Skip to main content

Keycloak Authz

  • 授权服务
  • 访问控制方式 / Policy
    • ABAC - Attribute-based access control - 基于属性
    • RBAC- Role-based access control - 基于角色
    • UBAC - User-based access control - 基于用户
    • CBAC - Context-based access control - 基于上下文
    • Rule-based access control - 基于规则
      • 可以使用 JavaScript
    • Time-based access control - 基于时间
    • 通过策略 SPI (Service Provider Interface) 自定义访问控制机制 (ACMs - access control mechanisms)
abbrdetailrole
PAPPolicy Administration PointAdmin UI
PDPPolicy Decision PointAuthorization Services
PEPPolicy Enforcement Point请求拦截
PIPPolicy Information Point策略信息
RTPRequesting party token
  • 授权流程
    • 资源管理
      • 创建资源服务 / Resource Server
      • 创建资源 / Resource
        • 例如 URL PATH, UUID, ID
      • 创建和关联资源域 / Scope
        • 一般关联 Action+Resource
        • 可以通过资源属性定义
    • 权限和策略管理
      • 创建策略 / Policy
        • 例如 要求匹配 资源和 Scope
        • 支持 JavaScript 定义策略
      • 定义权限 / Permission
        • Resource + Scope + Policy -> grant/deny
      • 应用策略到权限
    • Policy Enforcement
      • 在服务中添加拦截,请求 Keycloak 进行鉴权
  • Authorization Services - 授权服务 - 提供接口给后端进行权限交互
    • Token Endpoint
      • Token 包含策略信息
      • RPT - Requesting Party Token
    • Resource Management Endpoint
      • 资源管理 - 创建、删除、FindByID、Query
    • Permission Management Endpoint
      • Issue Permission Tickets
  • 资源/Protection API
    • 满足 UMA 规范定义的资源标识符
    • 需要 uma_protection scope
  • 权限/Permission
    • 权限决策策略
      • Unanimous - 默认 - 所有都允许
      • Affirmative - 至少一个允许
      • Consensus - 至少一半以上允许
// 拒绝
$evaluation.deny();
// 允许
$evaluation.grant();
public interface Evaluation {

/**
* Returns the {@link ResourcePermission} to be evaluated.
*
* @return the permission to be evaluated
*/
ResourcePermission getPermission();

/**
* Returns the {@link EvaluationContext}. Which provides access to the whole evaluation runtime context.
*
* @return the evaluation context
*/
EvaluationContext getContext();

/**
* Returns a {@link Realm} that can be used by policies to query information.
*
* @return a {@link Realm} instance
*/
Realm getRealm();

/**
* Grants the requested permission to the caller.
*/
void grant();

/**
* Denies the requested permission.
*/
void deny();
}

public interface EvaluationContext {
/**
* Returns the {@link Identity} that represents an entity (person or non-person) to which the permissions must be granted, or not.
*
* @return the identity to which the permissions must be granted, or not
*/
Identity getIdentity();
/**
* Returns all attributes within the current execution and runtime environment.
*
* @return the attributes within the current execution and runtime environment
*/
Attributes getAttributes();
}

Attributes

nametypedesc
kc.time.date_timeStringCurrent date and time - MM/dd/yyyy hh:mm:ss
kc.client.network.ip_addressStringIPv4 address of the client
kc.client.network.hostStringClient’s host name
kc.client.idStringThe client id
kc.client.user_agentString[]The value of the 'User-Agent' HTTP header
kc.realm.nameStringThe name of the realm

PEP

UMA

http://${host}:${port}/auth/realms/${realm_name}/authz/protection/uma-policy/{resource_id}

Example

ResourceTypeURIScopes
Admin Resourceshttp://photoz.com/admin/admin/*admin:manage
User Profile Resourcehttp://photoz.com/profile/profileprofile:view
Album Resourcehttp://photoz.com/album/album/*album:delete
album:view

Policies

  • Only Owner and Administrators Policy
    • type=aggregate AFFIRMATIVE
    • Administration Policy,Only Owner Policy
  • Administration Policy
    • type=aggregate
    • Any Admin Policy,Only From a Specific Client Address
  • Only Owner Policy
    • script-only-owner.js
  • Any Admin Policy
    • type=role logic=POSITIVE
    • roles=admin
  • Only From a Specific Client Address
    • script-only-keycloak-domain-or-admin.js
  • Any User Policy
    • type=role logic=POSITIVE
    • roles=user,photoz-restful-api/manage-albums
  • Admin Resource Permission
  • Album Resource Permission
    • type=scope logic=POSITIVE
    • scopes=album:view,album:delete
    • resources=Album Resource
  • View User Permission
    • type=scope logic=POSITIVE
    • scopes=profile:view

Permission

{
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
"audience:": "resource_server_client_id",
"permission": ["Resource A#Scope A"],
"ticket": "permission_ticket"
}
{
"access_token": "${rpt}"
}
  • Requesting party token
{
"authorization": {
"permissions": [
{
"resource_set_id": "d2fe9843-6462-4bfc-baba-b5787bb6e0e7",
"resource_set_name": "Hello World Resource"
}
]
}
}