I'm using Keycloak (21.0.0) to manage the authorization for my Spring Boot (2.7.10) application.
I have configured some resources that can only be accessed by certain users.
This works great!
Now I want to allow the admin to access all resources.
Here is an overview of my Keycloak configuration.
**Authorization - Settings**
Decision strategy: Affirmative
**Authorization - Resources**
name: all comments
URIs: /api/comments/*
Authorization scopes: GET
name: first comment
URIs: /api/comments/1
Authorization scopes: GET
**Authorization - Scopes**
name: GET
**Authorization - Policies**
[role policy]
Name: admin
Roles: admin
[user policy]
Name: fubar
Users: fubar
**Authorization - Permissions**
[Scope based]
Name: admin_can_read_all_comments
Resources: all comments
Authorization scopes: GET
Policies: admin
[Scope based]
Name: fubar_can_read_first_comment
Resources: first comments
Authorization scopes: GET
Policies: fubar
When I evaluate Fubar in the Keycloak web client, the all_comments resource evaluates to DENY and the first_comment resource evaluates to PERMIT. When I evaluate admin in the Keycloak web client, the all_comments resource evaluates to PERMIT and the first_comment resource evaluates to DENY.
I would expect that both fubar and admin can GET /api/comments/1.
But in reality the admin gets 403 when he tries to GET /api/comments/1.
Is this behavior expected?
I'm guessing this behavior is related to the implementation of the keycloak-policy-enforcer. What will the policy enforcer do when a URI maps to multiple resources with a different outcome?
Here is my Spring Boot Config:
```yaml
keycloak:
  securityConstraints:
    - authRoles:
        - "*"
  securityConstraints[0]:
    securityCollections[0]:
      patterns[0]: /*
  principal-attribute: preferred_username
  auth-server-url: http://kc-host:8080/auth
  realm: my-realm
  resource: my-authz-client
  bearer-only: true
  credentials:
    secret: s3cr3t
  policy-enforcer-config:
    http-method-as-scope: true
    lazy-load-paths: true
    enforcement-mode: enforcing
    path-cache-config:
      lifespan: 0
```
In Keycloak, evaluating a user's access to a resource typically involves the use of policies and permissions defined within Keycloak's Authorization Services.
You need to enable and configure Authorization Services in Keycloak. This involves setting up policies, permissions, resources, and scopes.
Resources: the things you want to protect, such as APIs, web pages, or any other resource. It is the target of the API.
Scopes: an action, like read, write, or delete, to be performed on the resource.
Permission: the association between resources and scopes. It decides whether access to a resource is allowed or not.
Policy: defines the conditions under which access to a resource is granted.
So the "fubar" user is assigned the "fubar" role. The "admin" user is assigned the "admin" role.
The "fubar policy" has two roles, admin role and fubar role. The "admin policy" has one role, admin role only.
The "fubar permission" has fubar policy and 1st comment resource. The "admin permission" has admin policy and all comment resource.
Evaluate the scenario for cases 1, 2, 3 and 4:
Case 1 : admin user access all comment resource
Case 2 : admin user access 1st comment resource
Case 3 : admin user access all comment resource
Case 4 : admin user access 1st comment resource
Reason explained
See the following picture. (Why)
Case 1: the all comments resource has the admin policy via the all permission; the admin policy has the admin role; the admin role has the admin user. So, the admin user can access the all resource.
Case 2: the 1st comment resource has the fubar policy via the 1st permission; the fubar policy has the admin role; the admin role has the admin user. So, the admin user can access the 1st resource.
Case 3: the all comments resource has the admin policy via the all permission; the admin policy has the admin role; the admin role has the admin user. So, the fubar user can't access the all resource.
Case 4: the 1st comment resource has the fubar policy via the 1st permission; the fubar policy has the fubar role; the fubar role has the fubar user. So, the fubar user can access the 1st resource.
If the "admin" user is accessing both resources despite being assigned only the "admin" role:
This fubar_policy can do it: assign roles for both my-client admin and my-client fubar.
This admin_policy only assigns the role for my-client admin.
[screenshot: Client roles]
[screenshot: Assign user for roles]
[screenshot: Resource setup]
[screenshot: Scope & Permission setup]
[screenshot: Mapping policy and permission]
Result
Admin: permit for both resources.
fubar: permit only for first_comment.
[screenshot: Evaluate API]
[screenshot: Payload]
[screenshot: Response Example]
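The following is an added toy model, not code from the question, the answer, or Keycloak itself. It reproduces the question's evaluation results (admin PERMIT on all_comments / DENY on first_comment, fubar the reverse) and the answer's four cases, and shows why the admin still gets a 403 on /api/comments/1 under the original policies. It assumes (labelled in comments) that the policy enforcer maps a request path to a single protected resource, preferring an exact URI over a wildcard pattern, and asks the server only about that resource's permissions; the `Permission`, `Principal`, `evaluate` and `enforce` names are this example's own.

```python
"""Toy model of Keycloak Authorization Services evaluation for the comments example.

Added illustration only; not Keycloak code. Assumption: the enforcer resolves a
request path to exactly one resource (exact URI beats wildcard) and evaluates
only the permissions attached to that resource under the Affirmative strategy.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permission:
    name: str
    resource: str        # protected resource name
    scopes: frozenset    # authorization scopes this permission covers
    policies: tuple      # names of policies that must all pass


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset


def role_policy(*roles):
    """Role policy: passes when the principal holds any of the listed roles."""
    return lambda p: bool(p.roles & set(roles))


def user_policy(*users):
    """User policy: passes when the principal is one of the listed users."""
    return lambda p: p.username in users


# Resources from the question (name -> URI)
RESOURCES = {
    "all comments": "/api/comments/*",
    "first comment": "/api/comments/1",
}

# Permissions from the question (scope based)
PERMISSIONS = [
    Permission("admin_can_read_all_comments", "all comments", frozenset({"GET"}), ("admin",)),
    Permission("fubar_can_read_first_comment", "first comment", frozenset({"GET"}), ("fubar",)),
]

# Policies as configured in the question: admin = role policy, fubar = user policy
QUESTION_POLICIES = {"admin": role_policy("admin"), "fubar": user_policy("fubar")}
# Policies as suggested in the answer: the fubar policy grants both client roles
ANSWER_POLICIES = {"admin": role_policy("admin"), "fubar": role_policy("admin", "fubar")}

ADMIN = Principal("admin", frozenset({"admin"}))
FUBAR = Principal("fubar", frozenset({"fubar"}))


def match_resource(path):
    """Assumption: exact URI match wins over a wildcard pattern (one resource per request)."""
    exact = [name for name, uri in RESOURCES.items() if uri == path]
    if exact:
        return exact[0]
    wild = [name for name, uri in RESOURCES.items() if fnmatchcase(path, uri)]
    return wild[0] if wild else None


def evaluate(principal, resource, scope, permissions, policies, strategy="Affirmative"):
    """Server-side decision for one resource/scope: 'PERMIT' or 'DENY'."""
    decisions = []
    for perm in permissions:
        if perm.resource != resource or scope not in perm.scopes:
            continue
        # a permission grants only if every policy attached to it passes
        decisions.append(all(policies[p](principal) for p in perm.policies))
    if not decisions:
        return "DENY"  # no permission covers this resource/scope at all
    if strategy == "Affirmative":
        return "PERMIT" if any(decisions) else "DENY"
    if strategy == "Unanimous":
        return "PERMIT" if all(decisions) else "DENY"
    raise ValueError(f"unknown strategy {strategy}")


def enforce(principal, method, path, permissions, policies):
    """Enforcer in enforcing mode with http-method-as-scope: HTTP status for the request."""
    resource = match_resource(path)
    if resource is None:
        return 403  # unmapped path is rejected in enforcing mode
    decision = evaluate(principal, resource, method, permissions, policies)
    return 200 if decision == "PERMIT" else 403


if __name__ == "__main__":
    for label, pol in (("question", QUESTION_POLICIES), ("answer", ANSWER_POLICIES)):
        for who in (ADMIN, FUBAR):
            for path in ("/api/comments/1", "/api/comments/2"):
                print(label, who.username, "GET", path, "->",
                      enforce(who, "GET", path, PERMISSIONS, pol))
```

Under the question's policies the request GET /api/comments/1 resolves to "first comment" (the exact match), whose only permission requires the fubar user policy, so the admin's otherwise broad "all comments" permission is never consulted and the result is 403; under the answer's policies the fubar policy also admits the admin role, so both users pass on /api/comments/1 while fubar is still denied on /api/comments/2.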