Keycloak as an Authorization Service

Hi,
I would like to use Keycloak as an Authorization black-box (PDP in ABAC terms) for authorization on API GW.

What I am looking for:

  • Keycloak has the rules
  • Authorized client passes request in structure subject-action-object
  • Keycloak responds yes/no

Note that “subject” can be offline user.

The question is: Is Keycloak suitable for such a task? How do I achieve this?

PS: While reading the documentation, I found that the requests are dependent on the OpenID user’s token. What I am looking for is some sort of LDAP uid to pass, like “xuser - view - address”.
In this scenario, authentication for end users will be done via different Access Manager.

I’m not a Keycloak expert, but this doc might help you: https://www.keycloak.org/docs/latest/authorization_services/index.html

Keycloak does have authorization features, and it looks like the “Protection API” might fit your use case?

Thank you, @bjmc. I learned something about OAuth 2.0 and OIDC. It looks like it solves access to user’s data.
What if I want to guard business data in general?

To reiterate my question:

  • Can I forge an authorization request for any user (not just the authenticated one)?

Based on documentation, the policies are evaluated by Policy Enforcer, and permissions are bound to bearer token.

What if I want to guard business data in general?

This is an extremely broad question. The only thing I can really say is that OAuth2/OIDC don’t have anything to do directly with securing data. It’s the responsibility of the application holding the data to store it securely and restrict access so that unauthorized parties cannot read it.

OAuth2 is authorization protocol and OIDC is an authentication protocol. Together, they can be used by an application to help determine who is making a request and what the caller is allowed to do.

Trying to answer your second question, the assumption of OAuth2 is that a request is being made by a client authorized by an “access token” - the “scope” of that token can be used to determine what powers the token grants. If you control both the authorization server (that issues the tokens) and the resource server (that receives the tokens and enforces access) then you can issue tokens for any principal (i.e. user, system, etc) with any scopes you choose.

Be aware of the token generation. We didn’t find a way to generate a token externally to Keycloak. My understanding is that you have to create a token using Keycloak; Keycloak should be aware of the user (subject), so you probably need to integrate it with your user management. If Keycloak isn’t the authN, then to perform PDP on behalf of the user you need to obtain an access_token (from the service) (use “grant_type=urn:ietf:params:oauth:grant-type:token-exchange”) and then call /auth/realms/<my_realm>/protocol/openid-connect/token with “grant_type=urn:ietf:params:oauth:grant-type:uma-ticket” (look for it in the documentation to get more options).
You’ll need to think about whether or not you keep resource registration in Keycloak. One way is passing object info as part of the extra claims on each permission evaluation; then you can extract this info in your policies (rules) and perform the logic. But to me it looks more like a workaround and adds some extra work on your service: it has to retrieve the resource attributes prior to calling the PDP. Another drawback of this approach is that you can’t support “user can manage its own resources” (think gDoc sharing use-cases). On the other hand, if you don’t need the resource duplication, try doing that.
Also, check OPA: if you can pass the triplet and are just interested in policy evaluation (stateless approach), OPA might satisfy your requirements.
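The two-step flow described in this post, as an added example (not code from the poster or from Keycloak): the gateway exchanges its service token for one representing the LDAP subject, then asks the token endpoint for a yes/no decision with the object's attributes passed as extra claims. The realm, host, client and attribute names are assumed placeholders; a real deployment would POST the returned fields form-encoded to TOKEN_ENDPOINT.

```python
import base64
import json

# Assumed values (constructed for this example, not taken from the thread).
KEYCLOAK_BASE = "https://keycloak.example.internal"
REALM = "my_realm"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/token"

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
JWT_CLAIM_TOKEN_FORMAT = "urn:ietf:params:oauth:token-type:jwt"


def token_exchange_fields(client_id, client_secret, service_token, subject):
    """Step 1 (token-exchange grant): the gateway presents its own service token and
    asks for a token that represents `subject`. Keycloak must already know that user,
    which is the user-management integration the post warns about."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": service_token,
        "requested_subject": subject,
    }


def encode_claim_token(claims):
    """Keycloak reads claim_token as base64-encoded JSON; values are lists of strings."""
    return base64.b64encode(json.dumps(claims).encode()).decode()


def uma_decision_request(subject_token, resource_server, action, obj, attrs):
    """Step 2 (uma-ticket grant): may the subject perform `action` on `obj`?
    Object attributes ride along as extra claims so policies can evaluate them
    without the object being registered as a resource. response_mode=decision
    asks Keycloak for a plain yes/no instead of an RPT."""
    headers = {"Authorization": f"Bearer {subject_token}"}
    fields = {
        "grant_type": UMA_TICKET_GRANT,
        "audience": resource_server,      # client that owns the resources and policies
        "permission": f"{obj}#{action}",  # resource#scope, e.g. address#view
        "claim_token": encode_claim_token(attrs),
        "claim_token_format": JWT_CLAIM_TOKEN_FORMAT,
        "response_mode": "decision",
    }
    return headers, fields


def parse_decision(status, body):
    """Fail closed: only HTTP 200 with an explicit {"result": true} is a permit.
    A deny arrives as HTTP 403 with error=access_denied; anything else is deny."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):
        return False
```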

Thank you bmjc for your thoughts!
Thank you dginzbourg for technical insight!

We decided not to try to make a PDP from Keycloak. After some evaluation, the limiting factor was the fact that Keycloak can only decide yes/no on a policy request, but further auditing of policies is something that had to be implemented.

So we switched to products that do “External Authorization Service” or “Dynamic Authorization Management”, like PlainID, NextLabs, Axiomatics (paid proprietary software). If you have a tip for open-source software that implements XACML or NGAC, I would be grateful.

Have a nice day, Petr

Hi, I am also interested in this subject. The documentation mainly describes the usage of Keycloak’s authz service as the PDP/PIP… BUT is there a way to use an external AuthZ PDP/PIP (such as Axiomatics etc.) with Keycloak acting as a PEP?

So Keycloak is the PEP creating XACML authorization decision requests and sending those to an external authorization service, where the policy is verified against the provided attributes, returning a permit/deny (in an XACML authorization decision response) back to the PEP/Keycloak, and Keycloak enforcing the decision?

thx reg koen

AN. IDP. IS. NEVER. THE. PEP!
We had this several times here in various threads. Last time not a week ago here: Role Policy configuration - #4 by dasniko

thanks but you don’t understand my question; the topic should actually be called “keycloak as client from an external authorization service”…

again: can Keycloak (technically) act as a PEP, externalizing its authorization decisions towards a real ABAC-based authz engine? Like Axiomatics or an NGAC-based engine.

I would rather see this being invoked from the SP, not the IdP. So can the Keycloak SP act as PEP, generate XACML auth decision requests (2 or 3, JSON or XML), consume the reply and enforce within the SP (letting the user pass or not..)?

And also on IdP same scenario potentially.

There are situations where a customer has a central ABAC authorization service that you want to make use of.

thx

diagram below … the PDP/PIP being an external ABAC-based authorization solution like Axiomatics etc. and the SP being Keycloak in front of some app

When reporting an issue, it is important to explain which standard you are implementing. A diagram on paper that only shows PEP, PIP, and PDP does not say much by itself. Technically, almost anything is possible, but we usually recommend following open standards, or at least proposed standards.

I recommend reviewing the latest standards, since no one is really talking about XACML anymore. Nowadays, if you want to use Keycloak as an Authorization Server, you must implement UMA (User-Managed Access). You can review that standard to better understand and clarify the concepts, but that’s when you end up relying on Keycloak policies, resources, permissions, and so on. That said, my two cents are that the standard has very limited adoption, so I generally do not recommend it.

If you want to expose an API protected by OAuth, acting as a Resource Server (RS) and using scopes or identity claims in your authz policies, the API can act as both PDP and PEP, or you can use an API Gateway or an authorization sidecar that acts as the PEP.

If you want to externalize and standardize authorization, I recommend reading the OpenID AuthZEN specifications [1].
Nowadays, it is hard to find a single PEP, since you usually have multiple PEPs for coarse-grained (CGA) and fine-grained (FGA) authorization. At the same time, you can have multiple authorization models, PBAC, ReBAC, ABAC, RBAC, etc. It all depends on the authorization and business requirements.

Finally, I also recommend reading Dasniko’s post. I am oversimplifying my answer here, since authorization is a hard problem to solve (I’ve written a couple of articles on these topics as well, if you want to review them [2]).

[1] AuthZEN Working Group - OpenID Foundation
[2] https://embesozzi.medium.com/


thanks, my question was just if Keycloak (technically) can act as PEP (mainly SP, or IdP in case of SAML), sending XACML formatted (or whatever other format) requests, as JSON or XML, to an external ABAC authorization service which understands that format (Axiomatics XACML or NGAC tbd, but that does not really matter) and consuming and enforcing the reply.

As you said anything is possible, so I guess the answer is yes.

Will have a look at the AuthZEN docs (a quick look already also showed XACML ADRQ/ADREs)