5

I am new to Keycloak and I am trying to use it as an authentication server in my solution.

I have the following entity model: devices are owned by a particular company, to which some users belong. A user with the admin role can grant a regular user permission to view some set of devices, but only devices that belong to the admin's company. Thus all users except admins can view only a subset of all the devices in the company. Based on these requirements, I decided to model companies as groups and devices as Keycloak resources. To evaluate permissions, I chose a rule-based policy.

The question is: can I set a group as the owner of a resource, in order to check this relation in a policy?

If someone is more experienced in Keycloak and knows how to better represent such a model, please help.

Thank you in advance.

cdan
Kirill Liubun
  • Such a shame this question never received an answer! Did you find a good way to model it in the end? – Stijn de Witt Jul 19 '17 at 15:46
  • Yes, it is indeed a shame) I wrote it in a rush, not even rereading what I asked. Kinda: a Keycloak developer told me that I can't set a group as the owner of a resource in the current version. So, to represent this relation, I decided to create a special mapping service that is registered in Keycloak as a resource server. I read on the Keycloak forum that people ran into the same problem and, as a solution, created a separate server for storing relationships. – Kirill Liubun Jul 19 '17 at 16:07
  • Do you have maybe some pointer to where this is described / discussed? – Stijn de Witt Jul 19 '17 at 16:08
  • Yes, about mapping -- http://lists.jboss.org/pipermail/keycloak-user/2016-July/007070.html and resource owner -- http://lists.jboss.org/pipermail/keycloak-user/2017-June/011095.html – Kirill Liubun Jul 19 '17 at 16:16
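The comments above settle the original question (a Keycloak resource owner cannot be a group) and point at the workaround the asker chose: a separate relationship ("mapping") service registered in Keycloak as a resource server. The following is an added illustration of what that service's decision logic looks like; it is not code from the original post or from Keycloak. It assumes the caller has already validated a Keycloak access token and passes in its claims (`preferred_username`, `realm_access.roles`, and a `groups` claim produced by a Group Membership mapper); the group paths `/acme` and `/globex`, the role name `admin` and the device ids are constructed sample data.

```python
"""Relationship store standing in for the 'mapping service' described above.
Added example, not Keycloak code. It enforces the two rules in the question:
  1. only an admin may grant view access, and only for devices of a company
     (Keycloak group) the admin belongs to;
  2. admins see every device of their own company, regular users see only
     devices explicitly granted to them.
"""
from __future__ import annotations

from dataclasses import dataclass

ADMIN_ROLE = "admin"  # assumed realm role name


@dataclass(frozen=True)
class Identity:
    username: str
    groups: frozenset[str]  # Keycloak group paths, e.g. {"/acme"}
    roles: frozenset[str]   # realm roles from realm_access.roles

    @classmethod
    def from_token_claims(cls, claims: dict) -> Identity:
        """Build from the already verified payload of a Keycloak access token.
        'groups' only exists if a Group Membership mapper is configured."""
        return cls(
            username=claims["preferred_username"],
            groups=frozenset(claims.get("groups", [])),
            roles=frozenset(claims.get("realm_access", {}).get("roles", [])),
        )

    @property
    def is_admin(self) -> bool:
        return ADMIN_ROLE in self.roles


class RelationshipStore:
    """Holds device -> company ownership and per-user view grants."""

    def __init__(self) -> None:
        self._device_company: dict[str, str] = {}  # device id -> group path
        self._grants: dict[str, set[str]] = {}     # username -> device ids

    def register_device(self, device_id: str, company_group: str) -> None:
        self._device_company[device_id] = company_group

    def company_of(self, device_id: str) -> str:
        try:
            return self._device_company[device_id]
        except KeyError:
            raise LookupError(f"unknown device {device_id!r}") from None

    def grant_view(self, admin: Identity, grantee: str, device_id: str) -> None:
        """Rule 1. A cross-company grant is refused loudly, not ignored."""
        if not admin.is_admin:
            raise PermissionError(f"{admin.username} is not an admin")
        if self.company_of(device_id) not in admin.groups:
            raise PermissionError(f"{admin.username} may not grant devices of another company")
        self._grants.setdefault(grantee, set()).add(device_id)

    def can_view(self, user: Identity, device_id: str) -> bool:
        """Rule 2. A grant is also void if the user is not (or no longer)
        in the company that owns the device."""
        company = self.company_of(device_id)
        if user.is_admin:
            return company in user.groups
        return device_id in self._grants.get(user.username, set()) and company in user.groups


def demo() -> dict[str, bool]:
    """Constructed sample scenario; every returned decision should be True."""
    store = RelationshipStore()
    store.register_device("dev-1", "/acme")
    store.register_device("dev-2", "/acme")
    store.register_device("dev-9", "/globex")

    alice = Identity("alice", frozenset({"/acme"}), frozenset({"admin"}))  # acme admin
    bob = Identity("bob", frozenset({"/acme"}), frozenset({"user"}))       # acme regular user
    store.grant_view(alice, "bob", "dev-1")

    refused = False
    try:
        store.grant_view(alice, "bob", "dev-9")  # globex device: must be refused
    except PermissionError:
        refused = True

    return {
        "admin_sees_own_company": store.can_view(alice, "dev-2"),
        "admin_blocked_from_other_company": not store.can_view(alice, "dev-9"),
        "user_sees_granted": store.can_view(bob, "dev-1"),
        "user_blocked_ungranted": not store.can_view(bob, "dev-2"),
        "cross_company_grant_refused": refused,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In a real deployment this store would sit behind the resource server's endpoints and the token would be verified (signature, issuer, audience, expiry) before `Identity.from_token_claims` is called; the store only answers the relationship question that Keycloak's single-user `owner` field cannot express.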

2 Answers

0
  • While working with Keycloak, I didn't find any way to set multiple owners for a particular resource.
  • I have an alternative option to give the access permission that owners have for their resources.
  • Let's say the owner of Resource A is OWNER A, and there are two more users, USER A and USER B. Suppose OWNER A has already shared the access permission with USER A, and USER A wants to share Resource A with USER B on behalf of the resource owner. How can USER A share the resource scopes with USER B?

Answer

  • Keycloak provides a token exchange, or impersonation, feature. With the help of this, USER A is able to share the resources with USER B on behalf of OWNER A (the owner of Resource A).
  • Reference: you just need to follow this: Keycloak Impersonation

Add comments if you still face the problem.

Akshay Jain
-1

In Keycloak, you may represent a particular company (or any organization or organizational unit) as a realm: https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms Create a new realm: https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm

Then represent the company's users as users in the company's Keycloak realm https://www.keycloak.org/docs/latest/server_admin/index.html#user-management

... and devices as Keycloak Clients (any kind of resource you want to enforce permissions on is a Client in the Keycloak model): https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms

An admin role is already defined by default for each role (Roles menu).

Instructions tested on Keycloak 4.0.0.

For each device, create the corresponding Client in Keycloak (Clients menu). Switch on Permissions Enabled on the Permissions tab of the new client. A list of admin console permissions will appear just below the switch button, such as the view permission.

Then, in order to assign the permission to view the device to some user, the admin should click on the view permission (link) just mentioned, create a User Policy (Create Policy... listbox) and select the users (assignees) in the Users field.

In order to assign the permission on multiple devices to the same group of people, use a Group or Role Policy instead (put the users in the same group beforehand).

In order to assign the permission to groups of devices, use one Group/Role per group of device, then assign users to the Group/Role.

cdan
  • One should stop reading this answer as soon as "Company = Keycloak realm", as this is completely flawed. – Angelos Pikoulas Feb 06 '19 at 15:41
  • Please help improve/fix if you know better. Could you elaborate on what's wrong for instance? – cdan Feb 09 '19 at 14:02
  • According to Docs, _A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control._ – Angelos Pikoulas Feb 10 '19 at 15:47
  • In other words, a realm per company makes no sense, because you're creating isolated worlds (i.e. realms) that can't share any info... not useful for any app! A SUPER_INTERNAL_ADMIN of one realm won't even be able to see any data for another company. Also, devices as Keycloak Clients makes little sense. A client is a service, an API, an API client of your auth system, not an entity of your business model! You can have Company as an entity in Keycloak (e.g. with a 1:M relation to User) and as a Group in Keycloak - you'll need a federation plugin with your business rules for this. – Angelos Pikoulas Feb 10 '19 at 15:56
  • Using the same realm definition from the doc, but with a different interpretation: it makes great sense for client companies actually, since we could say *a company manages a set of users, credentials, roles, groups* (among other things); *a user belongs to a company*; and *companies are isolated from one another*, at least by default in the real world, and they should be in the digital world because they need to protect their assets from each other and keep control of their data. So most companies require that isolation, and legal officers, security officers, risk managers, etc. see to that. – cdan Feb 17 '19 at 17:01
  • ... Yet this isn't 100% isolation obviously, but some **level of isolation**; as companies may open up doors to other organizations (e.g. partners or customers), but **within formally agreed scope**: contracts, terms, policy, etc. We can have multiple tenants - e.g. client companies - isolated from each other on the same Keycloak instance - *multi-tenancy* - and [Keycloak realms are designed for that](https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy) like in [other IAM solutions](https://docs.oracle.com/cd/B14099_19/idmanage.1012/b14082/oracle_and_oid.htm#i410605). – cdan Feb 17 '19 at 17:01
  • ... (Some companies may actually need multiple realms as tenants, e.g. for US and EU branches.) So I only suggested **a more defensive model regarding companies' isolation and data control**, while satisfying the OP's requirements. There I don't see the one you mention: *A SUPER_INTERNAL_ADMIN of one realm won't even be able to see any data for another company.* The OP only mentions access within the same company. Letting a client company's admin access another client company's data could be considered a data security breach (cf. the isolation issue) if not formally authorized. – cdan Feb 17 '19 at 17:01
  • ... Now let's say your app provides IAM as a service (IDaaS) based on Keycloak. You (as the service provider) own the Master realm, so technically you can do and access any info in all your client companies' realms. You just tell them in a formal document (terms, privacy policy, etc.) what you may do with their data. If you don't own the Master realm, you can use OpenID Connect/SAML federation mechanisms, or shared [user storage](https://www.keycloak.org/docs/latest/server_admin/index.html#_user-storage-federation) to access other companies' data (with their approval). – cdan Feb 17 '19 at 17:02
  • ... Finally, regarding devices as clients, Keycloak's definition is broader (quoted from same doc as realms): "***Clients are entities that can request Keycloak to authenticate a user. [...] Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Keycloak.***" So devices may be Keycloak clients, esp. OIDC/OAuth clients. Btw there's an IETF draft [OAuth device flow](https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/) from Google/Microsoft/Ping/ARM on that. – cdan Feb 17 '19 at 17:02
  • ... Google supports it for instance, but Keycloak does not as of now, so you're left with [Service Accounts](https://www.keycloak.org/docs/latest/server_admin/#_service_accounts), possibly combined with [OIDC Dynamic Client Registration](https://www.keycloak.org/docs/latest/securing_apps/#openid-connect-dynamic-client-registration) if there are *many* devices. – cdan Feb 17 '19 at 17:02