如何在Keycloak中实现组成员资格JavaScript策略 [英] How to implement group-membership JavaScript policy in Keycloak
问题描述
一个 2岁的keycloak用户列表问题没有答案:
- 有一个名为 Project 的受保护资源
- 和所有者-项目经理
- 每个项目经理只能访问自己的项目(仅限所有者的策略).
- 项目经理依次向一个或多个投资组合经理报告.项目组合经理应能够访问其所有项目经理的项目(投资组合经理策略).
- there’s a protected resource called Project
- and an owner - a Project Manager
- Each project manager has access to only their own projects (owner-only policy).
- Project Managers in turn report to one or more Portfolio Managers. A Portfolio Manager should be able to access all his/her project managers' projects (portforlio-manager policy).
让我们假设系统设计是否灵活,这个事实是特定项目经理的项目组合经理.可以保留在Keycloak中(但不能保留为keycloak 组)或客户端应用本身.如何将其实现为基于JavaScrtipt的Keycloak中的授权政策?我猜请求可以通过某种方式注入此信息,但无法从文档中找出来.
Let’s assume the system design if flexible and this fact who are the Portfolio Managers for a particular Project Manager can be either kept inside Keycloak (but not as keycloak groups) or in the client app itself. How can this be implemented as a JavaScrtipt-based authorization policy in Keycloak? I guess the request can be injected with this info somehow but can’t figure it out from the docs.
推荐答案
事实证明这很容易.我决定将有关经理的信息保留在另一个数据库中,然后应用程序( service-nodejs
)需要将此信息作为对keycloak的声明.我已经在 service-nodejs keycloak快速入门上对此进行了测试..以下是相关的片段:
It turned out to be rather easy. I've decided to keep the info about managers in another database, and then the app (service-nodejs
) needs to pass this info as a claim to keycloak. I've tested this on the service-nodejs keycloak quickstart. Here are the relevant pieces:
// app.js route:
app.get('/service/project/:id',
keycloak.enforcer(['Project'], {
response_mode: 'permissions',
claims: (request) => {
return { "portfolio.managers": ['alice', 'bob'] } //hard-coded
}
}), function(req, res) {
res.json({ message: `got project "operation "` });
});
保护项目资源的策略是OwnerOnly和PortfolioManagers的总和:
The policy protecting the Project resource is an aggregated of OwnerOnly and PortfolioManagers:
// portfolio-managers-policy:
var context = $evaluation.getContext();
var identity = context.getIdentity();
var userid = identity.getAttributes().getValue('preferred_username').asString(0);
var managers = context.getAttributes().getValue('portfolio.managers')
if (!managers) {
print('managers not provided, cannot decide!');
$evaluation.deny();
} else {
// check if the user is one of the portfolio managers of this project:
for (var i = 0; i < managers.size(); i++) {
if (managers.asString(i) == userid) {
$evaluation.grant();
break;
}
}
}
请注意,为了调用令牌端点, service-nodejs
密钥斗篷客户端必须是机密.
Note that the service-nodejs
keycloak client must be confidential in order to call the token endpoint.
这篇关于如何在Keycloak中实现组成员资格JavaScript策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!