Check authorization from trusted client, without user token

I have a trusted client that should be able to execute something like is_authorized(user_id, scopes, resource_id) and return a boolean for whether the user is authorized to perform the operation in the realm, while letting Keycloak do the heavy lifting.

However, it seems authorization checks are only supported with a valid user token, e.g. something like is_authorized(user_token, scopes, resource_id). This requires access to user credentials, or impersonation.

Is there any way to query Keycloak authorization on a trusted client without bricking the whole security model with impersonation? I am surprised that it is so hard to figure out how to do this; trusted clients can easily create users, resources, scopes, and policies, but can’t get a yes/no answer on authorization decisions?

After some RE’ing of the admin GUI I found the undocumented admin endpoint:

POST /admin/realms/{realm_name}/clients/{client_id}/authz/resource-server/policy/evaluate

which essentially accepts a user_id and resource-scope list, and returns a lot of useful information about the authorization process and result. It’s a bit heavy but it gets the job done for now.
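As an added illustration of the approach described in this post (example code written here, not code from the post's author or from the Keycloak project), the following wraps the evaluate endpoint into the is_authorized(user_id, scopes, resource) call the post asks for. The request and response field names (userId, clientId, resources, context.attributes, status, results[].allowedScopes) are what the admin console sends and receives as far as I know, and are an assumption to check against your Keycloak version; the base URL, realm, client UUID and the stub transport are placeholders constructed for the example.

```python
import json
import urllib.request

# Assumed deployment values (placeholders, not from the post).
KEYCLOAK_BASE = "https://keycloak.example.invalid"
REALM = "myrealm"
# The path takes the client's internal id (UUID), not its clientId string (placeholder value).
CLIENT_UUID = "00000000-0000-0000-0000-000000000000"

EVALUATE_PATH = "/admin/realms/{realm}/clients/{client_uuid}/authz/resource-server/policy/evaluate"


def build_evaluate_request(user_id, resource_name, scopes, client_uuid=CLIENT_UUID, attributes=None):
    """Body for the evaluate endpoint.

    Field names follow Keycloak's PolicyEvaluationRequest representation as the
    admin console uses it (assumption): userId, clientId (internal client id),
    roleIds, entitlements, context.attributes and a resources list.
    """
    return {
        "userId": user_id,
        "clientId": client_uuid,
        "roleIds": [],
        "entitlements": False,
        "context": {"attributes": dict(attributes or {})},
        "resources": [
            {"name": resource_name, "scopes": [{"name": s} for s in scopes]}
        ],
    }


def decision_from_response(response, scopes):
    """Collapse the verbose evaluation result to one boolean.

    Fail closed: anything other than an overall PERMIT, or a PERMIT that does
    not cover every requested scope, counts as DENY.
    """
    if response.get("status") != "PERMIT":
        return False
    allowed = set()
    for result in response.get("results", []):
        if result.get("status") != "PERMIT":
            continue
        for scope in result.get("allowedScopes", []):
            allowed.add(scope.get("name"))
    return set(scopes) <= allowed


def _post_json(url, body, bearer_token):
    """Real HTTP transport; replaced by a stub when running offline."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def is_authorized(user_id, resource_name, scopes, bearer_token, post=_post_json):
    """Ask Keycloak whether user_id may perform `scopes` on `resource_name`.

    bearer_token belongs to the trusted client's service account, which needs
    the realm-management role the authz admin API requires (which role is an
    assumption to verify in your deployment); no user token is involved.
    """
    url = KEYCLOAK_BASE + EVALUATE_PATH.format(realm=REALM, client_uuid=CLIENT_UUID)
    body = build_evaluate_request(user_id, resource_name, scopes)
    try:
        response = post(url, body, bearer_token)
    except Exception:
        # Transport or HTTP failure: deny rather than grant by accident.
        return False
    return decision_from_response(response, scopes)


# Constructed sample responses in the shape the admin console receives (assumption).
SAMPLE_PERMIT = {
    "status": "PERMIT",
    "results": [{
        "resource": {"name": "invoice-42"},
        "status": "PERMIT",
        "allowedScopes": [{"name": "invoice:read"}, {"name": "invoice:update"}],
        "policies": [],
    }],
}
SAMPLE_DENY = {
    "status": "DENY",
    "results": [{"resource": {"name": "invoice-42"}, "status": "DENY", "allowedScopes": []}],
}


def stub_post(url, body, bearer_token):
    """Offline stand-in for _post_json: permits only the constructed alice/invoice-42 case."""
    if body["userId"] == "alice" and body["resources"][0]["name"] == "invoice-42":
        return SAMPLE_PERMIT
    return SAMPLE_DENY


if __name__ == "__main__":
    print(is_authorized("alice", "invoice-42", ["invoice:read"], "dummy-token", post=stub_post))  # True
    print(is_authorized("bob", "invoice-42", ["invoice:read"], "dummy-token", post=stub_post))    # False
```

Two points worth keeping in mind when wiring this in for real: the bearer token is an admin-API token, so give the trusted client a dedicated service account with only the realm-management role the evaluate call needs rather than a full realm admin, and treat any non-PERMIT or malformed response as a denial, as decision_from_response does, since the endpoint returns far more than a yes/no and a lenient parser can silently turn a DENY into an allow.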