Keycloak as an Authorization Service

Hi,
I would like to use Keycloak as an Authorization black-box (PDP in ABAC terms) for authorization on API GW.

What I am looking for:

  • Keycloak has the rules
  • Authorized client passes request in structure subject-action-object
  • Keycloak responds yes/no

Note that “subject” can be offline user.

The question is: Is Keycloak suitable for such a task? How do I achieve this?

PS: While reading the documentation, I found that the requests are dependent on the OpenID user’s token. What I am looking for is some sort of LDAP uid to pass, like “xuser - view - address”.
In this scenario, authentication for end users will be done via different Access Manager.

I’m not a Keycloak expert, but this doc might help you: https://www.keycloak.org/docs/latest/authorization_services/index.html

Keycloak does have authorization features, and it looks like the “Protection API” might fit your use case?

Thank you, @bjmc. I learned something about OAuth 2.0 and OIDC. It looks like it solves access to user’s data.
What if I want to guard business data in general?

To reiterate my question:

  • Can I forge an authorization request for any user (not just the authenticated one)?

Based on documentation, the policies are evaluated by Policy Enforcer, and permissions are bound to bearer token.

What if I want to guard business data in general?

This is an extremely broad question. The only thing I can really say is that OAuth2/OIDC don’t have anything to do directly with securing data. It’s the responsibility of the application holding the data to store it securely and restrict access so that unauthorized parties cannot read it.

OAuth2 is an authorization protocol and OIDC is an authentication protocol. Together, they can be used by an application to help determine who is making a request and what the caller is allowed to do.

Trying to answer your second question, the assumption of OAuth2 is that a request is being made by a client authorized by an “access token” - the “scope” of that token can be used to determine what powers the token grants. If you control both the authorization server (that issues the tokens) and the resource server (that receives the tokens and enforces access) then you can issue tokens for any principal (i.e. user, system, etc) with any scopes you choose.

Be aware of the token generation. We didn’t find a way to generate a token externally to Keycloak. My understanding is that you have to create a token using Keycloak; Keycloak should be aware of the user (subject), so you probably need to integrate it with your user management. If Keycloak isn’t an authN, then to perform PDP on behalf of the user you need to obtain an access_token (from the service) (use “grant_type=urn:ietf:params:oauth:grant-type:token-exchange”) and then call /auth/realms/<my_realm>/protocol/openid-connect/token with “grant_type=urn:ietf:params:oauth:grant-type:uma-ticket” (look for it in the documentation to get more options).
You’ll need to think about whether or not you keep resource registration in Keycloak. One way is passing object info as part of the extra claims on each permission evaluation; then you can extract this info in your policies (rules) and perform the logic. But to me it looks more like a workaround and adds some extra work on your service, which has to retrieve the resource attributes prior to calling the PDP. Another drawback of this approach is that you can’t support “user can manage its own resources” (think of gDoc sharing use-cases). On the other hand, if you don’t need the resource duplication, try doing that.
Also, check OPA: if you can pass the triplet and are just interested in policy evaluation (stateless approach), OPA might satisfy your requirements.
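The two-step flow described in the reply above (token exchange on behalf of the subject, then a UMA ticket request in decision mode for a yes/no answer), as an added example that is not code from any poster. It assumes a confidential client named "apigw" with token exchange enabled, a realm "myrealm", and a resource "address" with scope "view" registered under the resource server "business-api"; the network call is isolated so the request builders and the decision logic can be checked without a server.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
UMA_TICKET = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url, realm):
    # Keycloak token endpoint, using the /auth prefix shown in the thread
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def token_exchange_form(client_id, client_secret, subject_token, requested_subject):
    # Step 1: the API gateway (hypothetical client "apigw") impersonates the
    # offline/LDAP subject so that Keycloak evaluates policies for that user
    return {"grant_type": TOKEN_EXCHANGE, "client_id": client_id,
            "client_secret": client_secret, "subject_token": subject_token,
            "requested_subject": requested_subject}


def uma_decision_form(audience, resource, scope):
    # Step 2: "subject - action - object" becomes permission=<resource>#<scope>;
    # response_mode=decision asks only for a yes/no instead of an RPT
    return {"grant_type": UMA_TICKET, "audience": audience,
            "permission": f"{resource}#{scope}", "response_mode": "decision"}


def post_form(url, form, bearer=None):
    # Plain form POST; a 4xx body is still JSON, so it is returned rather than raised
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def is_permitted(status, body):
    # Decision mode answers 200 {"result": true} when permitted; a denial
    # (403 with an "access_denied" error body) or any other reply counts as "no"
    return status == 200 and body.get("result") is True


def check(base_url, realm, client_id, client_secret, gw_token, user, audience, resource, scope):
    url = token_endpoint(base_url, realm)
    status, body = post_form(url, token_exchange_form(client_id, client_secret, gw_token, user))
    if status != 200 or "access_token" not in body:
        return False  # could not act on behalf of the subject: fail closed
    status, body = post_form(url, uma_decision_form(audience, resource, scope), bearer=body["access_token"])
    return is_permitted(status, body)
```

`check("https://sso.example.test", "myrealm", "apigw", "<secret>", gw_token, "xuser", "business-api", "address", "view")` answers the thread's “xuser - view - address” question with True or False.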

Thank you bjmc for your thoughts!
Thank you dginzbourg for technical insight!

We decided not to try to make a PDP out of Keycloak. After some evaluation, the limiting factor was the fact that Keycloak can only decide yes/no on a policy request, but further auditing of policies is something that had to be implemented.

So we switched to products that do “External Authorization Service” or “Dynamic Authorization Management”, like PlainID, NextLabs, Axiomatics (paid proprietary software). If you have a tip for open-source software that implements XACML or NGAC, I would be grateful.

Have a nice day, Petr