如何在Keycloak中实现组成员资格JavaScript策略 [英] How to implement group-membership JavaScript policy in Keycloak

问题描述

一个 2岁的keycloak用户列表问题没有答案:

1. 有一个名为 Project
的受保护资源
2. 和所有者-项目经理
3. 每个项目经理只能访问自己的项目(仅限所有者的策略).
4. 项目经理依次向一个或多个投资组合经理报告.项目组合经理应能够访问其所有项目经理的项目(投资组合经理策略).

1. there’s a protected resource called Project
2. and an owner - a Project Manager
3. Each project manager has access to only their own projects (owner-only policy).
4. Project Managers in turn report to one or more Portfolio Managers. A Portfolio Manager should be able to access all his/her project managers' projects (portforlio-manager policy).

让我们假设系统设计是否灵活，这个事实是特定项目经理的项目组合经理.可以保留在Keycloak中(但不能保留为keycloak 组)或客户端应用本身.如何将其实现为基于JavaScrtipt的Keycloak中的授权政策?我猜请求可以通过某种方式注入此信息，但无法从文档中找出来.

Let’s assume the system design if flexible and this fact who are the Portfolio Managers for a particular Project Manager can be either kept inside Keycloak (but not as keycloak groups) or in the client app itself. How can this be implemented as a JavaScrtipt-based authorization policy in Keycloak? I guess the request can be injected with this info somehow but can’t figure it out from the docs.

推荐答案

事实证明这很容易.我决定将有关经理的信息保留在另一个数据库中，然后应用程序( service-nodejs )需要将此信息作为对keycloak的声明.我已经在 service-nodejs keycloak快速入门上对此进行了测试..以下是相关的片段:

It turned out to be rather easy. I've decided to keep the info about managers in another database, and then the app (service-nodejs) needs to pass this info as a claim to keycloak. I've tested this on the service-nodejs keycloak quickstart. Here are the relevant pieces:

// app.js route:

app.get('/service/project/:id',
  keycloak.enforcer(['Project'], {
      response_mode: 'permissions', 
      claims: (request) => {
          return { "portfolio.managers": ['alice', 'bob'] } //hard-coded
      }
  }), function(req, res) {
      res.json({ message: `got project "operation "` });
  });

保护项目资源的策略是OwnerOnly和PortfolioManagers的总和:

The policy protecting the Project resource is an aggregated of OwnerOnly and PortfolioManagers:

// portfolio-managers-policy:

var context = $evaluation.getContext();
var identity = context.getIdentity();
var userid = identity.getAttributes().getValue('preferred_username').asString(0);
var managers =  context.getAttributes().getValue('portfolio.managers')

if (!managers) {
    print('managers not provided, cannot decide!');
    $evaluation.deny();
} else {
    // check if the user is one of the portfolio managers of this project:
    for (var i = 0; i < managers.size(); i++) {
        if (managers.asString(i) == userid) {
            $evaluation.grant();
            break;
        }
    }
}

请注意，为了调用令牌端点， service-nodejs 密钥斗篷客户端必须是机密.

Note that the service-nodejs keycloak client must be confidential in order to call the token endpoint.

这篇关于如何在Keycloak中实现组成员资格JavaScript策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！