简体繁体 English

我应该如何使用 Keycloak 为“无角色”（ACL、ABAC）REST API 设置授权？

[英]How should I set up authorization for a “role-less” (ACL, ABAC) REST API with Keycloak?

原文 2020-05-13 10:15:27 6 2 rest/ security/ web/ authorization/ keycloak

My reasoning is based on the premise that when it comes to security, one should not reinvent the wheel and is better off studying which of the available solutions fits best.我的推理基于这样一个前提，即在安全方面，人们不应该重新发明轮子，最好研究哪种可用的解决方案最适合。

Suppose you have an application that lets users create things and allow their friends to change them in some way.假设您有一个应用程序允许用户创建事物并允许他们的朋友以某种方式更改它们。 I imagine that using a role-based approach would not work well in this situation and that something like an access control list for each thing is closer to ideal.我想在这种情况下使用基于角色的方法不会很好地工作，并且每件事的访问控制列表之类的东西更接近理想。

Following the premise I presented in the first paragraph, I studied Keycloak's documentation in search of something akin to ACLs, as I'll also need an authentication mechanism.根据我在第一段中提出的前提，我研究了 Keycloak 的文档以寻找类似于 ACL 的东西，因为我还需要一种身份验证机制。 I could not come up with a solution that didn't feel "hacky", to say the least...至少可以说，我想不出一个不会让人觉得“hacky”的解决方案......

Instead of writing an exhaustive list of what I thought of, I'd like to ask:我不想写一个详尽的清单，我想问：

Is my reasoning correct?我的推理正确吗？
Is Keycloak really what I'm looking for or I should use it in tandem with something like casbin? Keycloak 真的是我正在寻找的东西，还是我应该将它与 casbin 之类的东西结合使用？
How would you solve this?你会如何解决这个问题？

Thanks!谢谢！

Edit (14/05/20)编辑(14/05/20)

To further discuss this topic, I'll provide a more concrete (albeit simple) example.为了进一步讨论这个主题，我将提供一个更具体（虽然简单）的示例。 I'll also share some advice from a key contributor to Keycloak.我还将分享一些来自 Keycloak 的主要贡献者的建议。

Let's say we're developing a simple Medium clone that allows users to coedit articles.假设我们正在开发一个简单的 Medium 克隆，允许用户共同编辑文章。 Lance is an already registered and authenticated user that wants to start writing an article on bicycles, so he navigates to an "editing screen" in our SPA. Lance 是一个已经注册并通过身份验证的用户，他想开始写一篇关于自行车的文章，因此他导航到我们 SPA 中的“编辑屏幕”。 Lance then gives it a title, write a few words and hits a "Create" button that sends a POST request to a resource server (already protected by Keycloak).然后，Lance 给它一个标题，写几个字并点击“创建”按钮，该按钮将 POST 请求发送到资源服务器（已受 Keycloak 保护）。 The resource server (service) will then: 1. Persist the article to a database;资源服务器（服务）将： 1. 将文章保存到数据库； 2. Create a resource via Keycloak's Protection API with its owner attribute set to Lances's user ID and an empty "editors" attribute. 2. 通过 Keycloak 的保护 API 创建一个资源，其所有者属性设置为 Lances 的用户 ID 和一个空的“编辑器”属性。

Later on Lance decides that it would be good to have his friend Chris' opinion as well and therefore adds him to the list of editors.后来，Lance 决定最好让他的朋友 Chris 也发表意见，因此将他添加到编辑列表中。 This could be done via Keycloak's Protection API, too.这也可以通过 Keycloak 的保护 API 来完成。

This set-up would then allow us to set a JavaScript-Based policy to protect further edits.然后，此设置将允许我们设置基于 JavaScript 的策略来保护进一步的编辑。

2 个解决方案

Your reasoning is correct, as it actually fits the definition of "resource".您的推理是正确的，因为它实际上符合“资源”的定义。 Being your own application the resource server, Keycloak provides the authorization to access it or not, depending on what you consider.作为您自己的应用程序资源服务器，Keycloak 提供访问或不访问它的授权，具体取决于您的考虑。

I guess your concrete case is covered by User Managed Access :我想您的具体案例已包含在User Managed Access中：

As an example, consider a user Alice (resource owner) using an Internet Banking Service (resource server) to manage his Bank Account (resource).例如，考虑用户 Alice（资源所有者）使用网上银行服务（资源服务器）来管理他的银行账户（资源）。 One day, Alice decides to open her bank account to Bob (requesting party), a accounting professional.有一天，爱丽丝决定向会计专业人士鲍勃（请求方）开设她的银行账户。 However, Bob should only have access to view (scope) Alice's account.但是，Bob 应该只能查看（范围）Alice 的帐户。

As a resource server, the Internet Banking Service must be able to protect Alice's Bank Account.作为资源服务器，网上银行服务必须能够保护 Alice 的银行账户。 For that, it relies on Keycloak Resource Registration Endpoint to create a resource in the server representing Alice's Bank Account.为此，它依靠 Keycloak Resource Registration Endpoint 在服务器中创建代表 Alice 银行账户的资源。

At this moment, if Bob tries to access Alice's Bank Account, access will be denied.此时，如果 Bob 试图访问 Alice 的银行账户，访问将被拒绝。 The Internet Banking Service defines a few default policies for banking accounts.网上银行服务为银行账户定义了一些默认策略。 One of them is that only the owner, in this case Alice, is allowed to access her bank account.其中之一是只有所有者（在本例中为 Alice）才被允许访问她的银行账户。

However, Internet Banking Service in respect to Alice's privacy also allows her to change specific policies for the banking account.然而，关于 Alice 隐私的网上银行服务也允许她更改银行账户的特定政策。 One of these policies that she can change is to define which people are allowed to view her bank account.她可以更改的其中一项政策是定义允许哪些人查看她的银行帐户。 For that, Internet Banking Service relies on Keycloak to provide to Alice a space where she can select individuals and the operations (or data) they are allowed to access.为此，网上银行服务依靠 Keycloak 向 Alice 提供一个空间，她可以在该空间中 select 个人及其被允许访问的操作（或数据）。 At any time, Alice can revoke access or grant additional permissions to Bob.在任何时候，Alice 都可以撤销访问或授予 Bob 额外的权限。

For your case the resource would be the thing and your application would need to register it in the Resource Registration Endpoint.对于您的情况，资源将是事物，您的应用程序需要在资源注册端点中注册它。 Then, you might use policies to define who accesses the resource and how .然后，您可以使用策略来定义访问资源的人员以及访问方式。

From what I've been told from the contributor I mentioned in my question (post-edit), this reasoning is correct and it is one way it could be done.根据我在问题（编辑后）中提到的贡献者告诉我的内容，这种推理是正确的，并且是可以做到的一种方式。 Also, as @Xtreme Biker said, we could also make use of the UMA features Keycloak provides to let users manage their resources.此外，正如@Xtreme Biker 所说，我们还可以利用 Keycloak 提供的 UMA 功能来让用户管理他们的资源。

The contributor also said one should weigh in the overhead and duplication of this solution might add and consider keeping fine-grained authorization closer to the application/resource server/service.贡献者还表示，应该权衡此解决方案的开销和重复，可能会添加并考虑将细粒度授权更接近应用程序/资源服务器/服务。