Hello All,
I am having a hard time figuring out how to set up Keycloak to do what I need it to do and, as I have not found any resources online that have been of help on this subject, I am hoping someone in here might be able to steer me in the right direction. It might just be my limited understanding of how resources, policies, permissions, scopes, etc., all work together.
The short version is that I need to be able to programmatically/dynamically create resources, of a pre-defined type, and then assign permissions to a user such that they have one set of permissions on one of those resources and a different set of permissions on a different resource (both of the same type). For example they may have “read” permissions to ResourceA and read/write on ResourceB. I’m not understanding how I can do this with roles, without also dynamically creating roles that mirror the resource, or perhaps assigning the permission directly to the user which seems heavy-handed.
Hopefully that makes sense…
Thank You,
– Chris
Hello,
In the API Authorization scenario, there are different approaches for protecting an API. Here are some high-level examples:
- Use Keycloak as IdP with OAuth 2.0 and Scopes:
  In this case, the API relies on the scopes defined in the Access Token to determine access control. For example, you can use scopes like "read:document" or "write:document" to specify the level of access. However, keep in mind that these scopes represent the permissions of the application on behalf of the user.
- Use Keycloak as IdP with OAuth 2.0 and Identity Claims:
  You can include the user's Keycloak roles in the JWT (JSON Web Token) or as part of the user info endpoint call to avoid overloading the JWT. Then the API could use them to do the policy enforcement. Here is an example demonstrating this approach:
- Use Keycloak as Authorization Server with User-Managed Access (UMA):
  In this case, Keycloak acts as the Policy Decision Point (PDP) where you define authorization rules, policies, and resources. Here are some helpful links regarding this approach:
There are a lot of demos available:
Regards,
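As an added example (not code from the original thread or from the Keycloak project), the following Python shows what the API side of each of the three approaches in the reply looks like once the token has been decoded: checking the space-separated `scope` claim, checking realm roles in `realm_access` and client roles in `resource_access`, and checking the per-resource permissions that Keycloak places in `authorization.permissions` of an RPT (each entry carrying `rsid`, `rsname` and `scopes`). The last of these is what answers the original question: the same user holds `read` on ResourceA and `read`/`write` on ResourceB without any resource-specific roles. The issuer URL, client id `document-api`, resource ids and the whole sample payload are constructed for illustration, and the code assumes the JWT signature has already been verified against the realm's JWKS before the claims are trusted.

```python
import time
from typing import Any, Mapping, Optional

# Assumed values for this example: the realm's issuer URL and the API's client id.
EXPECTED_ISSUER = "https://keycloak.example.com/realms/demo"
EXPECTED_AUDIENCE = "document-api"

# Constructed sample: the decoded payload of a Keycloak-issued token that also
# carries UMA permissions (an RPT). Resource ids and names are made up.
SAMPLE_CLAIMS: dict = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "exp": 4102444800,  # 2100-01-01, so the sample does not expire
    "scope": "openid read:document",
    "realm_access": {"roles": ["editor"]},
    "resource_access": {"document-api": {"roles": ["viewer"]}},
    "authorization": {
        "permissions": [
            {"rsid": "0f1e2d3c-0000-4000-8000-00000000000a",
             "rsname": "ResourceA", "scopes": ["read"]},
            {"rsid": "0f1e2d3c-0000-4000-8000-00000000000b",
             "rsname": "ResourceB", "scopes": ["read", "write"]},
        ]
    },
}


def basic_checks(claims: Mapping[str, Any], issuer: str = EXPECTED_ISSUER,
                 audience: str = EXPECTED_AUDIENCE,
                 now: Optional[float] = None) -> bool:
    """Issuer, audience and expiry checks. Signature verification is assumed
    to have happened already (e.g. with PyJWT against the realm JWKS)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # 'aud' may be a string or a list
        aud = [aud]
    if audience not in aud:
        return False
    return float(claims.get("exp", 0)) > now


def has_scope(claims: Mapping[str, Any], scope: str) -> bool:
    """Approach 1: OAuth 2.0 scopes from the space-separated 'scope' claim.
    These describe what the client may do on the user's behalf, not the
    user's own per-resource rights."""
    return scope in claims.get("scope", "").split()


def has_role(claims: Mapping[str, Any], role: str,
             client: Optional[str] = None) -> bool:
    """Approach 2: identity claims. Realm roles live under realm_access.roles,
    client roles under resource_access.<client>.roles."""
    if client is None:
        roles = claims.get("realm_access", {}).get("roles", [])
    else:
        roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    return role in roles


def rpt_permits(claims: Mapping[str, Any], resource: str, scope: str) -> bool:
    """Approach 3: UMA. Keycloak's RPT lists granted permissions under
    authorization.permissions, one entry per resource (matched here by
    rsname or rsid). Fail closed: an entry without an explicit scope list
    never satisfies a scope-specific check in this example."""
    for perm in claims.get("authorization", {}).get("permissions", []):
        if resource in (perm.get("rsname"), perm.get("rsid")):
            if scope in perm.get("scopes", []):
                return True
    return False


def authorize(claims: Mapping[str, Any], resource: str, action: str,
              now: Optional[float] = None) -> bool:
    """Decision for one API call: token sanity first, then the per-resource
    UMA permission. This is the check that gives one user 'read' on
    ResourceA and 'read'/'write' on ResourceB without resource-specific roles."""
    return basic_checks(claims, now=now) and rpt_permits(claims, resource, action)


if __name__ == "__main__":
    for res, act in [("ResourceA", "read"), ("ResourceA", "write"),
                     ("ResourceB", "write"), ("ResourceC", "read")]:
        print(f"{res} {act}: {'allow' if authorize(SAMPLE_CLAIMS, res, act) else 'deny'}")
```

`basic_checks` takes an explicit `now` so that expiry handling can be tested deterministically; in production the default of the current time is what you want. The permission lookup keys on `rsname` or `rsid` because both appear in the RPT and resources created dynamically through the protection API are most reliably referenced by id.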