I have a considerable amount of protected resources owned by a resource server.
Users have access to these resources with different scopes.
I’m using the Java client for this.
I need to be able to find all the resources a user has access to, I’ve found a couple of ways to achieve this, but it is prohibitively slow and I’m wondering if there’s any other way to do it.
Here’s the ones I know about:
-
I can use the Java API to query RPTs issued for a user but this does not escalate well.
-
I can also make use of the authorisation API to request an RPT for a resource server and then use the token introspection API. This gets us a list of all the resources the user can access, but once again this is a very costly operation.
I was unable to find a reasonable way to leverage keycloak capabilities to list all the permissions a specific user has. UMA flow usually starts when a user wants to access a specific resource. Keycloak doesn’t seem to offer much support for the “get me all the resources I have access to” scenario, or at least I was unable to find it.
Any ideas on how I should approach this?
Thanks!
2 Likes
If you don’t have a lot of users and resources and if all of your resources have consistent resource types, you could use the Policy Evaluation endpoint, https://www.keycloak.org/docs/4.8/authorization_services/index.html#_policy_evaluation_api, with only specifying resource types. It’s not ideal but it would work.
Interestingly, the Policy Evaluation endpoint primes Keycloak’s internal permission evaluation cache. So, if you have a small number of unique users and resources and the permissions themselves don’t change frequently, there might be a way to prime the cache for all combinations of O(users * resources). Then the responses would be served up from cache. You still have the problem that the Policy Evaluation endpoint does not page the response but Keycloak would not have to evaluate every policy in real time.
Unfortunately, you’re in the same boat I am in that I have a lot of users and resources, the Policy Evaluation endpoint is dreadfully slow and the response is not paged. So you’d end up with large responses and long call times, without the ability to prime the cache.
I’m at a loss at how to do this as well. My best idea at this point is to see if I can write some logic in my app to deduce the resources by querying all permissions and figuring out which policies might pertain to the user and building a collection of resource IDs per user. Which defeats the separation of concerns between the resource server and authorization server and won’t work for some of the policy types like JavaScript, time-based or client policies. Then in my processing code, I’d call evaluate on the resource ID and keycloak user ID. I’m not optimistic that this is a good solution or will work either.
Hi Zambonilli,
I have similar use case where a user should only be able access his resource(say photos).
Example: http://localhost/user/photos/{photo-id}
Where both users and resources are dynamic and cannot be part of token. For this use case, I thought of using JS based policy, in which I can query my from own cache(redis) and check if incoming {photo-id} is contained in users photo list. Does it sound good ? Do you see any problem in this approach ?
That’s pretty much the approach we’re trying as well. We’re trying to create a PermissionManager class that encapsulates this awkwardness with Keycloak and maintains 2 sets in redis (userId->resourceId & resourceId->userId). We’re then making all permission reads/writes go through this class to keep redis and keycloak in sync. Finally, we have a true up job that reads in all policies and reverse engineers them into the sets in redis.
that this will work
1 Like
@Zambonilli does it work well? any takeaways?