ABAC with keycloak - Using Resource attributes in policy

Asked 24/10, 2016 at 12:42 Answered 15/10, 2018 at 14:15

What I am trying to achieve

Protect a resource in Keycloak with policy like:

if (resource.status == 'draft') $evaluation.grant(); 
else $evaluation.deny();

Going by their official documents and mailing list responses, it seems attribute based access control is possible, however, I could not find a way of getting it to work.

What I have tried

Using Authorization Services: I was unable to figure out where and how I can inject the attributes from the resource instance.
Using Authorization Context: I was hoping to get the policies associated with a resource and a scope so that I could evaluate them my self.

So far, I have managed to get no where with both approaches. To be honest, I have been overwhelmed by the terminology used in the Authorization services.

Question How can I use attributes of a resource instance while defining a policy in keycloak?

Fiesole answered 24/10, 2016 at 12:42 Comment(2)

It looks like this is coming in Keycloak version 4. Already available in 4.0.0.Beta1 (see issues.jboss.org/browse/KEYCLOAK-6529). I did not try it out myself though – Romanov 19/4, 2018 at 21:47

Hey, it is an 18 version is up there, but I still don't see the attribute based policy, am I missing something? – Zebedee 11/6, 2022 at 9:59

I solved this problem in Keycloak 4.3 by creating a JavaScript policy because Attribute policies don't exist (yet). Here is an example of the code I got working (note that the attribute values are a list, so you have to compare against the first item in the list):

var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();

if (attributes.status !== null && attributes.status[0] == "draft") {
    $evaluation.grant();
} else {
    $evaluation.deny();
}

Stenson answered 15/10, 2018 at 14:15 Comment(3)

Could you please clarify where does the status attribute value come from? Is it an attribute that is somehow set by the client or backend that requests access to it? If so, how can you forward this kind of information from the client / backend as a resource attribute? – Noumenon 4/4, 2019 at 14:15

Hi Dave, I knows it is old but I am also facing the same question. How did you get the status attribute? – Sherrilsherrill 20/6, 2020 at 18:47

The resource attribute could be defined during resource definition, either done manually or through the resource API by the resource owner. In this approach the resource should actually represent an instance of your business object rather than its type (and probably use the keycloak's resource type attribute for generic type-level permissions if required), of course you'll need also to keep any custom resource attributes in-sync with any changes from their source of truth (i.e. resource owner). See keycloak.org/docs/latest/authorization_services/… – Clementius 30/8, 2021 at 13:6

Currently there is no way to do what you are looking to do. ResourceRepresentation class only has (id, name, uri, type, iconUri, owner) fields. So you can use owner to determine ownership per Keycloak example. I've seen a thread that talks about adding additional resource attributes, but haven't seen a Keycloak JIRA for it.

Perhaps you could use Contextual Attributes in some way by setting what you need at runtime and writing a Policy around it.

var context = $evaluation.getContext();
var attributes = context.getAttributes();
var fooValue = attributes.getValue("fooAttribute");

if (fooValue.equals("something")) 
{
   $evaluation.grant();
}

Illuviation answered 26/6, 2017 at 17:54 Comment(1)

Could you detail how to set Contextual Attributes at runtime? I don't find a parameter to set it at keycloak.org/docs/latest/authorization_services/… – Literacy 14/10, 2019 at 8:6

Recommended topics

Hot tags