Advantage of Keycloak Authorization Feature
Business Case
- The Account Deletion Operation should move from the admin role to the superadmin role
- We don't want to change the source code
In a standard Quarkus REST app we would need to change the @RolesAllowed("admin") annotation to @RolesAllowed("superadmin") in our Java app and redeploy the app:
    @DELETE
    @Path("/{id}")
    @RolesAllowed("admin")
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<JsonObject> deleteUserFromKeycloakRealm(...)
The problem with this approach is that we need to change our source code, which may not be possible at all. If we want to change this behaviour dynamically, we need to use the Keycloak Authorization feature: the role check moves out of the annotation and into a Keycloak permission that can be edited at runtime.
Disable the delete scope in the manage_account_perm permission
Remove the scopes:delete scope from the manage_account_perm permission
Validate change
$ ./quarkus_DELETE_deleteUser.sh testadmin 4238ac97-1dbc-4911-9623-13d83e4ddfa7
*** run as testadmin with secret: ..... and Keylcloak URL: http://localhost:8280
*** Trying to delete UserID 4238ac97-1dbc-4911-9623-13d83e4ddfa7 from Realm RBAC ..
*** Testing HTTP DELETE Request
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> DELETE /account/4238ac97-1dbc-4911-9623-13d83e4ddfa7 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.83.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJ...
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< content-length: 0
<
* Connection #0 to host localhost left intact
********************************************************
Without any change to our source code we have disabled the Account Deletion Operation in our Java app: the admin user now receives 403 Forbidden. This way we can easily control our app without touching the Java code.
Create new superadmin Account
Create new role rbac_superadmin_role
Create the superadmin account and assign it the superadmin role
Create the superadmin policy
Create the superadmin permission with the delete scope
Validate results
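The two configuration changes above (removing scopes:delete from manage_account_perm, then granting it through a new superadmin policy and permission) can also be expressed as the client's authorizationSettings in a Keycloak realm export. The following is an added example and not the post's own export: the resource name "account", the "scopes:read" scope, the role "rbac_admin_role", and the policy/permission names "rbac_admin_policy", "superadmin_policy" and "superadmin_delete_perm" are assumptions chosen to match the walkthrough; "manage_account_perm", "scopes:delete" and "rbac_superadmin_role" are the names used on this page. Role policies reference realm roles by name here, which Keycloak resolves on import.

```json
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "decisionStrategy": "UNANIMOUS",
  "scopes": [
    { "name": "scopes:read" },
    { "name": "scopes:delete" }
  ],
  "resources": [
    {
      "name": "account",
      "uris": [ "/account/*" ],
      "scopes": [ { "name": "scopes:read" }, { "name": "scopes:delete" } ]
    }
  ],
  "policies": [
    {
      "name": "rbac_admin_policy",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": { "roles": "[{\"id\":\"rbac_admin_role\",\"required\":true}]" }
    },
    {
      "name": "superadmin_policy",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": { "roles": "[{\"id\":\"rbac_superadmin_role\",\"required\":true}]" }
    },
    {
      "name": "manage_account_perm",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"account\"]",
        "scopes": "[\"scopes:read\"]",
        "applyPolicies": "[\"rbac_admin_policy\"]"
      }
    },
    {
      "name": "superadmin_delete_perm",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"account\"]",
        "scopes": "[\"scopes:delete\"]",
        "applyPolicies": "[\"superadmin_policy\"]"
      }
    }
  ]
}
```

The point to check after editing: scopes:delete must appear in exactly one permission (superadmin_delete_perm) and that permission must apply only the superadmin role policy. If scopes:delete is still listed in manage_account_perm, the admin user keeps the delete right regardless of the new permission, because any permission granting the scope is sufficient for a positive decision.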
$ ./quarkus_DELETE_deleteUser.sh superadmin 0fc33e0b-4e61-4c6d-977a-2651be11fc02
*** run as superadmin with secret: 0a32b2ad-7b58-4c5b-bffe-7d3673fe70a3 and Keylcloak URL: http://localhost:8280
*** Trying to delete UserID 0fc33e0b-4e61-4c6d-977a-2651be11fc02 from Realm RBAC ...
*** Testing HTTP DELETE Request
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> DELETE /account/0fc33e0b-4e61-4c6d-977a-2651be11fc02 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.83.1
> Accept: */*
> Authorization: Bearer eyJhbGciOi...
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-length: 234
< Content-Type: application/json
<
{"title":"Vertx JSON Object","kc_code":"204","kc_method":"DELETE","kc_message":null,"kc_username":"superadmin","kc_status":"No Content","kc_url":"http:/localhost:8280/auth/admin/realms/RBAC/users/0fc33e0b-4e61-4c6d-977a-2651be11fc02"}
* Connection #0 to host localhost left intact