Resources, scopes, permissions and policies in keycloak

一向 2021-01-29 18:27

I want to create a fairly simple role-based access control system using Keycloak's authorization system. The system Keycloak is replacing allows us to create a "user", who is

2 answers
  •  渐次进展
    2021-01-29 18:59

    I was looking to enforce authorization via pure HTTP methods, without using the adapter as Lua did not have an adapter. Hope this answer helps people looking for non-adapter based method.

    If you are looking for the adapter the quick start guide is the best place to start. Especially the spring boot authz example.

    For pure HTTP based implementation:

    Step 1:

    Define the policies and permissions in the Keycloak Admin UI.

    Step 2:

    Have an internal mapping of which HTTP paths belong to which resources and the required scopes for each path. This can also be saved in the configuration file. When a particular route is invoked, call the Keycloak token endpoint to validate the claims of the access token.

    {
      "policy-enforcer": {
        "user-managed-access" : {},
        "enforcement-mode" : "ENFORCING",
        "paths": [
          {
            "path" : "/someUri/*",
            "methods" : [
              {
                "method": "GET",
                "scopes" : ["urn:app.com:scopes:view"]
              },
              {
                "method": "POST",
                "scopes" : ["urn:app.com:scopes:create"]
              }
            ]
          }
        ]
      }
    }


    If you are using an adapter and do not specify the path or resource, the adapter will internally search for the paths and resources from Keycloak.

    Step 3:

    Use the token endpoint to get or evaluate the permissions. You can use the response_mode parameter to either obtain the final decision (whether to provide access) or retrieve the entire set of permissions.

    curl -X POST \
      http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
      -H "Authorization: Bearer ${access_token}" \
      --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
      --data "permission=Resource A#Scope A"
    

    If the authorization request does not map to any permission, a 403 HTTP status code is returned instead.
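The following is an added example, not code from the answer above or from Keycloak: a small Python helper that implements Steps 2 and 3 without an adapter. It keeps the path-to-resource mapping from the policy-enforcer JSON above in memory, derives the `resource#scope` permissions a request needs, and posts the same UMA-ticket grant as the curl command, asking for `response_mode=decision` so Keycloak returns `{"result": true}` or a 403. The `PATH_RULES` table, the resource name "Resource A", the `audience` client id and the `transport` hook are constructed for the example; Keycloak's own path matching is not reproduced, a simple glob is used instead.

```python
"""Adapter-free policy enforcement against Keycloak's UMA token endpoint.

Added example; the rule table and names below are constructed, not from any
real deployment. Deny by default: anything other than an explicit
{"result": true} from Keycloak is treated as "not allowed".
"""
import fnmatch
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed mapping modelled on the policy-enforcer JSON in the answer:
# each path pattern names the Keycloak resource it belongs to and the
# scopes each HTTP method requires.
PATH_RULES = [
    {
        "path": "/someUri/*",
        "resource": "Resource A",          # assumed resource name in Keycloak
        "methods": {
            "GET": ["urn:app.com:scopes:view"],
            "POST": ["urn:app.com:scopes:create"],
        },
    },
]


def required_permissions(method, path, rules=PATH_RULES):
    """Return the 'resource#scope' strings this request needs, or None.

    None means no rule grants the method on that path, which the caller
    must treat as a denial rather than as "no check needed".
    """
    for rule in rules:
        # fnmatch glob is an assumption; Keycloak's matcher is not reused here.
        if fnmatch.fnmatchcase(path, rule["path"]):
            scopes = rule["methods"].get(method.upper())
            if scopes is None:
                return None          # path is protected but method not mapped
            return [f'{rule["resource"]}#{scope}' for scope in scopes]
    return None


def build_uma_request(base_url, realm, access_token, permissions, audience,
                      decision_only=True):
    """Assemble the POST the curl command in the answer sends.

    Returns (url, headers, body). 'audience' is the resource server's client
    id, which Keycloak requires when 'permission' is given without a ticket.
    """
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    fields = [
        ("grant_type", "urn:ietf:params:oauth:grant-type:uma-ticket"),
        ("audience", audience),
    ]
    fields += [("permission", p) for p in permissions]
    if decision_only:
        fields.append(("response_mode", "decision"))   # just {"result": bool}
    body = urllib.parse.urlencode(fields).encode()
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, body


def _http_post(url, headers, body):
    """Real transport: returns (status, parsed JSON); 403 from Keycloak = denied."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return exc.code, {}


def is_allowed(method, path, access_token, base_url, realm, audience,
               transport=None):
    """Evaluate one request; 'transport' lets tests inject a fake Keycloak."""
    permissions = required_permissions(method, path)
    if not permissions:
        return False
    url, headers, body = build_uma_request(base_url, realm, access_token,
                                           permissions, audience)
    status, payload = (transport or _http_post)(url, headers, body)
    return status == 200 and payload.get("result") is True
```

Wire `is_allowed` in front of each route handler; the mapping is the only place that knows which resource and scope a path needs, so adding a route means adding a rule, not another token call.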
