
Keycloak Authorization for .NET Developers


Boris Wilhelms

October 06, 2021


Transcript

  1. Who am I?
     • Boris Wilhelms
     • Consultant and Architect at Thinktecture AG
     • Focus on
       • Identity- & Access-Management solutions
       • Web-based, cloud-native application architectures
       • .NET Core
     • Email: [email protected]
     • Twitter: @boriswilhelms
  2. Authorization
     • Authentication: confirms users are who they say they are.
     • Authorization: gives users permission to access a resource.
  3. Ways to do authorization with Keycloak
     • Roll your own
       • Resource Server has code to check if a user has access to a resource
     • Use User-Managed Access (UMA) protocol with Keycloak
       • Use Requesting Party Token (RPT)
         • Client uses a special access token containing the permissions to access the Resource Server
     • Use User-Managed Access (UMA) protocol extensions with Keycloak
       • Use permission request
         • Client can retrieve a list of all permissions from Keycloak
       • Use decision request
         • Resource Server makes a special UMA request to Keycloak to check if the user has permission
  4. Roll your own
     • Resource Server has code to check if a user has access to a resource
     • For ASP.NET Core we can use Authorization policies to protect
       • Endpoints
       • Data (use IAuthorizationService)
     • Use the database to limit access to data (where clauses, views, etc.)
  5. Authorization with Keycloak
     • Authorization Services lets you move authorization decisions to Keycloak
     • Authorizations consist of
       • Resources
       • Authorization Scopes
       • Policies
       • Permissions (combine Resources, Authorization Scopes and Policies)
     • Client must be a confidential client
     • Authorization must be enabled on the client
     • Keycloak needs all relevant data to check the authorization
       • Either it must be part of the resources (attributes)
       • Or it must be part of the RPT/decision request
  6. Use User-Managed Access protocol with Keycloak: Requesting Party Token
     1. Authorization is configured in Keycloak
     2. Client requests an RPT using the current access token
     3. Keycloak checks permissions and returns the RPT
     4. Client uses the RPT as access token to access the resource server
     5. Resource server checks the permissions in the RPT
     • Poor library support. Needs custom code in the client.
     • No library support for ASP.NET Core. Needs custom code in the resource server.
     • RPT is a normal JWT
     • Client can send additional data when requesting the RPT
  7. Use User-Managed Access protocol extensions with Keycloak: Client (permission request)
     1. Authorization is configured in Keycloak
     2. Client requests all permissions for a resource server using the current access token
     3. Keycloak checks permissions and returns an array of permissions
     4. Client can use the permissions to guard actions (hide buttons, guard routes, etc.)
     • No library support. Needs custom code in the client.
     • Client can send additional data when requesting permissions
  8. Use User-Managed Access protocol extensions with Keycloak: Resource Server (decision request)
     1. Authorization is configured in Keycloak
     2. Client uses a normal access token to access the resource server
     3. Resource server makes a "decision" request to Keycloak
     4. Keycloak checks the permission and returns OK or Forbidden
     • No library support for ASP.NET Core. Needs custom code in the resource server.
     • Resource server can send additional data when requesting the decision
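One way to write the resource-server side of this decision request in ASP.NET Core, as an added example that is not part of the deck or the linked repository: an authorization handler that forwards the caller's access token to Keycloak's token endpoint with the UMA ticket grant and response_mode=decision, so the "custom code in the resource server" from slides 6 and 8 reduces to one policy requirement. It assumes .NET 6 or later with implicit usings; the token endpoint URL, audience and requirement type are placeholders chosen for the example.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;

// Hypothetical requirement: Keycloak must grant "<resource>#<scope>" to the caller.
public sealed class KeycloakPermissionRequirement : IAuthorizationRequirement
{
    public KeycloakPermissionRequirement(string resource, string scope)
        => Permission = $"{resource}#{scope}";
    public string Permission { get; }
}

// Handler that performs the UMA decision request (slide 8) against Keycloak.
public sealed class KeycloakDecisionHandler : AuthorizationHandler<KeycloakPermissionRequirement>
{
    // Assumed values: the realm's token endpoint and the resource server's client id.
    private const string TokenEndpoint =
        "https://keycloak.example.com/realms/demo/protocol/openid-connect/token";
    private const string Audience = "my-resource-server";
    private readonly IHttpClientFactory _http;
    private readonly IHttpContextAccessor _ctx;
    public KeycloakDecisionHandler(IHttpClientFactory http, IHttpContextAccessor ctx)
        => (_http, _ctx) = (http, ctx);

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, KeycloakPermissionRequirement requirement)
    {
        // Forward the caller's normal access token; Keycloak evaluates its policies for that user.
        var header = _ctx.HttpContext?.Request.Headers["Authorization"].ToString() ?? "";
        if (!header.StartsWith("Bearer ", StringComparison.Ordinal)) return; // no token: stay unmet
        var accessToken = header["Bearer ".Length..];
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:uma-ticket",
            ["audience"] = Audience,
            ["permission"] = requirement.Permission,
            // "decision" asks for a yes/no answer only. Omit it and the same call
            // returns an RPT (slide 6); "permissions" returns the list (slide 7).
            ["response_mode"] = "decision",
        };
        using var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint)
            { Content = new FormUrlEncodedContent(form) };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await _http.CreateClient().SendAsync(request);
        // Keycloak answers 200 {"result": true} when granted and 403 when denied; any other
        // status (network error, misconfiguration) also leaves the requirement unmet.
        if (response.IsSuccessStatusCode) context.Succeed(requirement);
    }
}
```

Register it with services.AddHttpClient(), services.AddHttpContextAccessor() and services.AddSingleton<IAuthorizationHandler, KeycloakDecisionHandler>(), then attach new KeycloakPermissionRequirement("reports", "read") to a policy in AddAuthorization. The resource name and scope must already exist in the client's authorization settings in Keycloak, otherwise every decision is denied.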
  9. Comparison

     | Roll your own                                           | UMA Requesting Party Token                                            | UMA Decision Request                                           |
     |---------------------------------------------------------|-----------------------------------------------------------------------|----------------------------------------------------------------|
     | Most flexible                                           | Limited flexibility                                                   | Limited flexibility                                            |
     | Resource server usually has all data to check permission | Data might be replicated to Keycloak and/or client to check permission | Data might be replicated to Keycloak to check permission       |
     | No defined way to get permissions into the client       | Permissions request can be used to get permissions into the client    | Permissions request can be used to get permissions into the client |
     | No library support                                      | No library support                                                    | No library support                                             |
     | Needs code in client and/or server                      | Needs code in client and server                                       | No code in client needed. Server needs code                    |
     | Permission change might need deployment                 | Permissions can be changed at runtime                                 | Permissions can be changed at runtime                          |

     • Roll your own when you want the most flexibility and do not want to replicate data to Keycloak.
     • Use UMA when you want to centralize authorization and not much data is needed for authorization.
  10. Thank you!
      Boris Wilhelms
      [email protected]
      @boriswilhelms
      https://github.com/thinktecture-labs/webinar-keycloak-authorization