
Keycloak Authorization for .NET Developers

Boris Wilhelms

October 06, 2021

Transcript

  1. Keycloak Authorization for .NET Developers
    Boris Wilhelms
    @boriswilhelms
    Consultant

  2. Who am I?
    Boris Wilhelms
    • Consultant and Architect at Thinktecture AG
    • Focus on
      • Identity & Access Management solutions
      • Web-based, cloud-native application architectures
      • .NET Core
    • Email: [email protected]
    • Twitter: @boriswilhelms

  3. Authorization != Authentication

  4. Authorization
    Authentication: confirms users are who they say they are.
    Authorization: gives users permission to access a resource.

  5. Ways to do authorization with Keycloak
    • Roll your own
      • The resource server has code to check whether a user has access to a resource
    • Use the User-Managed Access (UMA) protocol with Keycloak
      • Use a Requesting Party Token (RPT)
        • The client uses a special access token that carries the permissions to access the resource server
    • Use the User-Managed Access (UMA) protocol extensions with Keycloak
      • Use a permission request
        • The client can retrieve a list of all its permissions from Keycloak
      • Use a decision request
        • The resource server makes a special UMA request to Keycloak to check whether the user has permission

  6. Roll your own
    • The resource server has code to check whether a user has access to a resource
    • In ASP.NET Core we can use authorization policies to protect
      • Endpoints
      • Data (use IAuthorizationService)
    • Use the database to limit access to data (where clauses, views, etc.)
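
The three levels named on the slide, as an added example in C# (not code from the deck or from the linked repository): an endpoint policy, a resource-based check through IAuthorizationService once the order is loaded, and a query that filters rows by owner. Order, OrderRepository, OrderAccessRequirement, the policy and role names, the realm URL and the audience are all assumed; the project needs the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Added example, not from the deck: "roll your own" authorization in ASP.NET Core (policy on the
// endpoint, IAuthorizationService on the data, filtering in the query). Order, OrderRepository,
// OrderAccessRequirement, the policy names, the realm URL and the audience are hypothetical.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Accept access tokens issued by the realm for this API's audience (placeholder values).
builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "https://keycloak.example.com/realms/demo";
        options.Audience = "orders-api";
    });

builder.Services.AddAuthorization(options =>
{
    // Endpoint-level policy. Keycloak puts realm roles in the nested realm_access.roles claim;
    // RequireRole/IsInRole only see them after a Keycloak mapper or an IClaimsTransformation has
    // flattened them into role claims (assumed here).
    options.AddPolicy("OrdersReader", policy => policy.RequireAuthenticatedUser().RequireRole("orders-reader"));
});
builder.Services.AddSingleton<IAuthorizationHandler, OrderAccessHandler>();
builder.Services.AddSingleton<OrderRepository>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Data-level check: the policy cannot know which order is requested, so the endpoint loads it and
// asks IAuthorizationService with the order as the resource.
app.MapGet("/orders/{id:int}", async (int id, ClaimsPrincipal user, IAuthorizationService authz, OrderRepository repo) =>
{
    var order = repo.Find(id);
    if (order is null) return Results.NotFound();
    var result = await authz.AuthorizeAsync(user, order, new OrderAccessRequirement());
    return result.Succeeded ? Results.Ok(order) : Results.Forbid();
}).RequireAuthorization("OrdersReader");

// Database-level limiting: the query itself only returns rows the caller may see.
app.MapGet("/orders", (ClaimsPrincipal user, OrderRepository repo) =>
{
    var subject = KeycloakClaims.Subject(user);
    var visible = user.IsInRole("manager") ? repo.All : repo.All.Where(o => o.OwnerSubject == subject);
    return Results.Ok(visible.ToList());
}).RequireAuthorization("OrdersReader");

app.Run();

public record Order(int Id, string OwnerSubject, decimal Total);

public static class KeycloakClaims
{
    // "sub" is the subject of a Keycloak access token; the JwtBearer handler's default inbound
    // claim mapping renames it to ClaimTypes.NameIdentifier, so accept either.
    public static string? Subject(ClaimsPrincipal user) =>
        user.FindFirst("sub")?.Value ?? user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
}

public sealed class OrderRepository
{
    // Constructed sample rows standing in for a database table; the subjects are made-up user ids.
    public IQueryable<Order> All { get; } = new[]
    {
        new Order(1, "alice-subject-id", 120.00m),
        new Order(2, "bob-subject-id", 42.50m),
    }.AsQueryable();

    public Order? Find(int id) => All.FirstOrDefault(o => o.Id == id);
}

public sealed class OrderAccessRequirement : IAuthorizationRequirement { }

// Succeeds when the caller owns the order or holds the manager role. It never calls Fail(),
// so another handler registered for the same requirement could still grant access.
public sealed class OrderAccessHandler : AuthorizationHandler<OrderAccessRequirement, Order>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OrderAccessRequirement requirement, Order order)
    {
        var subject = KeycloakClaims.Subject(context.User);
        if (subject is not null && (subject == order.OwnerSubject || context.User.IsInRole("manager")))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
```

The point of the split is that the endpoint policy is evaluated before the handler body runs and knows nothing about the requested row, so ownership has to be checked after loading the order; the list endpoint avoids a per-row check entirely by pushing the restriction into the query, which is the "where clauses, views" option on the slide.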

  7. Authorization with Keycloak
    • Authorization Services let you move authorization decisions to Keycloak
    • An authorization configuration consists of
      • Resources
      • Authorization scopes
      • Policies
      • Permissions (combine resources, authorization scopes and policies)
    • The client must be a confidential client
    • Authorization must be enabled on the client
    • Keycloak needs all relevant data to evaluate the authorization
      • Either it must be part of the resources (attributes)
      • Or it must be sent with the RPT/decision request

  8. Use the User-Managed Access protocol with Keycloak: Requesting Party Token
    1. Authorization is configured in Keycloak
    2. The client requests an RPT using its current access token
    3. Keycloak checks the permissions and returns the RPT
    4. The client uses the RPT as access token to access the resource server
    5. The resource server checks the permissions in the RPT
    • Poor library support. Needs custom code in the client.
    • No library support in ASP.NET Core. Needs custom code in the resource server.
    • The RPT is a normal JWT
    • The client can send additional data when requesting the RPT
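
Step 5, the resource server side, as an added example in C# (not code from the deck or the linked repository). It reads the "authorization" claim that Keycloak places in an RPT and exposes the check as a normal ASP.NET Core requirement; RptPermissions, RptPermissionRequirement and the demo claim set are assumptions, as is the resource name "orders".

```csharp
// Added example, not from the deck: the resource server side of the RPT flow (step 5).
// RptPermissions and RptPermissionRequirement are hypothetical names; the claim layout is the one
// an RPT carries, and the sample claim set at the bottom is constructed, not a real token.
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public static class RptPermissions
{
    // An RPT carries its permissions as a nested claim:
    //   "authorization": { "permissions": [ { "rsid": "...", "rsname": "orders", "scopes": ["view"] } ] }
    // The JwtBearer handler exposes a nested JSON object as one claim whose value is the JSON text,
    // so the resource server has to parse that text itself.
    public static bool Grants(ClaimsPrincipal user, string resourceName, string scope)
    {
        var raw = user.FindFirst("authorization")?.Value;
        if (string.IsNullOrEmpty(raw)) return false;   // a plain access token, not an RPT

        using var doc = JsonDocument.Parse(raw);
        if (!doc.RootElement.TryGetProperty("permissions", out var permissions)
            || permissions.ValueKind != JsonValueKind.Array) return false;

        foreach (var permission in permissions.EnumerateArray())
        {
            if (!permission.TryGetProperty("rsname", out var name) || name.GetString() != resourceName) continue;
            // No "scopes" entry means the resource was granted as a whole.
            if (!permission.TryGetProperty("scopes", out var scopes)) return true;
            if (scopes.EnumerateArray().Any(s => s.GetString() == scope)) return true;
        }
        return false;
    }
}

// Requirement and handler so the check can be wired into an ordinary policy.
public sealed class RptPermissionRequirement : IAuthorizationRequirement
{
    public RptPermissionRequirement(string resource, string scope) => (Resource, Scope) = (resource, scope);
    public string Resource { get; }
    public string Scope { get; }
}

public sealed class RptPermissionHandler : AuthorizationHandler<RptPermissionRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RptPermissionRequirement requirement)
    {
        if (RptPermissions.Grants(context.User, requirement.Resource, requirement.Scope))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Registration in Program.cs (hypothetical policy name):
//   services.AddSingleton<IAuthorizationHandler, RptPermissionHandler>();
//   services.AddAuthorization(o => o.AddPolicy("orders:view",
//       p => p.AddRequirements(new RptPermissionRequirement("orders", "view"))));
// then [Authorize(Policy = "orders:view")] or .RequireAuthorization("orders:view") on the endpoint.

public static class RptPermissionsDemo
{
    // Exercises the check offline with a constructed "authorization" claim.
    public static (bool ordersView, bool ordersDelete, bool reportsView) Run()
    {
        const string authorizationClaim =
            "{\"permissions\":[{\"rsid\":\"4e2c\",\"rsname\":\"orders\",\"scopes\":[\"view\"]},"
            + "{\"rsid\":\"9a1f\",\"rsname\":\"reports\"}]}";
        var identity = new ClaimsIdentity(new[] { new Claim("authorization", authorizationClaim, "JSON") }, "Bearer");
        var user = new ClaimsPrincipal(identity);

        return (RptPermissions.Grants(user, "orders", "view"),
                RptPermissions.Grants(user, "orders", "delete"),
                RptPermissions.Grants(user, "reports", "view"));
    }
}
```

The JWT signature, issuer and audience are still verified by the JwtBearer handler exactly as for a normal access token; this code only adds the permission lookup on top, which is why the slide can say an RPT "is a normal JWT". In the demo, the orders/view and reports/view checks pass (the second because the whole resource was granted) while orders/delete does not.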

  9. Use the User-Managed Access protocol extensions with Keycloak: Client
    1. Authorization is configured in Keycloak
    2. The client requests all permissions for a resource server using its current access token
    3. Keycloak checks the permissions and returns an array of permissions
    4. The client can use the permissions to guard actions (hide buttons, guard routes, etc.)
    • No library support. Needs custom code in the client.
    • The client can send additional data when requesting permissions

  10. Use the User-Managed Access protocol extensions with Keycloak: Resource Server
    1. Authorization is configured in Keycloak
    2. The client uses its normal access token to access the resource server
    3. The resource server makes a "decision" request to Keycloak
    4. Keycloak checks the permission and returns OK or Forbidden
    • No library support in ASP.NET Core. Needs custom code in the resource server.
    • The resource server can send additional data when requesting the decision
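
The three requests on slides 8, 9 and 10 all go to the same realm token endpoint with the UMA ticket grant and differ only in the response_mode parameter, so one small client covers them. This is an added example in C# (not code from the deck or the linked repository): KeycloakUmaClient and GrantedPermission are hypothetical names, the realm URL and client ids are placeholders, and the "additional data" the slides mention is sent as pushed claims in the claim_token parameter.

```csharp
// Added example, not from the deck: one client for the three UMA requests on slides 8-10.
// KeycloakUmaClient and GrantedPermission are hypothetical names; realm URL and client ids are placeholders.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;

public sealed class KeycloakUmaClient
{
    private const string UmaTicketGrant = "urn:ietf:params:oauth:grant-type:uma-ticket";
    private readonly HttpClient _http;
    private readonly string _tokenEndpoint;

    public KeycloakUmaClient(HttpClient http, string realmUrl)
    {
        _http = http;
        // e.g. https://keycloak.example.com/realms/demo -> .../protocol/openid-connect/token
        _tokenEndpoint = realmUrl.TrimEnd('/') + "/protocol/openid-connect/token";
    }

    // Slide 8, step 2: exchange the current access token for an RPT. Keycloak answers with a normal
    // token response; access_token is the RPT (a JWT carrying the "authorization" claim).
    public async Task<string> RequestRptAsync(string accessToken, string resourceServerClientId,
        IEnumerable<string>? permissions = null, object? pushedClaims = null)
    {
        using var response = await PostAsync(accessToken, BaseForm(resourceServerClientId, permissions, pushedClaims));
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString()!;
    }

    // Slide 9, step 2: the same request with response_mode=permissions returns the granted
    // permissions as a JSON array instead of a token; a client can use it to hide buttons or guard routes.
    public async Task<List<GrantedPermission>> RequestPermissionsAsync(string accessToken, string resourceServerClientId,
        IEnumerable<string>? permissions = null, object? pushedClaims = null)
    {
        var form = BaseForm(resourceServerClientId, permissions, pushedClaims);
        form.Add(new("response_mode", "permissions"));
        using var response = await PostAsync(accessToken, form);
        response.EnsureSuccessStatusCode();
        var json = await response.Content.ReadAsStringAsync();
        return JsonSerializer.Deserialize<List<GrantedPermission>>(json) ?? new List<GrantedPermission>();
    }

    // Slide 10, step 3: the resource server asks for a yes/no answer with response_mode=decision.
    // Keycloak returns {"result": true} when granted and HTTP 403 when denied.
    public async Task<bool> RequestDecisionAsync(string accessToken, string resourceServerClientId,
        string resource, string scope, object? pushedClaims = null)
    {
        var form = BaseForm(resourceServerClientId, new[] { resource + "#" + scope }, pushedClaims);
        form.Add(new("response_mode", "decision"));
        using var response = await PostAsync(accessToken, form);
        if (response.StatusCode == HttpStatusCode.Forbidden) return false;
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.TryGetProperty("result", out var result) && result.GetBoolean();
    }

    // Common form body. "audience" names the resource server client whose permissions are evaluated;
    // "permission" entries are "resource#scope" (or just "resource") and may repeat; pushed claims
    // (the "additional data" on slides 7-10) travel base64-encoded in claim_token.
    private static List<KeyValuePair<string, string>> BaseForm(string audience, IEnumerable<string>? permissions, object? pushedClaims)
    {
        var form = new List<KeyValuePair<string, string>>
        {
            new("grant_type", UmaTicketGrant),
            new("audience", audience),
        };
        foreach (var permission in permissions ?? Array.Empty<string>())
            form.Add(new("permission", permission));
        if (pushedClaims is not null)
        {
            var claimJson = JsonSerializer.Serialize(pushedClaims);
            form.Add(new("claim_token", Convert.ToBase64String(Encoding.UTF8.GetBytes(claimJson))));
            form.Add(new("claim_token_format", "urn:ietf:params:oauth:token-type:jwt"));
        }
        return form;
    }

    // The caller's current access token authenticates the request (Authorization: Bearer ...).
    private async Task<HttpResponseMessage> PostAsync(string accessToken, List<KeyValuePair<string, string>> form)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint) { Content = new FormUrlEncodedContent(form) };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return await _http.SendAsync(request);
    }
}

// One entry of the permissions array: {"rsid": "...", "rsname": "orders", "scopes": ["view"]}; "scopes" is absent
// when the whole resource was granted.
public sealed record GrantedPermission(
    [property: JsonPropertyName("rsid")] string ResourceId,
    [property: JsonPropertyName("rsname")] string ResourceName,
    [property: JsonPropertyName("scopes")] List<string>? Scopes);
```

Two practical caveats. Pushed claims are asserted by whoever sends them, so a policy that relies on claim_token only makes sense when the sender is the resource server itself (the decision request), not an untrusted client. And a decision request adds a round trip to Keycloak per authorization check, so the resource server should cache results for the lifetime of the access token rather than call out on every request.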

  11. Comparison
    Roll your own
      • Most flexible
      • The resource server usually has all the data needed to check a permission
      • No defined way to get permissions into the client
      • No library support
      • Needs code in the client and/or the server
      • A permission change might need a deployment
    UMA Requesting Party Token
      • Limited flexibility
      • Data might have to be replicated to Keycloak and/or the client to check a permission
      • A permission request can be used to get permissions into the client
      • No library support
      • Needs code in the client and the server
      • Permissions can be changed at runtime
    UMA Decision Request
      • Limited flexibility
      • Data might have to be replicated to Keycloak to check a permission
      • A permission request can be used to get permissions into the client
      • No library support
      • No code needed in the client; the server needs code
      • Permissions can be changed at runtime
    • Roll your own when you want the most flexibility and do not want to replicate data to Keycloak.
    • Use UMA when you want to centralize authorization and not much data is needed for the authorization decision.

  12. Thank you!
    Boris Wilhelms
    [email protected]
    @boriswilhelms
    https://github.com/thinktecture-labs/webinar-keycloak-authorization