version: 24.0.2
See: https://www.keycloak.org/documentation
See: https://www.keycloak.org/docs/latest/authorization_services/index.html
- Resource Servers: managed using the Keycloak Administration Console. There you can enable any registered client application as a resource server and start managing the resources and scopes you want to protect. A resource can be a web page, a RESTful resource, a file in your file system, an EJB, and so on. A resource can represent a group of resources (just like a class in Java) or a single, specific resource. For instance, you might have a Bank Account resource that represents all bank accounts and use it to define the authorization policies common to all of them; you might then define specific policies for Alice Account (a resource instance belonging to one customer), where only the owner may access some information or perform an operation. Resources can be managed using the Keycloak Administration Console or the Protection API; in the latter case, resource servers manage their resources remotely.
- Policies
- Permission
A permission associates the object being protected with the policies that must be evaluated to determine whether access is granted.
X CAN DO Y ON RESOURCE Z
where …
X represents one or more users, roles, or groups, or a combination of them. You can also use claims and context here.
Y represents an action to be performed, for example, write, view, and so on.
Z represents a protected resource, for example, "/accounts".
- Create a realm
- Create a client app
  - Enable Client Authentication (Authorization services need a confidential client, i.e. one with a client secret or other credential)
  - Enable Authorization (this turns the client into a resource server)
  - Enable the authentication flows you need:
    - Standard flow
    - Direct access grants
    - Service accounts roles
- Once Authorization is enabled, the client gets an Authorization tab with these sub-tabs:
- Settings
  - Policy Enforcement Mode
    - Enforcing: requests are denied by default, even for a resource that has no permission attached to it.
    - Permissive: requests are allowed when a resource has no permission attached to it.
    - Disabled: no evaluation at all; access to every resource is allowed.
  - Decision strategy (resource-server level: how the results of all permissions that apply to a resource/scope are combined)
    - Unanimous: grant only if every applicable permission grants; a single negative result denies.
    - Affirmative: grant if at least one applicable permission grants.
  - Remote resource management: if off, resources can be managed only from the admin console; if on, the resource server can also create, update and delete them through the Protection API.
- Core concepts (Resources, Scopes, Policies, Permissions sub-tabs)
  - Resource: an object being protected; an asset of the app or organisation (a URI, a REST endpoint, a file, ...).
  - Scope: a bounded extent of access that can be performed on a resource; think verbs (e.g. view, edit, delete, cost).
  - Policy: the condition under which access is granted (role, group, user, client, time, JS, ...). A policy knows nothing about resources; it is attached to one through a permission.
  - Permission: X CAN DO Y ON RESOURCE Z
    - X: users, roles, groups, clients, ... (expressed as policies)
    - Y: an action, i.e. a scope, e.g. write, view, ...
    - Z: a protected resource, e.g. "/accounts"
    - Decision strategy (permission level: how the policies attached to this one permission are combined)
      - Unanimous: every policy must grant; a single negative decision denies.
      - Affirmative: at least one policy must grant.
      - Consensus: positive decisions must outnumber negative decisions.
    - Resource-based permission targets
      - a specific resource (or list of resources), or
      - a resource type (applies to every resource of that type, including ones created later)
    - Scope-based permission targets one or more scopes, optionally narrowed to given resources: X CAN DO Y ON RESOURCE Z with Y being a scope
- Evaluate: simulate a decision for a chosen user/roles/client against a resource and scope without sending a real request
- Export: dump the whole authorization configuration (resources, scopes, policies, permissions) as JSON, so it can be imported into another client or realm
- Default configuration (created automatically when Authorization is enabled)
  - Default Resource: matches all resources (URI /*). Its Type is urn:<client-id>:resources:default; a type can be used to group resources together.
  - Default Policy (described in the console as granting access only for users within this realm): a JavaScript-based policy whose body is $evaluation.grant(); i.e. it grants unconditionally.
  - Default Permission: resource-based, targets the default resource type and applies the Default Policy.
  - Net effect: until you add stricter policies, every identity evaluated against the resource server is granted.
  - Export and import the configuration (Export tab; import via the client/realm import)
- Can I cover resources that do not exist yet?
  - Define an upper level instead of individual resources: a resource type acts as a domain of resources.
  - Use Types: a resource-based permission that targets a type applies to every resource carrying that type, including ones registered later (e.g. per-customer accounts created through the Protection API). The permission's policies define the conditions under which that type may be accessed.
- Policy types (Policies tab)
  - JS (the default policy uses this): arbitrary JavaScript against $evaluation; creating new ones from the console requires the scripts feature, otherwise they must be deployed in a JAR
  - Aggregated: a composite of other policies
  - Client: by client
  - Client Scope: by client scope
  - Group: by group
  - User: by user
  - Regex: a claim value matched against a regular expression
  - Role: by role
  - Time: time condition
- Permission types (Permissions tab)
  - Resource-based permission: requires a Resource (or a resource type)
  - Scope-based permission: requires an Authorization scope (optionally narrowed to given resources)
- Policies: Role policy
  - Roles: Realm roles or Client roles
  - Logic: Positive (grant when the user has the role) or Negative (grant when the user does NOT have the role)
  - Steps: name the role policy, pick the roles, choose the logic (True/Positive or False/Negative), and optionally mark a role as Required (a required role must always be present; otherwise any one of the listed roles is enough)
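To make the decision strategies, enforcement modes, default configuration, resource types and Positive/Negative role logic above concrete, here is an added Python model. It is not Keycloak code: it reads a constructed authorization export in the same field layout the Export tab produces (trimmed to the fields these notes discuss) for a hypothetical client `bank-api`, and answers Evaluate-tab style questions offline. The resource names, scopes, role names and policy names are invented; the JavaScript policy is not executed, only the default `$evaluation.grant();` body is recognised.

```python
"""Toy model of Keycloak's permission evaluation: added example, not Keycloak code.
Reads the field layout of a client's authorization export (only the fields the
notes discuss) and answers Evaluate-tab style questions offline."""
import json

# Constructed export for a hypothetical client with client ID "bank-api".
# The first resource, policy and permission mirror what Keycloak creates when
# Authorization is enabled; "Bank Account", the two role policies and
# "Withdraw Permission" are invented additions. Permissions live in "policies"
# with type "resource" / "scope", as in a real export.
SETTINGS = json.loads(r'''{
  "policyEnforcementMode": "ENFORCING",
  "decisionStrategy": "UNANIMOUS",
  "resources": [
    {"name": "Default Resource", "type": "urn:bank-api:resources:default",
     "uris": ["/*"]},
    {"name": "Bank Account", "type": "urn:bank-api:resources:account",
     "uris": ["/accounts/*"], "scopes": [{"name": "view"}, {"name": "withdraw"}]}
  ],
  "policies": [
    {"name": "Default Policy", "type": "js", "logic": "POSITIVE",
     "config": {"code": "$evaluation.grant();"}},
    {"name": "Only Tellers", "type": "role", "logic": "POSITIVE",
     "config": {"roles": "[{\"id\":\"teller\",\"required\":false}]"}},
    {"name": "Not Frozen", "type": "role", "logic": "NEGATIVE",
     "config": {"roles": "[{\"id\":\"frozen\",\"required\":false}]"}},
    {"name": "Default Permission", "type": "resource", "decisionStrategy": "UNANIMOUS",
     "config": {"defaultResourceType": "urn:bank-api:resources:default",
                "applyPolicies": "[\"Default Policy\"]"}},
    {"name": "Withdraw Permission", "type": "scope", "decisionStrategy": "UNANIMOUS",
     "config": {"resources": "[\"Bank Account\"]", "scopes": "[\"withdraw\"]",
                "applyPolicies": "[\"Only Tellers\",\"Not Frozen\"]"}}
  ]
}''')

PERMISSION_TYPES = ("resource", "scope")


def policy_vote(policy, user_roles):
    """Evaluate one policy for a user holding `user_roles`: True = grant."""
    kind, cfg = policy["type"], policy.get("config", {})
    if kind == "js":
        # JavaScript is not executed here; only the default grant body is recognised.
        result = "$evaluation.grant()" in cfg.get("code", "")
    elif kind == "role":
        roles = json.loads(cfg["roles"])
        required_ok = all(r["id"] in user_roles for r in roles if r.get("required"))
        result = required_ok and any(r["id"] in user_roles for r in roles)
    else:
        raise ValueError(f"policy type {kind} not modelled")
    # Logic NEGATIVE flips the outcome: grant when the condition does NOT hold.
    return result if policy.get("logic", "POSITIVE") == "POSITIVE" else not result


def combine(strategy, votes):
    """Apply a decision strategy to a non-empty list of True/False votes."""
    grants = sum(votes)
    denies = len(votes) - grants
    if strategy == "UNANIMOUS":
        return denies == 0       # one negative decision denies
    if strategy == "AFFIRMATIVE":
        return grants > 0        # one positive decision is enough
    if strategy == "CONSENSUS":
        return grants > denies   # positives must outnumber negatives
    raise ValueError(f"unknown decision strategy {strategy}")


def permission_applies(perm, resource, scope):
    """Does this permission cover the (resource, scope) pair being asked about?"""
    cfg = perm["config"]
    if perm["type"] == "resource":
        # Resource-based: a resource type covers every resource of that type,
        # including ones registered later; otherwise a list of named resources.
        if "defaultResourceType" in cfg:
            return resource["type"] == cfg["defaultResourceType"]
        return resource["name"] in json.loads(cfg.get("resources", "[]"))
    # Scope-based: the scope must match; a resource list, if given, narrows it.
    named = json.loads(cfg.get("resources", "[]"))
    return scope in json.loads(cfg["scopes"]) and (not named or resource["name"] in named)


def evaluate(settings, user_roles, resource_name, scope=None):
    """Mimic the Evaluate tab: may a user with `user_roles` do `scope` on the resource?"""
    mode = settings.get("policyEnforcementMode", "ENFORCING")
    if mode == "DISABLED":
        return True              # evaluation switched off entirely
    resource = next(r for r in settings["resources"] if r["name"] == resource_name)
    policies = {p["name"]: p for p in settings["policies"] if p["type"] not in PERMISSION_TYPES}
    decisions = []
    for perm in settings["policies"]:
        if perm["type"] not in PERMISSION_TYPES or not permission_applies(perm, resource, scope):
            continue
        # Each permission combines its own policies with its own decision strategy...
        votes = [policy_vote(policies[n], user_roles)
                 for n in json.loads(perm["config"]["applyPolicies"])]
        decisions.append(combine(perm.get("decisionStrategy", "UNANIMOUS"), votes))
    if not decisions:
        # Nothing protects this resource/scope: ENFORCING denies, PERMISSIVE allows.
        return mode == "PERMISSIVE"
    # ...and the resource server combines the permissions with the Settings-tab strategy.
    return combine(settings["decisionStrategy"], decisions)


if __name__ == "__main__":
    for roles, res, scope in [({"teller"}, "Bank Account", "withdraw"),
                              ({"teller", "frozen"}, "Bank Account", "withdraw"),
                              ({"customer"}, "Bank Account", "view")]:
        print(sorted(roles), res, scope, "->", "GRANT" if evaluate(SETTINGS, roles, res, scope) else "DENY")
```

Running it shows a teller can withdraw, a frozen teller cannot (the Negative-logic policy flips to deny and Unanimous then denies the whole permission), and a customer asking for `view` is denied only because the mode is Enforcing: no permission targets that scope, so switching the resource server to Permissive flips that last answer to grant. Changing "Withdraw Permission" to Affirmative would let a customer withdraw, since "Not Frozen" alone grants; that is exactly why Unanimous is the safer default for permissions that mix allow and deny conditions.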
- Order of setup (each level builds on the previous one):
  - realm
  - realm role
  - client (the resource server)
  - scope
  - resource
  - policy
  - permission (scope- or resource-based)
- Summary
  - Permission
    - Resource-based: works on resources directly
    - Scope-based: works on scopes, or on scopes together with resources
  - Resources: objects users will access or perform an action on
  - Authorization Scopes: actions users can perform on a specific object
  - Policies: the conditions (role, group, user, time, ...) that protect resources; fine-grained and able to mix different access control mechanisms
  - Permissions: where the actual mapping happens, tying resources/scopes to policies
See: https://medium.com/@harsh.manvar111/keycloak-authorization-service-rbac-1c3204a33a50