Keycloak Auhtorization fuer .NET Entwickler

Keycloak Authorization for .NET Developers Boris Wilhelms @boriswilhelms Consultant

Boris Wilhelms • Consultant and Architect at Thinktecture AG •
Focus on • Identity- & Access-Management solutions • Web-based, cloud nativ application architectures • .NET Core • Email: [email protected] • Twitter: @boriswilhelms Keycloak Authorization for .NET Developers Who am I?

Authorization != Authentication Keycloak Authorization for .NET Developers

Authentication Confirms users are who they say they are. Authorization
Gives users permission to access a resource Keycloak Authorization for .NET Developers Authorization

• Roll your own • Resource Server has code to
check if a user has access to a resource • Use User-Managed Access (UMA) protocol with Keycloak • Use Requesting Party Token (RPT) • Client uses a special acess token containing the permissions to access the Resource Server • Use User-Managed Access (UMA) protocol extensions with Keycloak • Use permission request • Client can retrieve a list of all permission from Keycloak • Use decision request • Resource Server makes a special UMA request to Keycloak to check if user have permission Keycloak Authorization for .NET Developers Ways to do authorization with Keycloak

• Resource Server has code to check if a user
has access to a resource • For ASP.NET Core we can use Authorization policies to protect • Endpoints • Data (use IAuthorizationService) • Use database to limit access to data (where clauses, views, etc.) Keycloak Authorization for .NET Developers Roll your own

• Authorization Services lets you move authorization decisions to Keycloak
• Authorizations consist of • Resources • Authorization Scopes • Policies • Permissions (combines Resources, Authorization Scopes and Policies) • Client must be confidential client • Authorization must be enabled on the client • Keycloak needs all relevant data to check the authorization • Either must be part of resources (attributes) • Or must be part of the RPT/decision request Keycloak Authorization for .NET Developers Authorization with Keycloak

Requesting Party Token 1. Authorization is configured in Keycloak 2.
Client requests RPT using current access token 3. Keycloak checks permissions and returns RPT 4. Client uses RPT as access token to access resource server 5. Resource server checks permission in RPT • Poor library support. Needs custom code in client. • No library support ASP.NET Core. Needs custom code in resource server. • RPT is a normal JWT • Client can send additional data when requesting RPT Keycloak Authorization for .NET Developers Use User-Managed Access protocol with Keycloak

Client 1. Authorization is configured in Keycloak 2. Client requests
all permissions for a resource server using current access token 3. Keycloak checks permissions and returns array of permission 4. Client can use permissions to guard actions (hide buttons, guard routes, etc.) • No library support. Needs custom code in client. • Client can send additional data when requesting permissions Keycloak Authorization for .NET Developers Use User-Managed Access protocol extensions with Keycloak

Resource Server 1. Authorization is configured in Keycloak 2. Client
uses normal access token to access resource server 3. Resource server makes a „decision“ request to Keycloak 4. Keycloak checks permission and return Ok or Forbidden • No library support ASP.NET Core. Needs custom code in resource server. • Resource server can send additional data when requesting permissions Keycloak Authorization for .NET Developers Use User-Managed Access protocol extensions with Keycloak

Keycloak Authorization for .NET Developers Comparison Roll your own UMA
Requesting Party Token UMA Decision Request Most flexible Limited flexibility Limited flexibility Resource server usually has all data to check permission Data might be replicated to Keycloak and/or client to check permission Data might be replicated to Keycloak to check permission No defined way to get permissions into the client Permissions request can be used to get permission into the client Permissions request can be used to get permission into the client No library support No library support No library support Needs code in client and/or server Needs code in client and server No code in client needed. Server needs code Permission change might need deployment Permissions can be changed at runtime Permissions can be changed at runtime • Roll your own when you want the most flexibility and do not want to replicate data to Keycloak. • Use UMA when you want to centralize authorization and not much data for authorization is needed.

Keycloak Authorization for .NET Developers Boris Wilhelms [email protected] @boriswilhelms Thank
you! https://github.com/thinktecture-labs/webinar-keycloak-authorization

Keycloak Auhtorization fuer .NET Entwickler

Keycloak Auhtorization fuer .NET Entwickler

Boris Wilhelms

More Decks by Boris Wilhelms

Other Decks in Programming

Featured

Transcript

Keycloak Authorization for .NET Developers Boris Wilhelms @boriswilhelms Consultant

Boris Wilhelms • Consultant and Architect at Thinktecture AG •

Authorization != Authentication Keycloak Authorization for .NET Developers

Authentication Confirms users are who they say they are. Authorization

• Roll your own • Resource Server has code to

• Resource Server has code to check if a user

• Authorization Services lets you move authorization decisions to Keycloak

Requesting Party Token 1. Authorization is configured in Keycloak 2.

Client 1. Authorization is configured in Keycloak 2. Client requests

Resource Server 1. Authorization is configured in Keycloak 2. Client

Keycloak Authorization for .NET Developers Comparison Roll your own UMA

Keycloak Authorization for .NET Developers Boris Wilhelms [email protected] @boriswilhelms Thank