Keycloak Authz
- 授权服务
- 访问控制方式 / Policy
- ABAC - Attribute-based access control - 基于属性
- RBAC- Role-based access control - 基于角色
- UBAC - User-based access control - 基于用户
- CBAC - Context-based access control - 基于上下文
- Rule-based access control - 基于规则
- 可以使用 JavaScript
- Time-based access control - 基于时间
- 通过策略 SPI (Service Provider Interface) 自定义访问控制机制 (ACMs - access control mechanisms)
abbr | detail | role |
---|---|---|
PAP | Policy Administration Point | Admin UI |
PDP | Policy Decision Point | Authorization Services |
PEP | Policy Enforcement Point | 请求拦截 |
PIP | Policy Information Point | 策略信息 |
RTP | Requesting party token |
- 授权流程
- 资源管理
- 创建资源服务 / Resource Server
- 创建资源 / Resource
- 例如 URL PATH, UUID, ID
- 创建和关联资源域 / Scope
- 一般关联 Action+Resource
- 可以通过资源属性定义
- 权限和策略管理
- 创建策略 / Policy
- 例如 要求匹配 资源和 Scope
- 支持 JavaScript 定义策略
- 定义权限 / Permission
- Resource + Scope + Policy -> grant/deny
- 应用策略到权限
- 创建策略 / Policy
- Policy Enforcement
- 在服务中添加拦截,请求 Keycloak 进行鉴权
- 资源管理
- Authorization Services - 授权服务 - 提供接口给后端进行权限交互
- Token Endpoint
- Token 包含策略信息
- RPT - Requesting Party Token
- Resource Management Endpoint
- 资源管理 - 创建、删除、FindByID、Query
- Permission Management Endpoint
- Issue Permission Tickets
- Token Endpoint
- 资源/Protection API
- 满足 UMA 规范定义的资源标识符
- 需要 uma_protection scope
- 权限/Permission
- 权限决策策略
- Unanimous - 默认 - 所有都允许
- Affirmative - 至少一个允许
- Consensus - 至少一半以上允许
- 权限决策策略
// 拒绝
$evaluation.deny();
// 允许
$evaluation.grant();
public interface Evaluation {
/**
* Returns the {@link ResourcePermission} to be evaluated.
*
* @return the permission to be evaluated
*/
ResourcePermission getPermission();
/**
* Returns the {@link EvaluationContext}. Which provides access to the whole evaluation runtime context.
*
* @return the evaluation context
*/
EvaluationContext getContext();
/**
* Returns a {@link Realm} that can be used by policies to query information.
*
* @return a {@link Realm} instance
*/
Realm getRealm();
/**
* Grants the requested permission to the caller.
*/
void grant();
/**
* Denies the requested permission.
*/
void deny();
}
public interface EvaluationContext {
/**
* Returns the {@link Identity} that represents an entity (person or non-person) to which the permissions must be granted, or not.
*
* @return the identity to which the permissions must be granted, or not
*/
Identity getIdentity();
/**
* Returns all attributes within the current execution and runtime environment.
*
* @return the attributes within the current execution and runtime environment
*/
Attributes getAttributes();
}
Attributes
name | type | desc |
---|---|---|
kc.time.date_time | String | Current date and time - MM/dd/yyyy hh:mm:ss |
kc.client.network.ip_address | String | IPv4 address of the client |
kc.client.network.host | String | Client’s host name |
kc.client.id | String | The client id |
kc.client.user_agent | String[] | The value of the 'User-Agent' HTTP header |
kc.realm.name | String | The name of the realm |