I'm part of a frontend project and I need some help to bring our authorization model into keycloak. We're building on node.js and the whole project uses stateless micro services - as well as our frontend middleware as the whole backend services we use. The frontend uses the standard JS adapter for session and token management.
So far we have identified four roles: travel agent, back office, configurator and data security officer. That's easy so far. My problem is how to model the next authorization layer we need.
For example: For the travel agents we want to be able to grant per person whether he can see specific customer data or is able to cancel orders. There are about 6-8 options for the travel agents. Thus, for the back office there shall be options for stock operations or different views on orders.
Like the backend we don't persist any data! That's why I have store all the things in keycloak and find a way to easily bring these information back to our middleware.
Here's what I tried / thought of so far:
* Use groups for the first layer and roles for the second one. --> doesn't work because the groups don't get exposed in the token.
* Use realm roles for the upper and attributes for the lower hierarchy. --> attributes are not included in the access token.
* Use realm roles for the upper and client roles on the lower hierarchy. --> works, but we have to make sure that roles on the second layer are definitely associated with only one role on the first layer. I don't know how yet.
* Use roles for the first layer and resources on the second one. --> That seems to get very close to what we need. But at the moment I can't figure out the correct approach with all these policies and permissions...
Discussions here at Stack Overflow seem very fruitful and I wanted to give it a try, although I don't have any code to offer.
Thanks for any help and please let me know, if I shall provide some further information.
Sven
Unlike the downvoter, I find this to be a legitimate question.
It looks like you're on the right path in terms of using Keycloak groups/roles/attributes. You can pick a combination that suits your needs. For example, if you need a hierarchy structure, you might use groups. Or you might want to use roles since these can be composite.
Regardless of which path you choose, your problem is how to expose these in the token. It can be done using mapper configurations.
For example, to expose Roles for the user, you'll want to create a "User Realm Role" mapper that adds your roles as a claim on the tokens. To do this:
click on "clients" in the left side menu
click on the client you're using
click on the "Mappers" tab
add a mapper of type "User Realm Role".
There are also mappers for "Group Membership" and "User Attribute" that can be used to add these two concepts as claims. If those aren't enough, or if you need more fine-grained control, you can roll your own custom mapper. See the Keycloak documentation and other questions here on Stack Overflow for how to do this.
Related
We are developing a keycloak(5.0.0) based solution where our clients can create their account with us and manage their own users - and only their users.
Initially with thought that we could use realms for this. Every client gets their own realm. After initial testing we deemed it might not be a good solution as after creating ~500 realms the application becomes unresponsive(https://issues.jboss.org/browse/KEYCLOAK-4593).
We decided to try using Groups to emulate a tenant. Our objective is to create during an external process(keycloak REST API) a group with an admin user.
Can't find currently a way how to restrict this administrator to be able to only manage their own group(creating subgroups, managing users, and giving them roles).
I've noticed several emails mentioning these features but I fail to find actual examples to make this work.
http://lists.jboss.org/pipermail/keycloak-user/2017-June/010882.html
http://lists.jboss.org/pipermail/keycloak-dev/2017-June/009496.html
The second link shows exactly what we would like to achieve.
Current alternative I can see is to implement a facade(client or separate web app) which would restrict visibility and access to other groups.
Are there other alternatives?
I'm having a bunch of apis which return several types of data.
All users can query all data by using a GET rest api.
A few users can also change data. What is a common approach when designing REST API, to query only the data that can be changed by the current user but still allow the api to return all data (for display mode).
To explain it further:
The software manages projects. All projects are accessible for all users (also anonymous) via an api (let's call it GET api/projects).
A user has the ability to see a list of all projects he is involved in and which he can edit.
The api should return exactly the same data but limited to the projects he is involed in.
Should I create an additonal parameter, or maybe pass an http header, or what else?
There's no one-size-fits-all answer to this, so I will give you one recommendation that works for some people.
I don't really like creating resources that have 'complex access control'. Instead, I would prefer to create distinct resources for different access levels.
If you want to return limit results for people that have partial access, it might be better to create new resources that reflect this.
I think this might also help a bit thinking about the abstract role of a person who is not allowed to do everything. The abstraction probably doesn't exist per-property, but it exists somewhere as a business rule.
Being new to perfect server side swift, I cannot find any packages that help with role based access authorization. In Spring there is for example,
.antMatchers("/homePage").access("hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')")
.antMatchers("/adminPage").access("hasRole('ROLE_ADMIN')")
Is there something already existing in perfect to help with this? Is there a recommended way of handling access control in perfect?
As you use perfect server, you may take a look at:
PerfectlySoft Perfect-Authentication
perfect.org authentication
perfect.org Turnstile
Perfect provides system level of authentication.
Firstly, you can go to github and search PerfectlySoft/Perfect-LocalAuthentication for user identity validation, however, it doesn't contain the role control as you asked.
It can be done in other approaches. For example, you can use Perfect-LDAP to access an LDAP server for all kinds of roles and groups.
I am working on an application where I need to setup identity server 4. I have an api as resource. and a web forms application as client.I have few roles like teachers, students, parents in my database. How can I use this custom database and perform authentication and authorization without using identity?
Please suggest.
From your other question here I get a better idea of what you want.
I think one solution for what you want would be to setup identityserver4 in a seperate project with its own seperate database. I noticed the tag identityserver3, but I think it is quite safe to go for identityserver4. It shouldn't make a difference for the client/user since they are conceptually compatible.
1) Give your application a client/secret (which you configure in identityserver) in order to identify your application and grant access to the resource api. Here is some information: http://docs.identityserver.io/en/dev/quickstarts/1_client_credentials.html
You'll only need to configure one client to protect your resource from the outside. The only way to access the resource api is through your application, since your application is making the actual calls. This is also the drawback, you cannot expose the token to the outside world.
Since your client isn't the actual user, you'll need to identify the user. You can use any mechanism based on your current model as you like. A simple user/pass (with or without asp.net identity) could be enough to determine the roles. But please keep in mind that your application has full access to the resource api.
2) However, since identityserver is available, why not use it? Why don't you want to use the identitymodel? I think you should consider to seperate the identity information and your datamodel. Your datamodel shouldn't be aware of the security. And the security has nothing to do with your datamodel.
When you create a seperate database for identityserver you have one place to configure the identity users. All you need is a reference (sub) to the user in the datamodel. http://docs.identityserver.io/en/dev/quickstarts/2_resource_owner_passwords.html
Add claims or roles and everything is in place and you'll see there is no need to keep identity data in your custom database. The structure of your custom database stays intact, including the user table but without the identity data.
I think this is a safer solution and considering the good documentation and sample projects it may even turn out to be a quicker solution.
I am designing a to-do list manager for the iPhone using GAE as the back end. My end goal is to create user sharable lists, and I was looking for some advice/examples of how to go about designing something like that. I know the google user API provides functionality for authenticating users, but from what I can tell any additional user management would be something I would need to implement myself.
Can something like this be done by simply adding usernames to a list that is a property of the data I want to share? I am guessing I am oversimplifying things, but any suggestions would be appreciated.
Thanks
you're right, app engine doesn't have any built in support for user ACLs or permissions, and a few quick web searches didn't immediately turn up any obvious open source libraries.
how to implement full-fledged permissions and ACLs for group sharing is definitely a nontrivial design question. there are a number of other questions here about it.
having said that, as a very rough first pass, you're probably on the right track with storing lists of users. i'd suggest that you abstract the list into separate Group entities, and attach those to yor data instead, so that users can define groups once instead of for every piece of data. i'd also consider storing separate lists of groups that can read vs write. finally, i'd store User properties in the group entities, instead of string usernames or email addresses.