
Keycloak Authz

  • Authorization Services
  • Access control methods / Policy types
    • ABAC - Attribute-based access control
    • RBAC - Role-based access control
    • UBAC - User-based access control
    • CBAC - Context-based access control
    • Rule-based access control
      • rules can be written in JavaScript
    • Time-based access control
    • Custom access control mechanisms (ACMs) through the Policy SPI (Service Provider Interface)
| abbr | detail | role |
| --- | --- | --- |
| PAP | Policy Administration Point | Admin UI |
| PDP | Policy Decision Point | Authorization Services |
| PEP | Policy Enforcement Point | request interception |
| PIP | Policy Information Point | policy information source |
  • Authorization flow
    • Resource management
      • Create a resource server / Resource Server
      • Create resources / Resource
        • identified by e.g. a URL path, a UUID or an ID
      • Create and associate scopes / Scope
        • usually an Action + Resource pair
        • can be defined from resource attributes
    • Permission and policy management
      • Create policies / Policy
        • e.g. require a matching resource and scope
        • policies can be defined in JavaScript
      • Define permissions / Permission
        • Resource + Scope + Policy -> grant/deny
      • Apply policies to permissions
    • Policy Enforcement
      • add an interceptor to the service that asks Keycloak for the authorization decision
  • Authorization Services - the endpoints a backend uses to obtain and check permissions
    • Token Endpoint
      • the issued token carries the granted permissions (resources and scopes)
      • RPT - Requesting Party Token
    • Resource Management Endpoint
      • resource management - create, delete, find by ID, query
    • Permission Management Endpoint
      • issues permission tickets
  • Resources / Protection API
    • resource identifiers follow the UMA specification
    • the caller needs the uma_protection scope
  • Permission
    • decision strategies (how the votes of a permission's policies are combined)
      • Unanimous - default - every policy must grant
      • Affirmative - at least one policy must grant
      • Consensus - more policies grant than deny
Inside a JavaScript policy the runtime evaluation object is bound as `$evaluation`; the script decides by calling one of its two methods:

```js
// deny
$evaluation.deny();
// grant
$evaluation.grant();
```

The interfaces behind `$evaluation` (from Keycloak's authorization SPI; package and imports added for completeness):

```java
package org.keycloak.authorization.policy.evaluation;

import org.keycloak.authorization.permission.ResourcePermission;

public interface Evaluation {

    /**
     * Returns the {@link ResourcePermission} to be evaluated.
     *
     * @return the permission to be evaluated
     */
    ResourcePermission getPermission();

    /**
     * Returns the {@link EvaluationContext}. Which provides access to the whole evaluation runtime context.
     *
     * @return the evaluation context
     */
    EvaluationContext getContext();

    /**
     * Returns a {@link Realm} that can be used by policies to query information.
     *
     * @return a {@link Realm} instance
     */
    Realm getRealm();

    /**
     * Grants the requested permission to the caller.
     */
    void grant();

    /**
     * Denies the requested permission.
     */
    void deny();
}
```

```java
package org.keycloak.authorization.policy.evaluation;

import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.identity.Identity;

public interface EvaluationContext {

    /**
     * Returns the {@link Identity} that represents an entity (person or non-person) to which the permissions must be granted, or not.
     *
     * @return the identity to which the permissions must be granted, or not
     */
    Identity getIdentity();

    /**
     * Returns all attributes within the current execution and runtime environment.
     *
     * @return the attributes within the current execution and runtime environment
     */
    Attributes getAttributes();
}
```

Attributes

| name | type | desc |
| --- | --- | --- |
| kc.time.date_time | String | Current date and time - MM/dd/yyyy hh:mm:ss |
| kc.client.network.ip_address | String | IPv4 address of the client |
| kc.client.network.host | String | Client's host name |
| kc.client.id | String | The client id |
| kc.client.user_agent | String[] | The value of the 'User-Agent' HTTP header |
| kc.realm.name | String | The name of the realm |

PEP

UMA

Protection API endpoint for the UMA policies (user-managed permissions) attached to a resource:

http://${host}:${port}/auth/realms/${realm_name}/authz/protection/uma-policy/{resource_id}

Example

| Resource | Type | URI | Scopes |
| --- | --- | --- | --- |
| Admin Resources | http://photoz.com/admin | /admin/* | admin:manage |
| User Profile Resource | http://photoz.com/profile | /profile | profile:view |
| Album Resource | http://photoz.com/album | /album/* | album:delete, album:view |

Policies

  • Only Owner and Administrators Policy
    • type=aggregate decisionStrategy=AFFIRMATIVE
    • policies=Administration Policy, Only Owner Policy
  • Administration Policy
    • type=aggregate (default decision strategy, unanimous)
    • policies=Any Admin Policy, Only From a Specific Client Address
  • Only Owner Policy
    • type=js script=script-only-owner.js
  • Any Admin Policy
    • type=role logic=POSITIVE
    • roles=admin
  • Only From a Specific Client Address
    • type=js script=script-only-keycloak-domain-or-admin.js
  • Any User Policy
    • type=role logic=POSITIVE
    • roles=user, photoz-restful-api/manage-albums
  • Admin Resource Permission
  • Album Resource Permission
    • type=scope logic=POSITIVE
    • scopes=album:view, album:delete
    • resources=Album Resource
  • View User Permission
    • type=scope logic=POSITIVE
    • scopes=profile:view
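The policy tree above, the `$evaluation` API and the decision strategies, modelled in plain JavaScript as an added example that is not code from the page, from Keycloak or from the photoz quickstart. `makeEvaluation()` is a constructed stand-in for the object Keycloak binds as `$evaluation`; it imitates only `getPermission`/`getContext`/`grant`/`deny`, `Identity.getId`/`hasRealmRole`, `Resource.getOwner` and `Attributes.containsValue`. The two script bodies are illustrative versions of what script-only-owner.js and script-only-keycloak-domain-or-admin.js might do (their real contents are not on this page), the trusted address `127.0.0.1` and the request fixtures are assumptions, and the role, aggregate and scope-permission policies are expressed the way the page describes them.

```javascript
// Added example (not page, Keycloak or quickstart code): policy evaluation model.
const UNANIMOUS = 'UNANIMOUS';
const AFFIRMATIVE = 'AFFIRMATIVE';
const CONSENSUS = 'CONSENSUS';

// Build the $evaluation-like object for one request. grant()/deny() record the
// decision; a script that calls neither is treated as a deny, as in Keycloak.
function makeEvaluation({ ownerId, identityId, realmRoles = [], clientIp }) {
  let decision = 'deny';
  const identity = { getId: () => identityId, hasRealmRole: (r) => realmRoles.includes(r) };
  const runtimeAttrs = { 'kc.client.network.ip_address': [clientIp] };
  const attributes = { containsValue: (name, v) => (runtimeAttrs[name] || []).includes(v) };
  return {
    getPermission: () => ({ getResource: () => ({ getOwner: () => ownerId }) }),
    getContext: () => ({ getIdentity: () => identity, getAttributes: () => attributes }),
    grant: () => { decision = 'grant'; },
    deny: () => { decision = 'deny'; },
    result: () => decision,
  };
}

// Script bodies in the style of a Keycloak JavaScript policy, taking $evaluation
// as a parameter so they can be called directly (illustrative, see lead-in).
function onlyOwnerScript($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  const resource = $evaluation.getPermission().getResource();
  if (resource.getOwner() === identity.getId()) $evaluation.grant();
  else $evaluation.deny();
}

const TRUSTED_ADMIN_IP = '127.0.0.1'; // assumed address of the admin network
function onlyFromTrustedAddressScript($evaluation) {
  const attrs = $evaluation.getContext().getAttributes();
  if (attrs.containsValue('kc.client.network.ip_address', TRUSTED_ADMIN_IP)) $evaluation.grant();
  else $evaluation.deny();
}

// "Any Admin Policy" (type=role, roles=admin) expressed the same way.
function anyAdminScript($evaluation) {
  if ($evaluation.getContext().getIdentity().hasRealmRole('admin')) $evaluation.grant();
  else $evaluation.deny();
}

// A policy is a function from request input to 'grant' | 'deny'. script() wraps
// a script body; logic=NEGATIVE inverts the result, as Keycloak's logic flag does.
function script(body, logic = 'POSITIVE') {
  return (input) => {
    const ev = makeEvaluation(input);
    body(ev);
    const r = ev.result();
    return logic === 'NEGATIVE' ? (r === 'grant' ? 'deny' : 'grant') : r;
  };
}

// Decision strategies: UNANIMOUS (default) needs every child to grant,
// AFFIRMATIVE needs at least one, CONSENSUS needs more grants than denies.
function combine(votes, strategy) {
  const grants = votes.filter((v) => v === 'grant').length;
  const denies = votes.length - grants;
  if (strategy === UNANIMOUS) return grants > 0 && denies === 0 ? 'grant' : 'deny';
  if (strategy === AFFIRMATIVE) return grants > 0 ? 'grant' : 'deny';
  if (strategy === CONSENSUS) return grants > denies ? 'grant' : 'deny';
  throw new Error(`unknown decision strategy ${strategy}`);
}

// Aggregate policy: evaluates its children and applies its own strategy.
function aggregate(children, strategy = UNANIMOUS) {
  return (input) => combine(children.map((child) => child(input)), strategy);
}

// The tree from the Policies section.
const anyAdminPolicy = script(anyAdminScript);
const onlyFromSpecificClientAddress = script(onlyFromTrustedAddressScript);
const onlyOwnerPolicy = script(onlyOwnerScript);
const administrationPolicy = aggregate([anyAdminPolicy, onlyFromSpecificClientAddress]);
const onlyOwnerAndAdministrators = aggregate([administrationPolicy, onlyOwnerPolicy], AFFIRMATIVE);

// "Album Resource Permission": scope-based, album:view / album:delete, using that tree.
const ALBUM_SCOPES = ['album:view', 'album:delete'];
function albumPermission(scope, input) {
  if (!ALBUM_SCOPES.includes(scope)) return 'deny';
  return onlyOwnerAndAdministrators(input);
}

// Constructed requests (not real data): alice owns the album being accessed.
const ALBUM_OWNER = 'alice-id';
const aliceOwnAlbum = { ownerId: ALBUM_OWNER, identityId: 'alice-id', realmRoles: ['user'], clientIp: '10.0.0.5' };
const bobOnAlicesAlbum = { ownerId: ALBUM_OWNER, identityId: 'bob-id', realmRoles: ['user'], clientIp: '10.0.0.6' };
const adminFromTrustedHost = { ownerId: ALBUM_OWNER, identityId: 'admin-id', realmRoles: ['admin'], clientIp: TRUSTED_ADMIN_IP };
const adminFromElsewhere = { ownerId: ALBUM_OWNER, identityId: 'admin-id', realmRoles: ['admin'], clientIp: '203.0.113.7' };
```

The fourth fixture is the one worth noticing: an admin connecting from an untrusted address is denied, because Administration Policy is unanimous over its two children and the AFFIRMATIVE parent only rescues requests where the caller is also the owner.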