Keycloak-基于资源的角色和功能范围基础认证 [英] Keycloak - Resource based Role & scope base auth
问题描述
我有一种情况,我想限制用户进入密钥斗篷
我有用户
用户可以访问多个帐户在多个帐户中,可以使用管理员或代理(阅读者)
用户||| -------帐户1|||| -------管理员| -------帐户2|||| -------代理
我们如何在Keycloak中使用策略,权限和角色对此进行映射?
任何参考文档的任何示例都很有帮助
也基于:
- 关于
law
,我们只将他与Reader
和bank-reader
关联.
将客户范围与客户相关联
通过以下方式创建客户范围:
- 点击左侧>上的
Client Scopes
链接.点击Create
>在Name
字段中输入custom-client-scope
,然后点击Save.看起来应该像这样
- 点击左侧>上的
Clients
.选择my-demo-client
>点击顶部>上的Client Scopes
标签.为了方便起见,我们将其移至Assigned Default Client Scopes
.
检查访问令牌
我们可以通过Keycloak轻松为我们的设置生成访问令牌,以查看其外观.为此:
-
单击
客户范围
下的评估
选项卡. -
选择
paul
作为用户 -
点击蓝色的
Evaluate
按钮 -
点击
生成的访问令牌
.检查令牌时,请查找:-
resource_access
以查看与paul
相关联的客户端级别角色 -
realm_access
查看保罗
的领域级别角色 -
scope
来查看我们创建的名为custom-client-scope
的Client Scope
-
-
如果为
law
生成令牌,则与paul
相比,您会看到较少的角色.
政策评估后获得范围
继续我们的设置:
- 我已经创建了一个
account/{id}
资源,该资源具有两个称为account:read
和account:modify的
Authorization Scopes
像这样
- 此外,我还创建了两个基于角色的策略,分别称为
Only Reader Role Policy
和Only Admin Role Policy
,其中前者需要Reader
领域角色,而后者需要Admin
领域角色.这是一个示例供参考.
-
请注意,如果愿意,您可以在客户端级别进一步增强该策略,但我选择不这样做.
-
此外,我已经创建了两个基于范围的权限,称为
Read Account Scope Permission
和Modify Account Scope权限
. -
如果用户是
Admin管理员,则
Read Account Scope权限
将授予account:read
Authorization Scope
或一个阅读器
.这里要注意的一件事是,必须将决策策略设置为Affirmative
,以实现此行为.
- 另一方面,
-
修改帐户权限
向具有Admin
的用户授予account:modify
Authorization Scope
角色.
- 现在,如果您选择针对
Account Resource的用户
,他将被同时授予paul
(请记住他同时是Admin
和Reader
)进行评估account:read
和account:modify
Authorization Scopes
.让我们看看这是否正确.这是我们的Evaluate
屏幕,请注意,我没有将任何角色与paul
相关联,因为这已经通过Users
>完成.角色映射
标签
- 这是预期的评估结果
- 这是
法律
的评估结果.由于他不是Admin
管理员,因此将拒绝他account:modify
范围,但将为他授予account:read
范围.
- 最后,我们可以通过单击
Show Authorization Data
(显示授权数据)进一步确认这一点,其中显示了law
的访问令牌内的权限
希望这可以帮助您查看难题的每个部分在您的体系结构中的位置.干杯!
i have a scenario where i want to restrict the user in keycloak
i have user
user can have access to multiple accounts in multiple accounts, use can be Admin or agent (reader)
user
|
|
|-------account-1
| |
| |-------admin
|-------account-2
| |
| |-------agent
How can we map this in Keycloak with Policy, Permission, and role?
any reference document any example really helpful
also based from : Resources, scopes, permissions and policies in keycloak
From the answer of Andy, i have created one resource Account and role admin & agent.
created same policies as in example.
i am looking forward to add scopes (auth scope) and roles to JWT token how to map that part so that API gateway or service can verify further.
@changa, I've rewritten my answer based on our discussion. Hope this helps!
Let me first clarify some key areas before I answer. My main focus on the answer that you've linked was really on how to play around the Evaluate
tool and I didn't really dive too deeply into some of the concepts - so let's do that :)
In Keycloak, you'll encounter Client and Authorization Scopes. For a formal definition of these terms please check out the Core Concepts and Terms in the Server Administration Guide, but simply put:
Client Scopes are scopes which are granted to clients when they are requested via the scope
parameter (once the resource owner permits it). Note that there's also the concept of Default Client Scope
but I've chosen to keep things simple. Furthermore, you can leverage protocol and role scope mappers to tailor what claims and assertions are present in the access token.
Authorization Scopes on the other hand are granted to clients after successful evaluation of the policies against a protected resource. These scopes are not granted to clients based on user consent.
The key differences between the two is really when and how a client obtains these scopes. To help you visualize all of this, here's a scenario:
A renowned martial artist called
Bob
authenticates via KeycloakBob
get presented with a consent screen where he is asked to share his name, his fighting style and his age.Bob
chooses to give access to his name and fighting style but he declines to share his age.When we inspect the token now, we would see the following (completely made up) entries for the
scope
attribute of the access token:name
andfighting_style
.Additionally, let's assume that we've set up a couple of protocol mappers (e.g. User Attribute Mapper Type - there are a ton) to display the values for full name and fighting style via the following token claims:
fighter_name
andmartial_arts
when the twoClient Scopes
above are present in the access token. In addition to two previously mentioned scopes, we would also see something likefighter_name: Robert Richards
andmartial_arts: Freestyle Karate
when examining the access token.- Side Note: Given the length of this answer, I've decided to skip this topic but please check out this awesome video at around the 7 minute mark along with the associated GitHub Project for more information. The README is pretty good.
Additionally, let's assume that
Bob
is mapped to a realm role calledContestant
and a client role ofFighter
and we did place any restrictions in Keycloak when it comes to sharing this info. So in addition to all the things mentioned above, we would see that information inside the token as well.- Needless to say, this is an oversimplification on my part as I'm simply setting up the stage for demo. purposes and there's much more information inside the access token.
Bob
doesn't like how the tournament bracket is laid out as he's eager to fight the world champ as soon as possible, so he attempts to change his placement by sending a request againsttournament/tekken6/bracket/{id}
. This resource is associated with the scopebracket:modify
. Additionally, there is a permission which associates the resource in question with a role based policy namedReferee Role Required
. IfBob
were aReferee
then he would be granted thebracket:modify
scope but since he isn't, then he is denied that scope.- I've barely touched the surface when it comes to the inner workings of the Authorization process in Keycloak. For more information, check out this practical guide. You can do some pretty cool stuff with UMA.
Ok, so that's enough theory. Let's set up our environment to demo all of this. I'm using the following:
- A realm called
demo
- A client called
my-demo-client
- A client scope called
client_roles
- 2 users -
paul
andlaw
- Two realms level roles -
Admin
andReader
- Two client level roles -
demo-admin
anddemo-reader
Please note that I will using Keycloak 12.0.4 and I will skip almost all the basic setup instructions. I will only share the relevant bits. If you're not sure how to set this all up, please check out the Getting Started Guide or this answer. The answer contains steps for version 8 but the differences are very minor as far as I could tell.
Associating Users And Roles
In order to associate paul
with the Admin
, Reader
, bank-admin
and bank-reader
roles, please do the following:
- Click on
Users
>View all users
> Click on theID
value forpaul
> Click onRole Mappings
> UnderRealm Roles
moveAdmin
andReader
underAssigned Roles
> Selectmy-demo-client
under theClient Roles
select box and movedemo-admin
anddemo-reader
underAssigned Roles
like so
- As for
law
we'll just associate him withReader
andbank-reader
.
Associating a client scope with a client
Create a Client Scope by:
- Clicking on the
Client Scopes
link on the left > Click onCreate
> Entercustom-client-scope
for theName
field and Hit Save. It should look like this
- Click on
Clients
on the left > Select themy-demo-client
> Click on theClient Scopes
tab at the top > and let's just move it toAssigned Default Client Scopes
for convenience.
Inspecting the Access Token
We can easily generate an access token for our setup via Keycloak to see what it looks like. In order to do so:
Click on
Evaluate
tab underClient Scopes
.Select
paul
as the userClick on the blue
Evaluate
buttonClick on
Generated Access Token
. While inspecting the token, look for:resource_access
to see client level roles associated withpaul
realm_access
to seepaul
's realm level rolesscope
to see theClient Scope
that we created calledcustom-client-scope
If you generate a token for
law
, you would see less roles when compared topaul
.
Obtaining a Scope After Policy Evaluation
Continuing with our setup:
- I've created an
account/{id}
resource with twoAuthorization Scopes
calledaccount:read
andaccount:modify
like so
- Additionally, I've created two role based policies called
Only Reader Role Policy
andOnly Admin Role Policy
where the former requires theReader
realm role while the latter requires theAdmin
realm role. Here's an example for reference.
Note that you can further enhance that policy at the client level if you wish but to keep things simple, I chose not to do so.
Furthermore, I've created two scoped based permissions called
Read Account Scope Permission
andModify Account Scope Permission
.The
Read Account Scope Permission
will grant theaccount:read
Authorization Scope
if the user is either anAdmin
or aReader
. One key thing to notice here is the the Decision Strategy has to be set toAffirmative
in order to achieve this behavior.
Modify Account Permission
on the other hand grants theaccount:modify
Authorization Scope
to users with theAdmin
role.
- Now, if you choose the evaluate the user
paul
(remember he is bothAdmin
andReader
) against theAccount Resource
, he will be granted both theaccount:read
andaccount:modify
Authorization Scopes
. Let's see if this true. Here's ourEvaluate
screen and notice that I did not associate any roles withpaul
since this was already done via theUsers
>Role Mappings
tab
- And here are the results of that evaluation as predicted
- Here is the evaluation result for
law
. Since he's not anAdmin
he'll be denied theaccount:modify
scope but he'll be granted theaccount:read
scope.
- And finally, we can further confirm this by click on
Show Authorization Data
which shows the permissions inside the access token forlaw
Hopefully this helps you see where each piece of the puzzle fits in your architecture. Cheers!
这篇关于Keycloak-基于资源的角色和功能范围基础认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!