
Part 4: Using Keycloak Authorization

Advantage of Keycloak Authorization Feature

Business Case

  • The account deletion operation should move from the admin role to the superadmin role
  • We don't want to change the source code

In a standard Quarkus REST app we would need to change the @RolesAllowed("admin") annotation to @RolesAllowed("superadmin") in our Java code and redeploy the app:

@DELETE
@Path("/{id}")
@RolesAllowed("admin")
@Produces(MediaType.APPLICATION_JSON)
public Uni<JsonObject> deleteUserFromKeycloakRealm(@PathParam("id") String id /* further parameters elided in the post */) {
    // method body unchanged: deletes the user with the given id from the Keycloak realm
}

The problem with this approach is that we need to change our source code, which may not be possible at all. If we want to change this behaviour dynamically we need to use the Keycloak Authorization feature.

Disable the delete scope in the manage_account_perm permission

Remove the scopes:delete scope from the manage_account_perm permission

Validate change

$ ./quarkus_DELETE_deleteUser.sh   testadmin  4238ac97-1dbc-4911-9623-13d83e4ddfa7

 *** run as  testadmin with secret: .....  and Keylcloak URL: http://localhost:8280

 *** Trying to delete UserID 4238ac97-1dbc-4911-9623-13d83e4ddfa7 from Realm RBAC
..
*** Testing HTTP DELETE Request
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> DELETE /account/4238ac97-1dbc-4911-9623-13d83e4ddfa7 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.83.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJ...

>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< content-length: 0
<
* Connection #0 to host localhost left intact

********************************************************

Without any change in our source code we have disabled the account deletion operation in our Java app. This way we can easily control our app without any changes to our Java code.

Create a new superadmin account

Create a new role rbac_superadmin_role

Create the superadmin account and assign it the superadmin role (rbac_superadmin_role)


Create the superadmin policy

Create the superadmin permission with the delete scope

Validate results

$ ./quarkus_DELETE_deleteUser.sh   superadmin  0fc33e0b-4e61-4c6d-977a-2651be11fc02

 *** run as  superadmin with secret: 0a32b2ad-7b58-4c5b-bffe-7d3673fe70a3 and Keylcloak URL: http://localhost:8280

 *** Trying to delete UserID 0fc33e0b-4e61-4c6d-977a-2651be11fc02 from Realm RBAC 
...
*** Testing HTTP DELETE Request
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> DELETE /account/0fc33e0b-4e61-4c6d-977a-2651be11fc02 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.83.1
> Accept: */*
> Authorization: Bearer eyJhbGciOi...
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-length: 234
< Content-Type: application/json
<
{"title":"Vertx JSON Object","kc_code":"204","kc_method":"DELETE","kc_message":null,"kc_username":"superadmin","kc_status":"No Content","kc_url":"http:/localhost:8280/auth/admin/realms/RBAC/users/0fc33e0b-4e61-4c6d-977a-2651be11fc02"}* Connection #0 to host localhost left intact
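Both validation runs above only show the end result from the Quarkus side (403 vs. 200). As an added example that is not part of the original post, the following Python script checks the same thing from the Keycloak side: it inspects which scopes a Requesting Party Token (RPT) grants on a resource, and it can ask Keycloak's token endpoint for a plain grant/deny decision for "resource#scope" without minting a token. The realm RBAC, the Keycloak URL with the legacy /auth prefix and the scope name scopes:delete come from the post; the client id quarkus-app and the resource name account are placeholders, and the sample tokens are constructed and unsigned.

```python
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# From the post's output: Keycloak on port 8280 with the legacy /auth prefix, realm RBAC.
KEYCLOAK_URL = "http://localhost:8280/auth"
REALM = "RBAC"
TOKEN_ENDPOINT = f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/token"
# Placeholders (assumptions, not from the post): the Quarkus app's client id and the
# name of the protected resource that carries the scopes:delete scope.
CLIENT_ID = "quarkus-app"
RESOURCE = "account"
SCOPE_DELETE = "scopes:delete"   # scope name from the post


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_rpt_permissions(rpt: str) -> dict:
    """Map resource name -> set of granted scopes from an RPT's 'authorization' claim.

    The signature is NOT verified here: this is for inspecting what Keycloak granted,
    not for making an enforcement decision. The Quarkus policy enforcer verifies the
    token before trusting it.
    """
    _header, payload_b64, _signature = rpt.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    granted = {}
    for perm in payload.get("authorization", {}).get("permissions", []):
        granted.setdefault(perm["rsname"], set()).update(perm.get("scopes", []))
    return granted


def has_scope(rpt: str, resource: str, scope: str) -> bool:
    """True if the RPT grants `scope` on `resource`."""
    return scope in decode_rpt_permissions(rpt).get(resource, set())


def _post_form(fields: dict, bearer: str = "") -> dict:
    """POST a form to the token endpoint and return the JSON body; raises on HTTP errors."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def password_grant(username: str, password: str, client_secret: str) -> str:
    """Obtain the user's plain access token (what the post's shell script sends as Bearer)."""
    body = _post_form({"grant_type": "password", "client_id": CLIENT_ID,
                       "client_secret": client_secret,
                       "username": username, "password": password})
    return body["access_token"]


def request_decision(access_token: str, resource: str, scope: str) -> bool:
    """Ask Keycloak whether the token's subject holds `scope` on `resource`.

    UMA ticket grant with response_mode=decision: Keycloak answers {"result": true}
    on grant and HTTP 403 on deny, without issuing an RPT.
    """
    try:
        body = _post_form({"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
                           "audience": CLIENT_ID,
                           "permission": f"{resource}#{scope}",
                           "response_mode": "decision"}, bearer=access_token)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise
    return bool(body.get("result", False))


def constructed_rpt(username: str, permissions: list) -> str:
    """Build an unsigned RPT-shaped token (constructed sample data: alg 'none', empty signature)."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    payload = _b64url_encode({"preferred_username": username,
                              "authorization": {"permissions": permissions}})
    return f"{header}.{payload}."


# Constructed samples mirroring the post's two states: before the change the admin
# holds the delete scope, afterwards only the superadmin does.
ADMIN_RPT_BEFORE = constructed_rpt(
    "testadmin", [{"rsname": RESOURCE, "scopes": ["scopes:view", SCOPE_DELETE]}])
ADMIN_RPT_AFTER = constructed_rpt(
    "testadmin", [{"rsname": RESOURCE, "scopes": ["scopes:view"]}])
SUPERADMIN_RPT = constructed_rpt(
    "superadmin", [{"rsname": RESOURCE, "scopes": [SCOPE_DELETE]}])


if __name__ == "__main__":
    # Usage: python check_delete_scope.py <username> <password> <client-secret>
    user, pw, secret = sys.argv[1:4]
    token = password_grant(user, pw, secret)
    verdict = request_decision(token, RESOURCE, SCOPE_DELETE)
    print(f"{user}: {SCOPE_DELETE} on {RESOURCE} -> {'granted' if verdict else 'denied'}")
```

Run it once as testadmin and once as superadmin after the permission change: the decision endpoint should deny the first and grant the second, matching the 403 and 200 seen from the Quarkus app. The decision mode is useful in a test pipeline because it exercises the Keycloak policy evaluation directly, so a misconfigured policy is caught even if the application is not deployed.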
