Restricting user access to clients (aka RBAC for clients)


Sven-Torben Janus

Jul 26, 2021, 12:03:32 PM
to Keycloak Dev
Hello!

I get some requests from customers for restricting access to certain clients to a specific set of users, or a group, or a role on a per client basis.

Since Keycloak 13, we have the ability to set this up with Allow/Deny Access authenticators and conditional flows. I think this was a huge step forward to support their needs. However, in practice this tends to be a bit cumbersome and inflexible, especially when many clients are involved. That is because of the need to set up a new authentication flow for each new role and client combination and use authentication flow overrides for every client.

I wrote a little extension a while back to support this use case. You can find details on the GitHub project page.

I would like to have your opinion on whether I could/should file a feature request for this. Do you see a chance for such a feature in Keycloak?

Regards
Sven-Torben

Thomas Darimont

Jul 26, 2021, 12:33:39 PM
to Keycloak Dev
Hi Sven-Torben,

thanks for sharing your extension, I'll check it out!
A while ago there was a discussion about multiple approaches to restrict access to clients based on some condition.

Based on that discussion I also built two authenticator PoCs:

Perhaps you find that interesting too :)

Cheers,
Thomas

Sven-Torben Janus

Jul 27, 2021, 3:42:22 AM
to Keycloak Dev
Thanks for the pointer to that discussion, Thomas.
I will have a look at your PoCs as well.

Regards
Sven-Torben

Stian Thorgersen

Jul 27, 2021, 6:59:37 AM
to Sven-Torben Janus, Keycloak Dev
We would definitely like to have some pluggable (SPI) approach for this purpose, where some sensible implementations could be "Keycloak Authorization Services" and "OPA". We would probably also want something simpler that is just based on roles. The simplest I can think of is really just to require at least one client role.


Thomas Darimont

Jul 27, 2021, 7:55:59 AM
to Keycloak Dev
Hi Stian,

I think it is possible to do that with a version of my authz authenticator [1] combined with a custom `org.keycloak.authorization.policy.provider.PolicyProvider` implementation
which evaluates an OPA policy with the data from the current EvaluationContext (user, (user roles, groups, attributes), client).
Or do you really want to introduce a dedicated "AuthorizationProvider" layer with the two implementations KeycloakAuthorizationProvider and OpaAuthorizationProvider?

However, I think it would be more convenient for users if they had simpler ways to configure this instead of having to declare an authz policy.

In the client configuration we could have a new section: "Access Management" or "Access Policies".
In this section there could be a simple setting like:
- "Required Roles" -> specify the roles that users need to have in order to access this client, default empty.
- "Required Groups" -> specify the groups that users need to be members of in order to access this client, default empty.
- "Required Attributes" -> specify the attributes that users need to have in order to access this client, default empty.
- "Required Policy Outcome" -> specify the policies that need to evaluate to a certain outcome in order to access this client, default empty.
- "Default Access" -> Deny / Allow

Some options probably need some additional configuration to configure things like:
- require all / at least one role / attribute / group membership
- logic: positive / negative

Btw. it would be cool if there were a way to group clients within a realm to bind access policies to a set of clients, either via explicit client groups, or based on tags / labels.

Cheers,
Thomas
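As an added illustration of the "Required Roles" setting sketched above and of Stian's "at least one client role" variant (example code written for this thread, not code from either linked PoC or from Keycloak itself), here is a minimal Authenticator against the Keycloak 13 authentication SPI; the class name, the package and the config key `required.roles` are assumptions, and the matching AuthenticatorFactory is omitted.

```java
package example.keycloak; // hypothetical package, not part of any PoC

import java.util.Arrays;
import java.util.stream.Stream;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

/**
 * Denies the login unless the user holds at least one required client role
 * of the client being logged into. Role names come from the (assumed)
 * authenticator config key "required.roles", comma separated; when the key
 * is absent or empty, holding any client role is enough (the simplest variant).
 */
public class RequiredClientRoleAuthenticator implements Authenticator {

    static final String CONFIG_ROLES = "required.roles"; // assumed config key

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        ClientModel client = context.getAuthenticationSession().getClient();
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        String names = cfg == null ? null : cfg.getConfig().get(CONFIG_ROLES);

        // Empty config: any role defined on this client; otherwise only the listed ones.
        // Unknown role names resolve to null and are skipped rather than granting access.
        Stream<RoleModel> candidates = (names == null || names.trim().isEmpty())
                ? client.getRolesStream()
                : Arrays.stream(names.split(",")).map(String::trim)
                        .map(client::getRole).filter(r -> r != null);

        if (candidates.anyMatch(user::hasRole)) {
            context.success();
        } else {
            // Record the denial in the event log so it can be audited and alerted on.
            context.getEvent().error(Errors.ACCESS_DENIED);
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; } // must run after the user is known
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because `requiresUser()` returns true, the execution must be placed after the credential steps in the browser flow; composite roles are honoured since `UserModel.hasRole` expands them.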

Sven-Torben Janus

Jul 30, 2021, 2:07:19 AM
to Keycloak Dev
Hey Stian,

thanks for your feedback on this.
What could such an SPI look like? Would that simply be an additional authenticator that chooses a provider (via configuration) and passes the AuthenticationFlowContext from Authenticator.authenticate to the chosen provider?

Is it that simple or do you have something more substantial in mind here?

Regards
Sven-Torben


Sven-Torben Janus

Jul 30, 2021, 2:30:10 AM
to Keycloak Dev
Hey all,

I fully agree with Thomas when he said
> However, I think it would be more convenient for users if they had simpler ways to configure this instead of having to declare an authz policy.

The most common question I get from my customers is whether they can restrict access to a certain group or role. Most don't have the need for policies. 

Another requirement I get a lot is to simply distinguish two types of clients, where some clients should be accessible by (internal) employees only and the others by employees and (external) partners.
Currently this is cumbersome to configure. Since Keycloak 13 at least Deny/Allow Access authenticators can be used with conditional flows. But you need to have at least two flows, one for each type of client. Then you need to use authentication flow overrides to assign them. This is especially cumbersome with a large number of clients.

Regards
Sven-Torben