[keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer

Sushil Singh sushil.singh at guavus.com
Mon Nov 18 10:12:14 EST 2019


Hi,

I would suggest to play with keycloak standalone by following https://medium.com/@bcarunmail/securing-rest-api-using-keycloak-and-spring-oauth2-6ddf3a1efcc2

And if you want to integrate your application using keycloak adapters please follow quick-start example of your requirement from https://github.com/keycloak/keycloak-quickstarts.

Also you can follow the official Keycloak documentation: https://www.keycloak.org/docs/7.0/authorization_services/




From: Tumenjargal B <b.tume at yahoo.com>
Sent: 16 November 2019 10:15
To: Sushil Singh <sushil.singh at guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer

Thank you very much Sushil,

You have helped me a lot. One question: I can't find any example or production case. How can I search for examples or config files?




On Friday, November 15, 2019, 06:42:48 PM GMT+8, Sushil Singh <sushil.singh at guavus.com> wrote:


Based on my understanding,

In Keycloak, whatever you want to protect is a Resource

In your case Resources will be created based on Organizations

Organization (Resources)

Example

/org/O1
/org/O2
/org/O3
/org/O4

So create two roles and associate policies with them

1. Account-role  [ assign Account-role to the users / groups whom you want to give multiple access]
2. General-role  [ assign General-role to users / groups whom you don’t want to give organization]

So you can create Role based policy and attach that policy to the permission

You can Associate the Resource with a Permission and Associate the permission with the above Policies

Check out these links to get an overview of how to manage resources, policies and permissions

https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_overview

https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_overview

https://www.keycloak.org/docs/latest/authorization_services/index.html#_permission_overview

Thanks

Sushil
________________________________
From: Tumenjargal B <b.tume at yahoo.com>
Sent: 15 November 2019 15:39
To: Stian Thorgersen <sthorger at redhat.com>; Pedro Igor Silva <psilva at redhat.com>; Sushil Singh <sushil.singh at guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer

Hello dears,

I want to integrate an old system with Keycloak. A user has many organizations.
In my case, users have account and general account positions. An account position works in many organizations. How do I integrate with Keycloak? How do I save a user's organization data in Keycloak?

Thank you



On Friday, November 15, 2019, 05:52:03 PM GMT+8, Sushil Singh <sushil.singh at guavus.com> wrote:



________________________________
From: Sushil Singh <sushil.singh at guavus.com>
Sent: 15 November 2019 15:14
To: Vishnu Prakash <vishnuprakash323 at gmail.com>; Pedro Igor Silva <psilva at redhat.com>; Stian Thorgersen <sthorger at redhat.com>
Subject: Re: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer

Hi,

I think the use case is similar to what I am proposing

@Vishnu Prakash

I have also proposed to impose custom policy-enforcement on a set of resources.

https://github.com/keycloak/keycloak/pull/6448
KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters https://issues.jboss.org/browse/KEYCLOAK-11300


Where user can specify a Map<Resource, Set<scopes>> and it will evaluate to a positive result only if it satisfies permission for all resources in the Map

Currently I don't think this functionality is available in keycloak

Thanks,

Sushil
________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Vishnu Prakash <vishnuprakash323 at gmail.com>
Sent: 15 November 2019 10:01
To: keycloak-user <keycloak-user at lists.jboss.org>
Subject: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer

Hi,
I want to protect my REST APIs using Keycloak. I am deploying my
application in the WildFly application server and using the Keycloak WildFly
adapters.
Is it possible to associate a REST API endpoint with multiple resources in
Keycloak using the Policy Enforcer? If the user has permission to
access all the associated resources, only then should access be granted to
the API.

Any input will be a great help to me.

Thanks & Regards,
Vishnu Prakash
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
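
The all-resources rule discussed in this thread (a Map<Resource, Set<scopes>> that passes only when every entry is permitted), sketched as an added example that is not code from the thread or from pull request #6448. It assumes the adapter has already validated the token and that the granted permissions were read from the RPT's `authorization.permissions` claim; the class name, the `permitsAll` helper and the scope names `view` and `edit` are hypothetical.

```java
import java.util.*;

public class AllResourcesCheck {
    // One entry of the RPT's authorization.permissions claim (resource name + granted scopes).
    record Permission(String rsname, Set<String> scopes) {}

    // True only if every required resource is granted with all of its required scopes.
    // Anything missing denies, so the check fails closed.
    static boolean permitsAll(Map<String, Set<String>> required, List<Permission> granted) {
        if (required == null || required.isEmpty() || granted == null) {
            return false; // an endpoint with no declared requirement is treated as misconfigured
        }
        // Merge scopes per resource, since a token may list a resource more than once.
        Map<String, Set<String>> byResource = new HashMap<>();
        for (Permission p : granted) {
            Set<String> have = byResource.computeIfAbsent(p.rsname(), k -> new HashSet<>());
            if (p.scopes() != null) have.addAll(p.scopes()); // scopes may be absent in a token
        }
        for (Map.Entry<String, Set<String>> e : required.entrySet()) {
            Set<String> have = byResource.get(e.getKey());
            if (have == null || !have.containsAll(e.getValue())) {
                return false; // one unmet resource or scope denies the whole request
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: one endpoint tied to two of the thread's organization resources.
        Map<String, Set<String>> required = Map.of(
            "/org/O1", Set.of("view"),
            "/org/O2", Set.of("view", "edit"));
        List<Permission> alice = List.of(
            new Permission("/org/O1", Set.of("view")),
            new Permission("/org/O2", Set.of("view", "edit")));
        List<Permission> bob = List.of(
            new Permission("/org/O1", Set.of("view")),
            new Permission("/org/O2", Set.of("view"))); // lacks "edit" on /org/O2
        System.out.println("alice: " + permitsAll(required, alice));
        System.out.println("bob:   " + permitsAll(required, bob));
    }
}
```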