Documentation is unclear. Policy Enforcer #9612
https://www.keycloak.org/docs/latest/authorization_services/#_enforcer_overview This part is unclear to me. I'm using dot net core and can't understand what keycloak.json is. I have no object model for keycloak, so I can't pass it anywhere. Is there a way to configure resource security through the web UI or via the REST API? By resource security I mean I want to be able to limit specific users from accessing specific URLs with specific HTTP methods, like it works in Casbin. For example, to allow this:
PS: and of course I should be able to change this list over time, while users are changing the access lists of their classes.
Replies: 7 comments 5 replies
@VerdonTrigance The keycloak.json is the configuration file used by the Keycloak adapters. Unfortunately, we don't have any official adapter for dot net and that is why I think it is confusing for you. In order to use authorization services in your dot net application, you would need to implement your own PEP and implement the necessary logic to introspect tokens and invoke our APIs to make access decisions.
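An added sketch of the decision half of such a PEP (not code from this thread or from the Keycloak project), written in Python for brevity: it asks the realm's token endpoint for a yes/no answer using the UMA ticket grant with `response_mode=decision`, and denies on anything other than an explicit grant. The route table, the resource names, the convention that scopes are named after HTTP methods, and the injected `send` transport are all assumptions.

```python
import json
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Constructed route table (assumption): path prefix -> resource name in Keycloak.
ROUTES = [("/api/classes/", "class-resource"), ("/api/reports/", "report-resource")]


def resolve_permission(method, path):
    """Map an incoming request to 'resource#scope', or None if unmapped."""
    # Longest prefix wins so that more specific routes shadow general ones.
    for prefix, resource in sorted(ROUTES, key=lambda r: -len(r[0])):
        if path.startswith(prefix):
            return f"{resource}#{method.upper()}"
    return None


def build_decision_request(base_url, realm, client_id, access_token, permission):
    """Build the token-endpoint call that asks Keycloak for a yes/no decision."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": UMA_GRANT, "audience": client_id,
                      "permission": permission, "response_mode": "decision"})
    return url, headers, body


def interpret_decision(status, text):
    """Fail closed: only HTTP 200 with {"result": true} grants access."""
    if status != 200:
        return False
    try:
        return json.loads(text).get("result") is True
    except (ValueError, AttributeError):
        return False


def enforce(method, path, access_token, send, base_url, realm, client_id):
    """PEP entry point; send(url, headers, body) -> (status, text) is the HTTP transport."""
    permission = resolve_permission(method, path)
    if permission is None:
        return False  # unmapped paths are denied, not passed through
    request = build_decision_request(base_url, realm, client_id, access_token, permission)
    status, text = send(*request)
    return interpret_decision(status, text)
```

Because access lists change over time, the decision is requested per call here; any caching of results would need an expiry short enough to honour revocations.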
@pedroigor Thank you for the reply. Could you point me to the REST API documentation of the authz services referenced here https://www.keycloak.org/docs/latest/authorization_services/#_service_overview? I only found this https://www.keycloak.org/docs-api/15.0/rest-api/index.html but it's not about authorization.
I started a topic here: https://stackoverflow.com/questions/71145631/keycloak-uma-authorization-rest-api-requires-to-send-thousands-requests
@VerdonTrigance take a look at this example (Angular SPA and DotNetCore Backend API that uses Authorization Services). There is also a comprehensive presentation available here: https://www.youtube.com/watch?v=kLwjIqNg0Mc
@thomasdarimont thx, but this is not the case. If you read carefully, I don't use RBAC, but UMA with wildcard URIs. In my post I already described how to get a decision for non-wildcard resources.
Now I need to call https://host1/auth/admin/realms/realm1/clients/client1/authz/resource-server/resource under client id and secret. Is it possible, or should I use an admin account only?
@VerdonTrigance That endpoint is within the scope of the Admin API. You can use it if you want a deep integration with the server. Another option is to use the Protection Endpoint and manage user resources from there.