Can we include external check in authorization flow?

Hello,

I wanted to know if it would be possible to call an external API and evaluate its answers as part of the authorization flow.

This external API would provide some additional context that I want to use to grant or not the access (I guess this is Context Based Access Control).

Is this achievable ? What would I have to use or add to make it work ?

Thank you in advance for your answers ! :smiley:

You could look into an API gateway or write a custom filter in your own API that evaluates the additional security checks you need.

Thank you for your answer @zonaut. Unfortunately, I do not understand what you mean…

To be clear:

My comprehension is that KC allows to have centralized policies that can be applied for different services.
Policies can be role based, attribute based or time based.

What if I want to create a policy which rely on an external check ?

In my context, an API is returning me few user attributes, and I want to take the authorization decision based on the state of those attributes. Is there a way to call the API from within a policy ?
Maybe I understood keycloak authorization wrongly…

Hey IAM,

this is possible. You need to extend EventListenerProvider: https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/events/EventListenerProvider.java

and create your own keycloak module. You can capture events such as LOGIN or TOKEN_EXCHANGE, here is the full list: https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/events/EventType.java

checkout my blog post here for an example (it uses the REGISTER event, but you can use any event that you want): http://www.zakariaamine.com/2019-06-14/extending-keycloak

2 Likes