How is authorization supposed to work?

After using other IAM solutions, I’m trying to figure out how authorization is supposed to work with Keycloak.

In a testing environment, I’ve connected an Apache application with mod_auth_openidc, and the authentication works great.

Now I have 2 users, and I modified the client in the Keycloak console in order to set up authorization: I set a User-type policy to replace the default policy, in order to authorize only user1. But user2 can still log into the application, when I expect access to be denied.

After reading some posts in the forum, duplicating the browser flow can be a solution to this issue. But it doesn’t look like a good approach for a huge company with a lot of clients (or am I wrong?)

Why don’t the authorization rules of the client work? Why can user2 still reach the application? Can you tell me how I am supposed to use the Authorization configuration in the client properly?

In other IAM solutions, I set access control based on groups, for example URI /admin to the admin group, URI /user to the users group, … Is there an easy way to set up this kind of configuration in Keycloak?

Thanks for your advice!

First of all, you have to ask yourself which standard you want to use for authorization and also have a clear picture of your authorization architecture, identifying who acts as the PDP, PEP, PIP, etc. [1]. Another point is to try not to mix the concepts of authentication and authorization.

Here are some options to start reading about authorization scenarios:

  • Keycloak acting as the authorization server with one of the authorization models such as RBAC, GBAC, ABAC, etc., following the UMA standard [2]. Good luck with UMA complexity …
  • Just using OAuth 2.0. Therefore, your APIs will act as an OAuth Resource Server [3], and you can apply your authorization rules based on scopes or identity claims [4], generally using some authorization model.
  • Additionally, there are other options that vary depending on the specific use case, incorporating different standards, authorization architectures, authorization models, etc.

[1] Authorization Services Guide
[2] Authorization Services Guide
[3] RFC 6749 - The OAuth 2.0 Authorization Framework
[4] GitHub - embesozzi/oauth-demoapi-jwt-rbac-spring: API protection based identity claims

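As an added example (not code from either post), here is the reply's second option, an OAuth resource server that decides on identity claims, applied to the /admin and /user scenario from the question. It assumes the token's signature has already been verified upstream (by mod_auth_openidc or a JWT library), that group membership is mapped into a `groups` claim as group paths, and that realm roles arrive in Keycloak's `realm_access.roles`; the issuer, audience, group names and rule table are placeholders chosen for the example.

```python
import time

# URI prefix -> groups or realm roles allowed to reach it (hypothetical
# values for the example). Any path without a rule is denied: default-deny.
ACCESS_RULES = [
    ("/admin", {"groups": {"/admins"}, "roles": set()}),
    ("/user", {"groups": {"/users", "/admins"}, "roles": set()}),
    ("/reports", {"groups": set(), "roles": {"report-viewer"}}),
]

EXPECTED_ISSUER = "https://sso.example.com/realms/demo"  # placeholder realm URL
EXPECTED_AUDIENCE = "apache-app"  # placeholder client id (needs an audience mapper)


def token_is_acceptable(claims, now=None):
    """PEP-side sanity checks before trusting the identity: issuer, audience,
    expiry. Signature verification is assumed to have happened upstream."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if EXPECTED_AUDIENCE not in aud:
        return False
    return claims.get("exp", 0) > now


def decide(claims, path, now=None):
    """PDP: True only if the token is acceptable AND the first matching rule
    for the path is satisfied by the caller's groups or realm roles."""
    if not token_is_acceptable(claims, now):
        return False
    groups = set(claims.get("groups", []))
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for prefix, rule in ACCESS_RULES:
        # Match the prefix as a whole path segment so /admin != /administrator.
        if path == prefix or path.startswith(prefix + "/"):
            return bool(groups & rule["groups"]) or bool(roles & rule["roles"])
    return False


# Constructed sample claims: user1 is in the admins group, user2 in users only.
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic
USER1 = {"iss": EXPECTED_ISSUER, "aud": ["apache-app"], "exp": NOW + 300,
         "preferred_username": "user1", "groups": ["/admins"],
         "realm_access": {"roles": ["default-roles-demo"]}}
USER2 = {"iss": EXPECTED_ISSUER, "aud": ["apache-app"], "exp": NOW + 300,
         "preferred_username": "user2", "groups": ["/users"],
         "realm_access": {"roles": ["default-roles-demo"]}}

if __name__ == "__main__":
    for user in (USER1, USER2):
        for path in ("/admin", "/user/profile", "/reports"):
            print(user["preferred_username"], path, "allow" if decide(user, path, NOW) else "deny")
```

Note that this decision runs in the application (the resource server), which is why a client-level policy in the Keycloak console alone does not stop user2 from logging in: authentication succeeded, and nothing yet enforced authorization.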