I have created different resources in my keycloak-client like
service/api/*, service/api/product
and there are three scopes: read, write and delete.
For the resources I have role-based access, which means a user with one role has access to all endpoints, and another role has read access to service/api/products.
Now, is there a way to evaluate if a user has access based on the URI and scope?
The URI will be any endpoint in the application, like
service/api/user
service/api/product
I can pass the bearer token of the user, the URI and the scope to Keycloak, and Keycloak should evaluate and confirm whether the user has access to the resource.
e.g. if I pass the URI service/api/user and the scope read, Keycloak should return success if the user has access to service/api/*, else failure.
Is there a way to achieve this in Keycloak?
The Keycloak Authorization Services could be your friend.
Hi @dasniko
I am testing it based on the documentation link you provided, but am facing an issue.
I have created two resources
scopes
Two policies
And two permissions
but when I call this API
curl --location 'http://localhost:7089/realms/erp/protocol/openid-connect/token' \
--header 'Authorization: Bearer <TOKEN>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=erp-client' \
--data-urlencode 'permission=/erp/api/rr#read' \
--data-urlencode 'permission_resource_matching_uri=true' \
--data-urlencode 'permission_resource_format=URI' \
--data-urlencode 'response_mode=permissions'
it's returning success
[
  {
    "scopes": [
      "read",
      "delete",
      "write"
    ],
    "rsid": "b1fffb3a-ec67-4f4b-b25e-06df42bb2c67",
    "rsname": "erp-api-customer-all"
  }
]
even though the user doesn't have access to that URI.
Even if I don't pass anything in permission,
this API is returning success if any permission is associated with the role of the user.
If I remove the permission associated with the role of the user (in my case cs_admin:erp-api-customer-all),
then it's returning
{
  "error": "access_denied",
  "error_description": "not_authorized"
}
Am I doing anything wrong here?
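A client-side check for the exchange above, added here as an example and not code from the thread or from Keycloak: it builds the same UMA-ticket request and treats an HTTP 200 as a grant only when a returned permission names the resource the URI is registered under and carries the requested scope, rather than accepting any non-empty permission list. The bearer token, the token endpoint and the expected resource name or id (rsname/rsid) are assumptions the caller supplies; the sample response is the one quoted in the post.

```python
import json
from urllib import error, parse, request

# Constructed sample: the "permissions" response quoted in the post above.
SAMPLE_PERMISSIONS = [{
    "scopes": ["read", "delete", "write"],
    "rsid": "b1fffb3a-ec67-4f4b-b25e-06df42bb2c67",
    "rsname": "erp-api-customer-all",
}]


def build_form(uri, scope, audience="erp-client"):
    """Form fields of the UMA-ticket request shown in the post."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": audience,
        "permission": f"{uri}#{scope}",
        "permission_resource_matching_uri": "true",
        "permission_resource_format": "URI",
        "response_mode": "permissions",
    }


def permission_covers(permissions, expected_resource, scope):
    """True only if a returned permission names the resource the URI is
    registered under (rsname or rsid) AND lists the requested scope.
    A 200 carrying some other permission is not a grant for this URI."""
    for perm in permissions:
        if expected_resource in (perm.get("rsname"), perm.get("rsid")):
            if scope in perm.get("scopes", []):
                return True
    return False


def evaluate(token_endpoint, bearer, uri, scope, expected_resource):
    """Call Keycloak, then apply the strict check. Returns (granted, permissions).
    expected_resource is assumed known to the caller; the thread shows no mapping."""
    req = request.Request(
        token_endpoint,
        data=parse.urlencode(build_form(uri, scope)).encode(),
        headers={"Authorization": f"Bearer {bearer}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with request.urlopen(req) as resp:
            permissions = json.load(resp)
    except error.HTTPError as exc:  # e.g. access_denied / not_authorized body
        body = json.loads(exc.read() or b"{}")
        if body.get("error") == "access_denied":
            return False, []
        raise
    return permission_covers(permissions, expected_resource, scope), permissions
```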
Sorry, I can't help you here. I'm not using the AuthZ services for a reason.
Is there an issue in using Authorization Services? Can you elaborate?