Google now has Incremental Authorization similar to Facebook
https://developers.google.com/accounts/docs/OAuth2WebServer#incrementalAuth
So one can incrementally authorize resources (Calendar/Contacts)
However while revoking access, there doesn't seem to be a way for user to remove access for selected resource (e.g. revoke access only for Calendar)
As per https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke, revoke removes access to all resources.
Is there a way to selectively revoke access? I see that Incremental Authorization support was added in Dec 2013. Is there a plan to support selective revoke ?
At this point there is no way to revoke access to a subset of scopes.
If a user feels the need to revoke some scopes, the best is to revoke the whole application and then grant again limited scopes (if the user still trusts the application/developer).
No comment on the plan.
Related
I'm quite new to the entire auth design and am still trying to understand how to use keycloak for authentication and authorisation.
Currently from what I understand in order to have authorisation enabled for a client you will need to have it in confidential.
After which I am kind of stuck in terms of how to set which policy for which permission.
I have a few types resources but currently placing them all under a single client for simplicity sake.
For my use case I have a workspace for users. So each workspace can have multiple users with different roles of owner,editor,viewer. And within the workspace there are artifacts. So it is some what like designing an authorisation for Google drive.
Would like some advice on how best to design it.
One way I have thought of is using groups and each workspace is a group. Using it to assign users to each group as a way to use the group policy for permission.
The other is really by creating multiple policy and permission for each artifact/resource and adding user to each policy for each workspace.
Would like any advice on authorisation design or even where to begin reading.
After some research I have come to these conclusion.
Yes these can be done by keycloak though most likely shouldn't be done in keycloak itself for its design.
Keycloak itself will most likely be more suitable in terms of authenticating/authorising on services or infra level. So this use case of having user be able to access workspaces or artifacts will be better done in application level having a separated service to handle the permission itself.
That being said if it really needs to be done in keycloak the design that I thought of that is not so scalable is as follow.
Create a policy/user and each workspace/artifact as a single resource. Depending on how many types of access/fine grain control is needed for each type of resource create the scope for each (e.g workspace:view, workspace:edit...). Then create a permission for each resource&scope. This allows fine grain access of basically assigning user to permission of each resource through the user policy.
But of course this design has its flaws of the need of too many policies, permissions and resources so it is better to have keycloak just handle the authentication part and authorisation is just giving users the role to be able to access a service and through the service check if the user is authorised for a certain action.
Let's say I'm using one realm mycomp in Keycloak to handle all users (+ master realm for Keycloak superadmin).
I'm have role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating composite role for CS
by creating group with and adding there CS
The problem is that giving manage-users rights CS end up being able to manage roles and groups so it is able to grant other users management permissions. Thats not valid for my config - it is a role of some higher level admin.
How to grant some users permissions to view and manage basic user data without allowing them to manage roles?
So in the end of the day I finally managed to find an working solution.
Problem was that Role manage-users cant be overriten by Policy.
With help of Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to setup configuration that fullfills the usecase.
With Keycloak preview feature admin_fine_grained_authz enabled I created global composite Role user-managers and granted it query-users Role from realm-management client. Then I created Policy that grants manage permission on Users resource when user has user-manager role.
That works perfectly
I have generated (manually through the web UI) multiple access tokens during testing, and all seem valid. I have probably also generated some and not actually noted them down anywhere.
How do I:
a) list access tokens
b) remove/revoke unneeded access tokens
I have looked here: www.dropbox.com/account/security and I can see my app listed, but there is no mention of access tokens. I do not want to remove the entire app, just some of the access tokens for it.
The app in question has "App folder" access, which means that it can only access one particular folder (and children).
Note: When I say "all seem valid" - I mean that each token can successfully be used to perform actions on the specific app folder at play.
As per the Dropbox forum:
a) The Dropbox web site/API don't offer a way to list individual
access tokens.
b) There are several ways to revoke access tokens.
The user can revoke all access tokens for an app via the account
security page by clicking the 'x' at the right of the app's row. This
will revoke all access tokens for that app-user pair though, and
doesn't offer a way to revoke specific/individual ones.
If the app
uses the "app folder" permission, the user can delete the app folder
itself, which will cause any further API calls for that app-user pair
to fail.
The app can revoke individual access tokens using the
/2/auth/token/revoke API endpoint. That will revoke only the
individual access token used to make the call itself. You can use it
multiple times to revoke any/all access tokens you have.
https://www.dropboxforum.com/t5/API-support/How-to-revoke-an-access-token-Other-answers-suggest-security/m-p/218788/highlight/false#M11497
I am trying to build a pure JavaScript rest-client application that must support anonymous retrieval of information from a REST server that already supports JWT for authentication/authorization for external applications. The server is already being used by other client applications supporting multi-tenancy. Actually embedding the tenant information in the JWT.
Besides that the application needs to support users(human beings) that will want to mark(or select) some resources as favorites so a mechanism is needed for users/role creation and further authentication/authorization for the users. But these users can't be isolated to a single tenant, they will want to use across tenant resources.
So, right now I found that I need to use a JWT value for the anonymous data retrieval that of course should be tenant-agnostic. This means that I have to create an user with a special role that just have permissions for read only resources, except for the permissions for user creation (when the clients do sign up) again this should be tenant-agnostic. And when the user log-in into the system the JWT should be replaced for the one that have the user credentials again tenant agnostic. I am not sure if this is entirely correct, so how should we handle a situation like this ?
My other concern is, that we have the same back-end supporting authentication and credentials storage for human clients (tenant-agnostic) and application clients (tenant-aware), so there is logic that is a little bit more complicated in order to handle the privileges and tenant restrictions here. This could be just my impression but I feel that there should be a separation between application users and human users in the logic and/or data store.
But I am not completely sure and I want to know if some of you have previous experience or could have some ideas about this topic ?
Can you try the following approach, Create the users, assign the users with a read-only role for the tenants to which they need access to.
The data would be like
User1 - tenant1 - administrative role
User1 - tenant2 - data reader role
User1 - tenant 3 - user role
In the jwt, we ensure that the user is authorized. Then we get the list of accessible tenants and see if he has access to the requested tenant data w.r.to the above data and then complete the authorization.
HTH
I would like users of my application to be able to create Roles dynamically and assign permissions to this roles.
Therefor Roles model is not going to be hardcoded.
Though, Permissions, as far as I understand do have to be hard-coded (because I'm going to hardcode theirs checks in application logic)
The best way I see is to keep Roles in database and create them on the fly and assign \ un-assign permissions.
And Permissions should be kept in an array (or hash, or associative array) and should be changed only by developer and require server restart.
Everything seems to be fine, but I would like to read about some best practices of permission based authorization (I can find a lot about Rolebased authorization, not Permission based) and about any possible disadvantages.
Also, I can't yet find the best way to manage "levels" of permissions.
For example, I have permissions called: "Act As Admin", "Manage Users", "Create/Read/Update/Delete User"
I would like to let Role with permission of "Act As Admin" to do everything (manager users, CRUD users etc).
Role with permission of "Manage Users" - automatically can CRUD users.
This approach is better because it won't require one to check a lot of "OR" conditions (can act as adminm, or can manage users, or can CRUD user...)
But how should I keep Permissions hash (array etc) in memory for this purposes?
I suppose, this question is language / framework / etc agnostic so I won't add such tags