Keycloak supports fine-grained authorization policies and is able to combine different access control mechanisms such as:
- Attribute-based access control (ABAC)
- Dynamic Role-based access control (RBAC) without any Java code changes
- User-based access control (UBAC)
- Context-based access control (CBAC)
- Rule-based access control
  - Using JavaScript
- Time-based access control
Advantages
- Decouple authorization from services
- Dynamic access control model (can change access to resources without changing your source code)
- Supports UMA
- Performance – fewer round trips to our Keycloak server
- Fine-grained access due to the resource-based approach
UMA Use case
- Jdoe wants to access Alice’s pictures
- Jdoe requests access to Alice’s pictures
- Alice is notified about the request and approves it
- Jdoe can now access Alice’s pictures
- Alice can revoke access to her pictures at any time
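The use case above as a minimal in-memory model, added here as an illustration and not Keycloak's code or API: the `Ticket` and `PermissionStore` classes and the `alice/pictures` resource name are assumptions. It shows the checks the flow depends on: a pending request grants nothing, only the resource owner can approve or revoke, and revocation applies on the next access check.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Ticket:  # hypothetical model of one access request, not Keycloak's type
    id: int
    owner: str
    requester: str
    resource: str
    granted: bool = False  # a new request stays pending until the owner approves

class PermissionStore:
    """Constructed stand-in for the authorization server's permission records."""

    def __init__(self, owners):
        self._owners = dict(owners)  # resource name -> owner
        self._tickets = {}
        self._ids = count(1)

    def request_access(self, requester, resource):
        # Unknown resources raise KeyError: nothing can be requested on them.
        t = Ticket(next(self._ids), self._owners[resource], requester, resource)
        self._tickets[t.id] = t
        return t.id

    def _owned_ticket(self, actor, ticket_id):
        t = self._tickets[ticket_id]
        if actor != t.owner:  # the requester must never decide on its own request
            raise PermissionError("only the resource owner may change a ticket")
        return t

    def approve(self, actor, ticket_id):
        self._owned_ticket(actor, ticket_id).granted = True

    def revoke(self, actor, ticket_id):
        del self._tickets[self._owned_ticket(actor, ticket_id).id]

    def can_access(self, user, resource):
        if self._owners.get(resource) == user:
            return True
        # Deny by default: only a granted ticket for this user and resource counts.
        return any(t.granted and t.requester == user and t.resource == resource
                   for t in self._tickets.values())

def walk_through():
    s = PermissionStore({"alice/pictures": "alice"})  # constructed sample data
    tid = s.request_access("jdoe", "alice/pictures")
    pending = s.can_access("jdoe", "alice/pictures")
    s.approve("alice", tid)
    approved = s.can_access("jdoe", "alice/pictures")
    s.revoke("alice", tid)
    return pending, approved, s.can_access("jdoe", "alice/pictures")
```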