Spring Boot 2 and Keycloak Authorization: implementing a simple REST API
I'm using Spring Boot 2 and Keycloak (keycloak-spring-boot-starter) to implement a REST API. However, I just can't get it right.
My API resources look like this:
POST /api/a to create a, if granted a:write
GET /api/a to read all granted with a:read
GET /api/a/{name} to read a single a (if granted with a:read)
POST /api/a/{name}/b to create b under a, if granted b:write
and so on...
Every API resource should also get a ResourceRepresentation in Keycloak, as the requirement is to give read access on a per-resource basis to users. I am planning on using groups for this and assigning users to groups that match the name of the resource (e.g. the resource name will be /a1/b1, which will also be a group to which I assign users with read access).
Write permissions will only be granted to admins, who will be in a group assigned with a role accordingly.
I've been trying all week, with no success. Both my API implementation and Keycloak configuration look like a battlefield. The example on GitHub is way too simplistic, as it doesn't show nested resources or the correlation between HTTP methods and scopes.
How would you structure
- Your Keycloak server (i.e. the client config: resources (including URIs), scopes, policies, permissions; as well as groups and roles)?
- Your Spring Boot 2 application.properties (to work with Keycloak Authz)?
- Is the following statement true: if I get my API set up right (mapping paths and methods to scopes), I can completely control access to my resources via Keycloak users, groups, roles, policies and permissions?
- Can the policy-enforcer-config be mixed? Meaning one part from the application.properties, the other from the Keycloak server? Will it merge all possible paths? How will paths be resolved?
spring-boot authorization keycloak
asked Nov 15 '18 at 18:44
Hash Banana
105
How do you add scopes with resources on the application side? Like I have read and write scopes for resourcea.
– Sriram Gunaseelan
Jan 11 at 10:53
How do you configure the resources with scopes in the controller?
– Siva Thangaraj
Jan 11 at 10:55
2 Answers
Conceptually, I had to make a distinction between single resources and list resources:
/buildings/building-1 associated with scopes building:read, building:write, roomS:read, roomS:write
/buildings/building-1/rooms requires the roomS:read or roomS:write respectively
/buildings/building-1/rooms/room-1 associated with scopes room:read, room:write
Note the plural in the scopes for the /rooms resource.
Also, mixed policy-enforcer-config between application.properties and the Keycloak server works: endpoints are mapped to scopes in application.properties and concrete resource paths are managed by the Keycloak server.
Hope this helps someone else!
answered Nov 18 '18 at 10:40
Hash Banana
105
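As an added example (not code from the answer above or from the Keycloak project), here is an application.properties that implements the single-vs-list scope split the answer describes for the building/rooms model, mapping each HTTP method to a scope while leaving the concrete resource URIs to the Keycloak server. Realm, auth-server URL, client id and secret are placeholders; the scope names follow the answer, and the `{building}`/`{room}` path templates are assumed to match the URIs registered on the server.

```properties
# Added example, not from the original answer. Realm, URL, client and secret are placeholders.
keycloak.realm=example-realm
keycloak.auth-server-url=https://keycloak.example.test/auth
keycloak.resource=buildings-api
keycloak.credentials.secret=<client-secret-placeholder>
keycloak.bearer-only=true

# ENFORCING denies any request whose path has no matching permission, so an
# endpoint that was forgotten here fails closed instead of open.
keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
keycloak.policy-enforcer-config.lazy-load-paths=true

# Single building: the building resource in Keycloak carries building:* and rooms:* scopes.
keycloak.policy-enforcer-config.paths[0].path=/buildings/{building}
keycloak.policy-enforcer-config.paths[0].methods[0].method=GET
keycloak.policy-enforcer-config.paths[0].methods[0].scopes=building:read
keycloak.policy-enforcer-config.paths[0].methods[1].method=PUT
keycloak.policy-enforcer-config.paths[0].methods[1].scopes=building:write

# Room list under a building: plural scopes, evaluated against the building resource.
keycloak.policy-enforcer-config.paths[1].path=/buildings/{building}/rooms
keycloak.policy-enforcer-config.paths[1].methods[0].method=GET
keycloak.policy-enforcer-config.paths[1].methods[0].scopes=rooms:read
keycloak.policy-enforcer-config.paths[1].methods[1].method=POST
keycloak.policy-enforcer-config.paths[1].methods[1].scopes=rooms:write

# Single room: singular scopes, evaluated against the room resource.
keycloak.policy-enforcer-config.paths[2].path=/buildings/{building}/rooms/{room}
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes=room:read
keycloak.policy-enforcer-config.paths[2].methods[1].method=PUT
keycloak.policy-enforcer-config.paths[2].methods[1].scopes=room:write
```

Because no `name` is set on the path entries, the enforcer looks up the resource by its URI on the Keycloak server for each request, which is the mixed setup the answer describes; a request to a path with no matching resource or scope is rejected under ENFORCING mode.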
Here is the configuration to enforce the scope-based permission:
keycloak.policy-enforcer-config.paths[1].path=/api/resourcea
keycloak.policy-enforcer-config.paths[1].scopes=profile:view,album:delete
answered Feb 22 at 18:54
Debiprasanna Mallia
61