Keycloak Authorization Service RBAC

Harsh Manvar
Mar 18, 2021


Keycloak is an open-source Identity and Access Management (IAM) solution. It provides out-of-the-box authentication and authorization services and features such as User Federation, Social Login, and Identity Brokering.

Keycloak also provides fine-grained authorization services. This lets organizations manage permissions for all their services from the Keycloak admin console and define exactly the policies they need.

  • Inside Keycloak, you can set two types of permissions: resource-based and scope-based.
  • Resource-based permissions apply directly to resources.
  • Scope-based permissions apply to one or more scopes, or to scopes combined with resources.

Some Keycloak terms used below:

  • Resource: the object that users access or perform actions on
  • Authorization scopes: the actions that users can perform on a specific object
  • Policies: the conditions that protect a resource, expressed with fine-grained authorization policies and different access control mechanisms (for example, roles)
  • Permission: where the actual mapping between resources, scopes, and policies happens

If you don’t want to follow the manual steps, you can import this JSON and all the users, resources, and permissions will be set up automatically by Keycloak.

JSON configuration file

Now let’s look at a scenario where we have a few resources:

  1. Account
  2. Bot
  3. Report

We want to implement a setup where only specific users can perform specific actions.

Setting up the Keycloak

Create a new realm

  1. Click on the Add Realm button.
  2. Enter test-v1 as the name.
  3. Click on Create.

Create new roles

  1. Click on Roles.
  2. Click on Add Role.
  3. Create the roles “admin”, “agent” & “super_admin”.

Create a client

  • Click on the Clients tab
  • Enter app-client in the Client ID textbox
  • Click on Save
  • Select the client again to configure the other settings
  • Verify that the Client Protocol is openid-connect
  • Set Access Type to confidential
  • Set Authorization Enabled to On
  • Click on the Save button
  • A new Authorization tab will appear at the top
  • Open the Authorization tab and then Settings

Check that the Decision Strategy is set to Unanimous. This is the resource server’s decision strategy.

Create Custom Auth Scopes

Go to the Authorization tab, select Authorization Scopes, click on Create, enter the scopes scopes:create & scopes:view, and save each value.

Create Resource

  • Now go to the Resources tab and click on Create
  • Enter and create the following resources one by one: res:account, res:bot & res:report
  • For every resource, in the Scopes box select both scopes created earlier, scopes:create & scopes:view
  • Click Save

Create policies

  • Again inside the Authorization tab, select Policies
  • Click on the Create Policy dropdown and select Role
  • In the Name textbox, enter Admin
  • In Realm Roles, select the role Admin
  • Check that Logic is set to Positive
  • Click Save, then do the same for “Agent” & “Super_admin”
  • Again inside the Authorization tab, select Policies
  • Click on the Create Policy dropdown and select Aggregated
  • In the Name textbox, enter Admin or Super_admin or Agent
  • In Realm Roles, select Admin & Super_admin & Agent
  • Check that Logic is set to Affirmative
  • Click Save

Create permission

  • Again inside the Authorization tab, select Permissions
  • Click on the Create Permission dropdown and select Scope-Based
  • In the Name textbox, enter account-create
  • In the Resource box, select the resource res:account
  • In Scopes, select scopes:create
  • In Apply Policy, select Admin
  • Set up permissions the same way for all the other resources as per requirement

Create user

  • Inside the Users tab, create one test user. We will not assign any roles, scopes, or groups to it, so that we can pick the role at evaluation time.

Let’s Evaluate

  • Again inside the Authorization tab, select Evaluate
  • Select the client we created, app-client
  • In User, select the created user, test
  • In Roles, select admin
  • Resource value: res:account
  • Click on the Add button
  • Click on the Evaluate button

You will see that the result is PERMIT, because the Admin role is allowed to perform the create and view operations on the account resource.

Let’s Evaluate Again

  • Again inside the Authorization tab, select Evaluate
  • Select the client we created, app-client
  • In User, select the created user, test
  • In Roles, select admin
  • Resource value: res:report
  • Scopes value: scopes:create
  • Click on the Add button
  • Click on the Evaluate button

You will see that the result is DENY, because only the Super_admin role is allowed to perform the create operation on the report resource.
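To make the two Evaluate results above reproducible without a running server, here is an added example (not Keycloak code and not from the original post) that replays them offline. It embeds a constructed snippet shaped like a Keycloak authorization export, the same kind of JSON the post refers to, and applies Keycloak's documented decision rules in a simplified form: role policies with Positive logic, the aggregated policy with the Affirmative strategy, scope-based permissions, and a resource server with the Unanimous strategy. The export field names follow Keycloak's format, but the contents are this tutorial's realm; which policy guards the account-view permission is an assumption, since the post only states that Admin may create and view on res:account.

```python
import json

# Constructed authorization-settings snippet in the shape of a Keycloak export.
# Contents reproduce the tutorial's realm; account-view's policy is an assumption.
AUTHZ_EXPORT = json.dumps({
    "decisionStrategy": "UNANIMOUS",  # resource server strategy from the Settings tab
    "resources": [
        {"name": n, "scopes": [{"name": "scopes:create"}, {"name": "scopes:view"}]}
        for n in ("res:account", "res:bot", "res:report")
    ],
    "policies": [
        {"name": "Admin", "type": "role", "logic": "POSITIVE",
         "config": {"roles": json.dumps([{"id": "admin", "required": False}])}},
        {"name": "Agent", "type": "role", "logic": "POSITIVE",
         "config": {"roles": json.dumps([{"id": "agent", "required": False}])}},
        {"name": "Super_admin", "type": "role", "logic": "POSITIVE",
         "config": {"roles": json.dumps([{"id": "super_admin", "required": False}])}},
        {"name": "Admin or Super_admin or Agent", "type": "aggregate",
         "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE",
         "config": {"applyPolicies": json.dumps(["Admin", "Super_admin", "Agent"])}},
        # Permissions live in the same list in a Keycloak export, typed "scope"/"resource"
        {"name": "account-create", "type": "scope", "decisionStrategy": "UNANIMOUS",
         "config": {"resources": json.dumps(["res:account"]),
                    "scopes": json.dumps(["scopes:create"]),
                    "applyPolicies": json.dumps(["Admin"])}},
        {"name": "account-view", "type": "scope", "decisionStrategy": "UNANIMOUS",
         "config": {"resources": json.dumps(["res:account"]),
                    "scopes": json.dumps(["scopes:view"]),
                    "applyPolicies": json.dumps(["Admin or Super_admin or Agent"])}},
        {"name": "report-create", "type": "scope", "decisionStrategy": "UNANIMOUS",
         "config": {"resources": json.dumps(["res:report"]),
                    "scopes": json.dumps(["scopes:create"]),
                    "applyPolicies": json.dumps(["Super_admin"])}},
    ],
})

PERMISSION_TYPES = {"scope", "resource"}


def combine(votes, strategy):
    """Apply a Keycloak decision strategy to a list of boolean results."""
    if not votes:
        return False  # nothing covered the request, so nothing granted it
    if strategy == "UNANIMOUS":
        return all(votes)
    if strategy == "AFFIRMATIVE":
        return any(votes)
    if strategy == "CONSENSUS":
        return votes.count(True) > votes.count(False)
    raise ValueError(f"unknown decision strategy {strategy!r}")


def evaluate_policy(policy, policies, roles):
    """Evaluate one role or aggregated policy for a user holding realm `roles`."""
    if policy["type"] == "role":
        wanted = json.loads(policy["config"]["roles"])
        # Every role flagged "required" must be held, and at least one listed role must match
        required_ok = all(r["id"] in roles for r in wanted if r.get("required"))
        result = required_ok and any(r["id"] in roles for r in wanted)
    elif policy["type"] == "aggregate":
        children = json.loads(policy["config"]["applyPolicies"])
        votes = [evaluate_policy(policies[c], policies, roles) for c in children]
        result = combine(votes, policy.get("decisionStrategy", "UNANIMOUS"))
    else:
        raise ValueError(f"policy type {policy['type']!r} is not modelled here")
    # Negative logic inverts the policy's own outcome
    return result if policy.get("logic", "POSITIVE") == "POSITIVE" else not result


def evaluate(export_json, roles, resource, scopes=None):
    """Return "PERMIT" or "DENY" for `scopes` on `resource`, like the Evaluate tab.

    With no scope given, every scope of the resource is requested. A scope is
    granted when the permissions covering it, combined with the resource
    server's strategy, grant it; a scope that no permission covers is denied.
    """
    cfg = json.loads(export_json)
    roles = set(roles)
    resources = {r["name"]: [s["name"] for s in r["scopes"]] for r in cfg["resources"]}
    by_name = {p["name"]: p for p in cfg["policies"]}
    policies = {n: p for n, p in by_name.items() if p["type"] not in PERMISSION_TYPES}
    permissions = [p for p in by_name.values() if p["type"] in PERMISSION_TYPES]

    granted = {}
    for scope in scopes or resources[resource]:
        votes = []
        for perm in permissions:
            conf = perm["config"]
            perm_resources = json.loads(conf.get("resources", "[]"))
            perm_scopes = json.loads(conf.get("scopes", "[]"))
            if perm_resources and resource not in perm_resources:
                continue
            if perm["type"] == "scope" and scope not in perm_scopes:
                continue
            applied = [evaluate_policy(policies[n], policies, roles)
                       for n in json.loads(conf["applyPolicies"])]
            votes.append(combine(applied, perm.get("decisionStrategy", "UNANIMOUS")))
        granted[scope] = combine(votes, cfg["decisionStrategy"])
    return "PERMIT" if all(granted.values()) else "DENY"


if __name__ == "__main__":
    # The post's two Evaluate runs: user "test" evaluated with the admin role
    print(evaluate(AUTHZ_EXPORT, ["admin"], "res:account"))                   # PERMIT
    print(evaluate(AUTHZ_EXPORT, ["admin"], "res:report", ["scopes:create"]))  # DENY
```

Two things worth noticing when running it: a resource with no permission covering it (res:bot here) is denied for everyone, since an empty vote list never grants, and the Unanimous server strategy means a single denying permission on a requested scope is enough to deny the whole request. Keycloak's real engine has more policy types and features (negative logic on permissions, resource-type matching, JavaScript and time policies); this model only covers what the post configures.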


Harsh Manvar

Engineer @ Oracle | Docker Captain | CNCF Ambassador. Don’t hesitate to contact me on: https://www.linkedin.com/in/harsh-manvar-64a30aa3/