Slide 1

Keycloak Authorization for .NET Developers
Boris Wilhelms, Consultant (@boriswilhelms)

Slide 2

Who am I?

Boris Wilhelms
• Consultant and Architect at Thinktecture AG
• Focus on
  • Identity & Access Management solutions
  • Web-based, cloud-native application architectures
  • .NET Core
• Email: [email protected]
• Twitter: @boriswilhelms

Slide 3

Authorization != Authentication

Slide 4

Authorization

Authentication: confirms that users are who they say they are.
Authorization: gives users permission to access a resource.

Slide 5

Ways to do authorization with Keycloak

• Roll your own
  • The Resource Server has code to check whether a user has access to a resource
• Use the User-Managed Access (UMA) protocol with Keycloak
  • Use a Requesting Party Token (RPT)
    • The Client uses a special access token containing the permissions to access the Resource Server
• Use the User-Managed Access (UMA) protocol extensions with Keycloak
  • Use a permission request
    • The Client can retrieve a list of all permissions from Keycloak
  • Use a decision request
    • The Resource Server makes a special UMA request to Keycloak to check whether the user has permission

Slide 6

Roll your own

• The Resource Server has code to check whether a user has access to a resource
• For ASP.NET Core we can use authorization policies to protect
  • Endpoints
  • Data (use IAuthorizationService)
• Use the database to limit access to data (where clauses, views, etc.)
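The "roll your own" approach in ASP.NET Core, as an added example that is not code from the deck or from its GitHub repository: an authorization policy guards the endpoint, a resource-based handler decides per Document when asked through IAuthorizationService, and the list query pushes the same rule into a where clause. The Document type, the "DocumentUser" policy name, the "department" claim, the IQueryable<Document> taken from DI, and a JWT bearer setup with MapInboundClaims = false (so Keycloak's "sub" claim keeps its name) are assumptions made for this example.

```csharp
// Added example, not code from the deck or its repository. Assumed: the Document type, the
// "DocumentUser" policy name, a "department" claim in the token, an IQueryable<Document> in DI,
// and a JWT bearer setup with MapInboundClaims = false so Keycloak's "sub" claim keeps its name.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public record Document(int Id, string OwnerId, string Department, string Title);

public static class DocumentOperations
{
    public static readonly OperationAuthorizationRequirement Read = new() { Name = "Read" };
    public static readonly OperationAuthorizationRequirement Delete = new() { Name = "Delete" };
}

// Data-level rule, evaluated per Document: the owner may do anything, colleagues in the same
// department may only read, everyone else gets no decision, which ASP.NET Core treats as denied.
public class DocumentAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Document document)
    {
        var userId = context.User.FindFirst("sub")?.Value;
        var department = context.User.FindFirst("department")?.Value;

        if (userId != null && document.OwnerId == userId)
            context.Succeed(requirement);
        else if (requirement.Name == DocumentOperations.Read.Name && document.Department == department)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

[ApiController, Route("documents")]
[Authorize(Policy = "DocumentUser")]                 // endpoint-level check: the policy registered below
public class DocumentsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    private readonly IQueryable<Document> _documents;  // e.g. an EF Core DbSet<Document>

    public DocumentsController(IAuthorizationService authz, IQueryable<Document> documents)
    {
        _authz = authz; _documents = documents;
    }

    [HttpGet("{id:int}")]
    public async Task<IActionResult> Get(int id)
    {
        var document = _documents.SingleOrDefault(d => d.Id == id);
        if (document is null) return NotFound();

        // data-level check through IAuthorizationService; 403 (not 404) for an authenticated user
        var result = await _authz.AuthorizeAsync(User, document, DocumentOperations.Read);
        return result.Succeeded ? Ok(document) : Forbid();
    }

    // "Use the database to limit access": the same rule as a where clause, so only permitted rows leave the DB.
    [HttpGet]
    public IActionResult List()
    {
        var userId = User.FindFirst("sub")?.Value;
        var department = User.FindFirst("department")?.Value;
        var visible = _documents.Where(d => d.OwnerId == userId || d.Department == department);
        return Ok(visible.ToList());
    }
}

public static class AuthorizationSetup
{
    public static IServiceCollection AddDocumentAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization(options => options.AddPolicy("DocumentUser",
            policy => policy.RequireAuthenticatedUser().RequireClaim("department")));
        services.AddSingleton<IAuthorizationHandler, DocumentAuthorizationHandler>();
        return services;
    }
}
```

Register it with services.AddDocumentAuthorization() next to AddAuthentication().AddJwtBearer(). Every piece of data the decision needs (owner, department) already lives in the resource server, which is exactly the case the deck's comparison slide has in mind when it recommends rolling your own; the price is that the rule in the handler and the rule in the where clause must be kept in sync by hand.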

Slide 7

Authorization with Keycloak

• Authorization Services lets you move authorization decisions to Keycloak
• Authorizations consist of
  • Resources
  • Authorization Scopes
  • Policies
  • Permissions (combine Resources, Authorization Scopes and Policies)
• The client must be a confidential client
• Authorization must be enabled on the client
• Keycloak needs all relevant data to check the authorization
  • Either it must be part of the resources (attributes)
  • Or it must be part of the RPT/decision request

Slide 8

Use User-Managed Access protocol with Keycloak: Requesting Party Token

1. Authorization is configured in Keycloak
2. The client requests an RPT using its current access token
3. Keycloak checks the permissions and returns the RPT
4. The client uses the RPT as access token to access the resource server
5. The resource server checks the permissions in the RPT

• Poor library support. Needs custom code in the client.
• No library support for ASP.NET Core. Needs custom code in the resource server.
• The RPT is a normal JWT
• The client can send additional data when requesting the RPT

Slide 9

Use User-Managed Access protocol extensions with Keycloak: Client (permission request)

1. Authorization is configured in Keycloak
2. The client requests all permissions for a resource server using its current access token
3. Keycloak checks the permissions and returns an array of permissions
4. The client can use the permissions to guard actions (hide buttons, guard routes, etc.)

• No library support. Needs custom code in the client.
• The client can send additional data when requesting permissions

Slide 10

Use User-Managed Access protocol extensions with Keycloak: Resource Server (decision request)

1. Authorization is configured in Keycloak
2. The client uses a normal access token to access the resource server
3. The resource server makes a "decision" request to Keycloak
4. Keycloak checks the permission and returns Ok or Forbidden

• No library support for ASP.NET Core. Needs custom code in the resource server.
• The resource server can send additional data when making the decision request
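The three UMA requests of slides 8, 9 and 10 all go to the same Keycloak token endpoint with the uma-ticket grant and differ only in response_mode, so here is one small client for all of them, as an added example that is not code from the deck or from its repository. It covers the RPT request (and reading the permissions back out of the RPT, which is a normal JWT), the permissions request (response_mode=permissions) and the decision request (response_mode=decision), plus the "additional data" of slides 7 to 10 as pushed claims in the claim_token parameter as documented by Keycloak. The token endpoint URL, the resource server client id "my-api" and the resource and scope names are assumptions.

```csharp
// Added example, not code from the deck or its repository. Assumed values: the token endpoint
// URL, the resource server's client id "my-api", and the resource/scope names a caller passes in.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public sealed class KeycloakUmaClient
{
    private const string UmaTicketGrant = "urn:ietf:params:oauth:grant-type:uma-ticket";
    private readonly HttpClient _http;
    private readonly string _tokenEndpoint; // e.g. https://keycloak.example.com/realms/demo/protocol/openid-connect/token (assumed)
    private readonly string _audience;      // client id of the resource server, e.g. "my-api" (assumed)

    public KeycloakUmaClient(HttpClient http, string tokenEndpoint, string audience)
    {
        _http = http; _tokenEndpoint = tokenEndpoint; _audience = audience;
    }

    // Slide 8: trade the current access token for an RPT (itself a JWT) scoped to the audience.
    public async Task<string> RequestRptAsync(string accessToken, string? permission = null,
        IDictionary<string, string[]>? claims = null)
    {
        using var response = await PostUmaTicketAsync(accessToken, null, permission, claims);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString()!;
    }

    // Slide 9: response_mode=permissions returns the permission list only, no token.
    public async Task<List<(string Resource, string[] Scopes)>> RequestPermissionsAsync(
        string accessToken, IDictionary<string, string[]>? claims = null)
    {
        using var response = await PostUmaTicketAsync(accessToken, "permissions", null, claims);
        response.EnsureSuccessStatusCode();
        return ParsePermissions(await response.Content.ReadAsStringAsync());
    }

    // Slide 10: response_mode=decision asks one yes/no question for resource#scope.
    // Keycloak answers 200 {"result":true} when granted and 403 when denied.
    public async Task<bool> RequestDecisionAsync(string accessToken, string resource, string scope,
        IDictionary<string, string[]>? claims = null)
    {
        using var response = await PostUmaTicketAsync(accessToken, "decision", $"{resource}#{scope}", claims);
        if (response.StatusCode == HttpStatusCode.Forbidden) return false;
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("result").GetBoolean();
    }

    // Slide 8 step 5: the RPT payload carries {"authorization":{"permissions":[...]}}.
    // Decoding only; signature, issuer and audience are validated by the JWT bearer middleware.
    public static List<(string Resource, string[] Scopes)> PermissionsFromRpt(string rpt)
    {
        var payload = rpt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return ParsePermissions(doc.RootElement.GetProperty("authorization")
                                               .GetProperty("permissions").GetRawText());
    }

    // Same array shape in both places: [{"rsid":"...","rsname":"...","scopes":["read","write"]}]
    public static List<(string Resource, string[] Scopes)> ParsePermissions(string json)
    {
        var result = new List<(string Resource, string[] Scopes)>();
        using var doc = JsonDocument.Parse(json);
        foreach (var p in doc.RootElement.EnumerateArray())
        {
            var scopes = p.TryGetProperty("scopes", out var s)
                ? s.EnumerateArray().Select(e => e.GetString()!).ToArray()
                : Array.Empty<string>();             // a permission may grant a resource without scopes
            result.Add((p.GetProperty("rsname").GetString()!, scopes));
        }
        return result;
    }

    private Task<HttpResponseMessage> PostUmaTicketAsync(string accessToken, string? responseMode,
        string? permission, IDictionary<string, string[]>? claims)
    {
        var form = new List<KeyValuePair<string, string>>
        {
            new("grant_type", UmaTicketGrant),
            new("audience", _audience),
        };
        if (responseMode != null) form.Add(new("response_mode", responseMode));
        if (permission != null) form.Add(new("permission", permission));
        if (claims != null)
        {
            // "Additional data" for the policies: pushed claims, a base64-encoded JSON object.
            var json = JsonSerializer.Serialize(claims);
            form.Add(new("claim_token", Convert.ToBase64String(Encoding.UTF8.GetBytes(json))));
            form.Add(new("claim_token_format", "urn:ietf:params:oauth:token-type:jwt"));
        }
        var request = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint)
        {
            Content = new FormUrlEncodedContent(form)
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return _http.SendAsync(request);
    }
}
```

In the client (slides 8 and 9) the bearer token is the user's current access token and the result either becomes the new bearer token for calls to the resource server or drives the UI. In the resource server (slide 10) the bearer token is the access token that just arrived with the request, so the decision request costs one round trip to Keycloak per check; cache accordingly. Two caveats: an RPT must still pass the normal JWT validation (signature, issuer, audience, expiry) before its permissions claim is trusted, and matching on rsname assumes resource names are unique in the resource server, otherwise compare rsid.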

Slide 11

Comparison

                      | Roll your own                                            | UMA Requesting Party Token                                             | UMA Decision Request
Flexibility           | Most flexible                                            | Limited flexibility                                                    | Limited flexibility
Data for the decision | Resource server usually has all data to check permission | Data might be replicated to Keycloak and/or client to check permission | Data might be replicated to Keycloak to check permission
Permissions in client | No defined way to get permissions into the client        | Permissions request can be used to get permissions into the client     | Permissions request can be used to get permissions into the client
Library support       | No library support                                       | No library support                                                     | No library support
Custom code           | Needs code in client and/or server                       | Needs code in client and server                                        | No code in client needed; server needs code
Changing permissions  | Permission change might need a deployment                | Permissions can be changed at runtime                                  | Permissions can be changed at runtime

• Roll your own when you want the most flexibility and do not want to replicate data to Keycloak.
• Use UMA when you want to centralize authorization and not much data is needed for the authorization decision.

Slide 12

Thank you!

Boris Wilhelms
[email protected]
@boriswilhelms
https://github.com/thinktecture-labs/webinar-keycloak-authorization