使用keycloak限制单个领域中的客户端访问 [英] Restrict client access in a single realm with keycloak

问题描述

我有一个包含3个单页应用程序和一个共享后端的单一领域.我想限制对其中一个SPA的访问，以使没有特定角色的用户无法登录.

I have a single realm with 3 single-page applications and a shared backend. I want to restrict the access to one of the SPAs so that users without a specific role can't log in.

但是，一旦您在领域中创建了一个用户，该用户便可以登录到每个SPA客户端.我可以限制后端的端点，但是我不想以编程方式拒绝特定SPA中的用户，而是自动在登录页面上.

But once you create a user in the realm, he can log in to every SPA client. I can restrict the endpoints of the backend but I don't want to programmatically reject the user in the specific SPA but automatically on the login page.

在这种情况下，我尝试使用似乎没有作用的客户端角色.到目前为止，我发现的唯一解决方案是创建单独的领域，我认为这在概念上是正确的方法，但不幸的是提出了一些实际问题，例如一个域的管理员必须能够管理另一域的CRUD用户，而这似乎是很不直观的.

I tried to use client roles which don't seem to have an effect in this case. The only solution I have found so far is to create separate realms which I think is conceptually the correct way but unfortunately brings up some practical issues, e.g. the administrators of one realm must be able to manage (CRUD) users of another realm which seems fairly unintuitive.

推荐答案

users without a specific role can't log in-不是很好的要求.如果用户没有登录(身份验证)就具有特定角色，系统如何知道? Keycloak提供Open ID Connect SSO协议，该协议被指定用于身份验证.在成功进行OIDC身份验证之后，将生成令牌，该令牌也可能包含用户角色.因此只有授权才能应用.因此，让我们将要求更改为:users without a specific role can't access SPA，它更适合OIDC概念.

users without a specific role can't log in - it isn't good requirement. How system will known if user has a specific role without log in (authentication)? Keycloak provides Open ID Connect SSO protocol, which is designated for authentication. After successful OIDC authentication is token generated, which may contains also user role. So only then authorization can be applied. So let's change requirement to: users without a specific role can't access SPA, which better fits into OIDC concept.

成熟的OIDC SPA库提供authorization guard(名称可以不同，这是某种后期登录功能)，可以在其中实现授权.授权通常需要在令牌中扮演特定角色，否则用户将被重定向到自定义路由，例如/unauthorized.在该页面上，您可以说出拒绝访问的原因.常见的用例也是根据用户角色定制应用程序.例如，具有管理员角色的用户将在菜单中看到比标准用户更多的项目-这也是一种授权.具有授权保护功能的SPA库的随机示例(我并不是说这是最好的实现)-

The mature OIDC SPA libraries offer authorization guard (name can differs, it is some kind of post login function), where authorization can be implemented. Authorization requires to have a specific role in the token usually, otherwise user is redirected to the custom route, e.g./unauthorized. That's the page, where you can say a reason for denying access. Common use case is also customization of the app based on the user roles. For example users with admin role will see more items in the menu than standard users - that's also kind of authorization. Random example of SPA library with authorization guard (I'm not saying that's a best implementation) - https://github.com/damienbod/angular-auth-oidc-client/issues/441

请记住，SPA不是安全"的. -用户可能会篡改浏览器中的代码/数据，因此从理论上讲，用户可以跳过浏览器中的任何授权.他可能会访问SPA，因此在后端(API)端也具有适当的授权很重要.攻击者可能可以访问SPA，但是如果API拒绝了他的请求，它将毫无用处.

Keep in mind that SPA is not "secure" - user may tamper code/data in the browser, so in theory user may skip any authorization in the browser. He may get access to SPA, so it's is important to have proper authorization also on the backend (API) side. Attacker may have an access to SPA, but it will be useless if API denies his requests.

顺便说一句:您可以在互联网上找到有关如何使用自定义脚本(例如，自定义脚本映射器，它将测试角色存在)向Keycloak客户端添加授权的黑手党建议.那是可怕的架构方法-它正在解决身份验证过程中的授权.尚不清楚用户为什么无法登录-是由于凭据错误或由于某些身份验证过程中需要某些角色.

BTW: You can find hackish advices on the internet how to add authorization to the Keycloak client with custom scripting (e.g. custom scripted mapper, which will test role presence). That is terrible architecture approach - it is solving authorization in the authentication process. It won't be clear why user can't log in - if it is because credentials are wrong or because something requires some role in the authentication process.

这篇关于使用keycloak限制单个领域中的客户端访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！