solutions but I before I
>>>>> do that I want to make sure I really cannot do what I want to do with
>>>>> Keycloak and I really cannot implement my requirements under Keycloal's
>>>>> authorization model, since I have already happily invested lots of time on
>>>>> Keycloak :)
>>>>>
>>>>>
>>>>>
>>>>> On Tue, May 21, 2019 at 11:35 AM Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Farzad,
>>>>>>
>>>>>> Sorry for the late reply.
>>>>>>
>>>>>> Our authorization model is targeted for enforcing security-related
>>>>>> constraints, not business rules. Maybe you could consider Drools/BRMS.
>>>>>>
>>>>>> Some time ago we had a discussion about data filtering and how to
>>>>>> fetch resources based on policy decisions. If you look at our documentation
>>>>>> [1] you'll see that policies can push arbitrary claims back to your
>>>>>> application when granting access to a permission. This capability allows
>>>>>> you to send a specific claim along with the permission that represents some
>>>>>> filter that you can use to query your database.
>>>>>>
>>>>>> As a result, you'll have within your token something like:
>>>>>>
>>>>>> "permissions": [
>>>>>>     {
>>>>>>       "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
>>>>>>       "resource_name": "Book Resource",
>>>>>>       "claims": ["data.filter": ["book.type = 'foo' or book.type =
>>>>>> 'bar'"]]
>>>>>>     }
>>>>>>   ]
>>>>>>
>>>>>> We do have a "resource group" concept. Resources can have a type and
>>>>>> you can also have a single resource representing a set of one or more
>>>>>> "real" resources.
>>>>>>
>>>>>> [1]
>>>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server
>>>>>>
>>>>>> On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <
>>>>>> farzad.panahi at gmail.com> wrote:
>>>>>>
>>>>>>> Any hint or example project to look at would really help to put me
>>>>>>> in the
>>>>>>> right direction.
>>>>>>>
>>>>>>> Should I post this question with a better and more specific title
>>>>>>> with more
>>>>>>> elaborate body to present the question better?
>>>>>>>
>>>>>>> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <
>>>>>>> farzad.panahi at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> > This is exactly where I want to use Keycloak to set this business
>>>>>>> > rule/mapping. Basically I need to associate each user with a
>>>>>>> subset of B
>>>>>>> > (books) to which the user has access to. This association is not
>>>>>>> based on
>>>>>>> > roles or groups. It is based on individual users.
>>>>>>> > That's why I was thinking that the only way I can think of doing
>>>>>>> this to
>>>>>>> > add every individual book as a resource in Keycloak and then I
>>>>>>> have to
>>>>>>> > create a permission for each of them to grant access to any
>>>>>>> individual user.
>>>>>>> > It would help if Keycloak had a concept like a resource group I
>>>>>>> guess.
>>>>>>> > Then I could put all those resources in a resource group and grant
>>>>>>> access
>>>>>>> > to that resource group for an individual user.
>>>>>>> > Then in order to see which resources each user has access to, I
>>>>>>> need to
>>>>>>> > query Keycloak somehow (I need to figure out how exactly) and get
>>>>>>> the
>>>>>>> > resources that user has access to, and return only those resources
>>>>>>> for that
>>>>>>> > user.
>>>>>>> >
>>>>>>> > That's what I can think of right now. I am just wondering if there
>>>>>>> is a
>>>>>>> > better way to do this sort of resource oriented access control
>>>>>>> where each
>>>>>>> > user has access to specific set of resources only.
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <
>>>>>>> psilva at redhat.com>
>>>>>>> > wrote:
>>>>>>> >
>>>>>>> >> Sorry, but is still not clear to me how a "user has access to a
>>>>>>> subset of
>>>>>>> >> B" is this access based on roles, groups or any other information
>>>>>>> that you
>>>>>>> >> gather from the context ? I'm wondering if this is not a business
>>>>>>> rule
>>>>>>> >> instead ....
>>>>>>> >>
>>>>>>> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <
>>>>>>> farzad.panahi at gmail.com>
>>>>>>> >> wrote:
>>>>>>> >>
>>>>>>> >>> Hi Pedro,
>>>>>>> >>>
>>>>>>> >>> The user is not the book owner. You can think about it this way
>>>>>>> that if
>>>>>>> >>> B is the set of all books then each user has access to a subset
>>>>>>> of B such
>>>>>>> >>> that these subsets are not mutually exclusive and do overlap.
>>>>>>> >>>
>>>>>>> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <
>>>>>>> psilva at redhat.com>
>>>>>>> >>> wrote:
>>>>>>> >>>
>>>>>>> >>>> Hi Farzad,
>>>>>>> >>>>
>>>>>>> >>>> How do you check if a user has access to a book ? Is the user
>>>>>>> the book
>>>>>>> >>>> owner or you have more conditions that should be taken into
>>>>>>> account to
>>>>>>> >>>> grant access to books ?
>>>>>>> >>>>
>>>>>>> >>>> [1]
>>>>>>> >>>>
>>>>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>>>>> >>>>
>>>>>>> >>>>
>>>>>>> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
>>>>>>> farzad.panahi at gmail.com>
>>>>>>> >>>> wrote:
>>>>>>> >>>>
>>>>>>> >>>>> Hi,
>>>>>>> >>>>>
>>>>>>> >>>>> I am very new to Keycloak. I have a RESTful API implemented
>>>>>>> with
>>>>>>> >>>>> json:api
>>>>>>> >>>>> <https://jsonapi.org/> spec which I want to secure using
>>>>>>> Keycloak.
>>>>>>> >>>>>
>>>>>>> >>>>> I just want to ask the Keycloak community for best practices
>>>>>>> when it
>>>>>>> >>>>> comes
>>>>>>> >>>>> to securing RESTful APIs.
>>>>>>> >>>>>
>>>>>>> >>>>> My endpoints will be something like:
>>>>>>> >>>>> GET /api/books --> return all books the user has access for
>>>>>>> >>>>> GET /api/books/123 --> return book with id = 123
>>>>>>> >>>>>
>>>>>>> >>>>> My challenge now is to figure out how to define resources in
>>>>>>> Keycloak.
>>>>>>> >>>>> Should I add all my books as resources to Keycloak? And then
>>>>>>> define the
>>>>>>> >>>>> permission between each user and resource?
>>>>>>> >>>>>
>>>>>>> >>>>> What would be the best practice to implement "GET /api/books"
>>>>>>> to return
>>>>>>> >>>>> only the books the logged in user has access to? Should I
>>>>>>> query the
>>>>>>> >>>>> Keycloak API to get all the resources the logged in user has
>>>>>>> access
>>>>>>> >>>>> to, in
>>>>>>> >>>>> the backend?
>>>>>>> >>>>>
>>>>>>> >>>>> Thanks
>>>>>>> >>>>>
>>>>>>> >>>>> Farzad
>>>>>>> >>>>> _______________________________________________
>>>>>>> >>>>> keycloak-user mailing list
>>>>>>> >>>>> keycloak-user at lists.jboss.org
>>>>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>> >>>>>
>>>>>>> >>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>


More information about the keycloak-user mailing list