I am using Keycloak to manage authorization for my Spring Boot application.
I have configured some resources that can only be accessed by certain users.
That works great!
Now I want to allow administrators to access all resources.
Here is an overview of my Keycloak configuration.
**Authorization - Settings**
Decision strategy: Affirmative
**Authorization - Resources**
name: all comments
URIs: /api/comments/*
Authorization scopes: GET
name: first comment
URIs: /api/comments/1
Authorization scopes: GET
**Authorization - Scopes**
name: GET
**Authorization - Policies**
[role policy]
Name: admin
Roles: admin
[user policy]
Name: fubar
Users: fubar
**Authorization - Permissions**
[Scope based]
Name: admin_can_read_all_comments
Resources: all comments
Authorization scopes: GET
Policies: admin
[Scope based]
Name: fubar_can_read_first_comment
Resources: first comments
Authorization scopes: GET
Policies: fubar
I expect both fubar and admin to be able to GET /api/comments/1,
but in fact, when the admin tries to GET /api/comments/1, he gets a 403.
Is this the expected behaviour?
The fubar_policy can do this by assigning both the my-client admin role and the my-client fubar role. The admin_policy assigns only the my-client admin role. admin is then allowed both resources, while fubar is allowed only first_comment.
`{Keycloak URL}/admin/realms/my-realm/clients/{client id}/authz/resource-server/policy/evaluate`
Payload
```json
{
  "roleIds": [],
  "userId": "{user uuid}",
  "resources": [
    {
      "name": "first_comment",
      "owner": {
        "id": "{client id}",
        "name": "{client name}"
      },
      "ownerManagedAccess": false,
      "displayName": "{display resource name}",
      "attributes": {},
      "_id": "{resource id}",
      "uris": ["/api/comments/1"],
      "scopes": [
        {
          "id": "{scope id}",
          "name": "GET",
          "iconUri": ""
        }
      ],
      "icon_uri": ""
    }
  ],
  "entitlements": false,
  "context": { "attributes": {} }
}
```
Sample response
```json
{
  "results": [
    {
      "resource": {
        "name": "first_comment with scopes [GET]",
        "_id": "d8d416f3-c4eb-4157-a038-2828f279ae90"
      },
      "scopes": [
        {
          "id": "97406598-494a-47c4-bcdb-ff763d18717a",
          "name": "GET"
        }
      ],
      "policies": [
        {
          "policy": {
            "id": "33b2fe31-293f-4029-8e7d-25d4dd15f853",
            "name": "fubar_can_read_first_comment",
            "description": "",
            "type": "scope",
            "resources": ["first_comment"],
            "scopes": ["GET"],
            "logic": "POSITIVE",
            "decisionStrategy": "AFFIRMATIVE",
            "config": {}
          },
          "status": "PERMIT",
          "associatedPolicies": [
            {
              "policy": {
                "id": "90413ad9-6db7-49fa-889f-c408d3f6db63",
                "name": "fubar_policy",
                "description": "",
                "type": "role",
                "resources": [],
                "scopes": [],
                "logic": "POSITIVE",
                "decisionStrategy": "UNANIMOUS",
                "config": {}
              },
              "status": "PERMIT",
              "associatedPolicies": [],
              "scopes": []
            }
          ],
          "scopes": []
        }
      ],
      "status": "PERMIT",
      "allowedScopes": [
        {
          "id": "97406598-494a-47c4-bcdb-ff763d18717a",
          "name": "GET"
        }
      ]
    }
  ],
  "entitlements": false,
  "status": "PERMIT",
  "rpt": {
    "exp": 1710303168,
    "iat": 1710302868,
    "jti": "5c9dd6b4-2adc-42e4-bf91-00268a25a369",
    "aud": "my-client",
    "sub": "fe955869-c533-4433-b947-e9d91f00217a",
    "typ": "Bearer",
    "azp": "my-client",
    "session_state": "31e60b44-3c4b-4b6c-b06c-c8d215040ec3",
    "acr": "1",
    "allowed-origins": ["http://localhost:8180/api/*"],
    "realm_access": {
      "roles": ["offline_access", "uma_authorization", "default-roles-my-realm"]
    },
    "resource_access": {
      "my-client": { "roles": ["fubar"] },
      "account": { "roles": ["manage-account", "manage-account-links", "view-profile"] }
    },
    "authorization": {
      "permissions": [
        {
          "scopes": ["GET"],
          "rsid": "d8d416f3-c4eb-4157-a038-2828f279ae90",
          "rsname": "first_comment"
        }
      ]
    },
    "scope": "email profile",
    "sid": "31e60b44-3c4b-4b6c-b06c-c8d215040ec3",
    "email_verified": true,
    "preferred_username": "fubar",
    "email": "[email protected]"
  }
}
```
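The following is an added example, not code from the question, the answer or Keycloak itself: a small model of the evaluation the question and answer describe, showing why the resource-server "Affirmative" strategy does not help admin on GET /api/comments/1 (that path maps only to the "first comment" resource, whose single permission uses the fubar policy) and how the answer's fix (listing the admin role in fubar_policy) changes the outcome. It assumes the policy enforcer prefers an exact URI over a wildcard one, that a role policy permits a subject holding any one of its roles (none marked required), and uses constructed subjects `alice` (admin) and `fubar`.

```python
from fnmatch import fnmatch

# Resources from the question: resource name -> URI pattern.
RESOURCES = {"all comments": "/api/comments/*", "first comment": "/api/comments/1"}

def role_policy(roles):
    """Role policy: PERMIT when the subject holds any listed role (assumes none is 'required')."""
    return lambda subject: bool(set(roles) & set(subject["roles"]))

def user_policy(users):
    """User policy: PERMIT when the subject is one of the listed users."""
    return lambda subject: subject["user"] in users

def matching_resource(path):
    """Resource whose URI matches the path; exact URI beats wildcard (assumption about the enforcer)."""
    hits = [name for name, uri in RESOURCES.items() if fnmatch(path, uri)]
    return max(hits, key=lambda n: ("*" not in RESOURCES[n], len(RESOURCES[n]))) if hits else None

def evaluate(permissions, policies, subject, path, scope, strategy="AFFIRMATIVE"):
    """True if a permission on the matched resource grants the scope under the decision strategy."""
    resource = matching_resource(path)
    votes = [policies[p](subject)
             for perm in permissions
             if perm["resource"] == resource and scope in perm["scopes"]
             for p in perm["policies"]]
    if not votes:
        return False  # no permission covers this resource/scope -> 403
    return any(votes) if strategy == "AFFIRMATIVE" else all(votes)

PERMISSIONS = [
    {"name": "admin_can_read_all_comments", "resource": "all comments", "scopes": ["GET"], "policies": ["admin"]},
    {"name": "fubar_can_read_first_comment", "resource": "first comment", "scopes": ["GET"], "policies": ["fubar"]},
]
# Policies as the question lists them: a role policy for admin, a user policy for fubar.
ORIGINAL = {"admin": role_policy(["admin"]), "fubar": user_policy(["fubar"])}
# The answer's fix: fubar_policy is a role policy listing both the admin and fubar client roles.
FIXED = {"admin": role_policy(["admin"]), "fubar": role_policy(["admin", "fubar"])}

ADMIN = {"user": "alice", "roles": ["admin"]}   # constructed subjects
FUBAR = {"user": "fubar", "roles": ["fubar"]}

if __name__ == "__main__":
    for label, policies in (("original", ORIGINAL), ("fixed", FIXED)):
        for who in (ADMIN, FUBAR):
            ok = evaluate(PERMISSIONS, policies, who, "/api/comments/1", "GET")
            print(f"{label}: {who['user']} GET /api/comments/1 -> {'PERMIT' if ok else 'DENY (403)'}")
```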