Keycloak affirmative decision strategy with multiple resource authorizations

Question   Votes: 0   Answers: 1

I am using Keycloak to manage authorization for my Spring Boot application.
I configured some resources that can only be accessed by certain users.
This works great!
Now I want to allow admins to access all resources.

Here is an overview of my Keycloak configuration.

**Authorization - Settings**
Decision strategy: Affirmative

**Authorization - Resources**      
name: all comments
URIs: /api/comments/*
Authorization scopes: GET

name: first comment
URIs: /api/comments/1
Authorization scopes: GET

**Authorization - Scopes**  
name: GET

**Authorization - Policies**      
[role policy]
Name: admin
Roles: admin

[user policy]  
Name: fubar
Users: fubar

**Authorization - Permissions**  
[Scope based]  
Name: admin_can_read_all_comments
Resources: all comments
Authorization scopes: GET
Policies: admin

[Scope based]      
Name: fubar_can_read_first_comment
Resources: first comments
Authorization scopes: GET
Policies: fubar

I expected both fubar and admin to be able to GET /api/comments/1,
but in practice, when the admin tries to GET /api/comments/1, he gets a 403.
Is this the expected behaviour?

keycloak

1 Answer

Votes: 0

This can be done as follows:

fubar_policy: assign roles for the my-client admin role and the my-client fubar role.

admin_policy: assign roles only for the my-client admin role.

[Screenshot: client roles]

[Screenshot: assigning roles to the user]

[Screenshot: resource settings]

[Screenshot: scope and permission settings]

[Screenshot: mapping policies and permissions]

Result:

admin is allowed both resources.

fubar is allowed only first_comment.

Evaluate API

{Keycloak URL}/admin/realms/my-realm/clients/{client id}/authz/resource-server/policy/evaluate

Payload

```json
{
  "roleIds": [],
  "userId": "{user uuid}",
  "resources": [
    {
      "name": "first_comment",
      "owner": {
        "id": "{client id}",
        "name": "{client name}"
      },
      "ownerManagedAccess": false,
      "displayName": "{display resource name}",
      "attributes": {},
      "_id": "{resource id}",
      "uris": ["/api/comments/1"],
      "scopes": [
        {
          "id": "{scope id}",
          "name": "GET",
          "iconUri": ""
        }
      ],
      "icon_uri": ""
    }
  ],
  "entitlements": false,
  "context": { "attributes": {} }
}
```

Example response

```json
{
    "results": [
        {
            "resource": {
                "name": "first_comment with scopes [GET]",
                "_id": "d8d416f3-c4eb-4157-a038-2828f279ae90"
            },
            "scopes": [
                {
                    "id": "97406598-494a-47c4-bcdb-ff763d18717a",
                    "name": "GET"
                }
            ],
            "policies": [
                {
                    "policy": {
                        "id": "33b2fe31-293f-4029-8e7d-25d4dd15f853",
                        "name": "fubar_can_read_first_comment",
                        "description": "",
                        "type": "scope",
                        "resources": [
                            "first_comment"
                        ],
                        "scopes": [
                            "GET"
                        ],
                        "logic": "POSITIVE",
                        "decisionStrategy": "AFFIRMATIVE",
                        "config": {}
                    },
                    "status": "PERMIT",
                    "associatedPolicies": [
                        {
                            "policy": {
                                "id": "90413ad9-6db7-49fa-889f-c408d3f6db63",
                                "name": "fubar_policy",
                                "description": "",
                                "type": "role",
                                "resources": [],
                                "scopes": [],
                                "logic": "POSITIVE",
                                "decisionStrategy": "UNANIMOUS",
                                "config": {}
                            },
                            "status": "PERMIT",
                            "associatedPolicies": [],
                            "scopes": []
                        }
                    ],
                    "scopes": []
                }
            ],
            "status": "PERMIT",
            "allowedScopes": [
                {
                    "id": "97406598-494a-47c4-bcdb-ff763d18717a",
                    "name": "GET"
                }
            ]
        }
    ],
    "entitlements": false,
    "status": "PERMIT",
    "rpt": {
        "exp": 1710303168,
        "iat": 1710302868,
        "jti": "5c9dd6b4-2adc-42e4-bf91-00268a25a369",
        "aud": "my-client",
        "sub": "fe955869-c533-4433-b947-e9d91f00217a",
        "typ": "Bearer",
        "azp": "my-client",
        "session_state": "31e60b44-3c4b-4b6c-b06c-c8d215040ec3",
        "acr": "1",
        "allowed-origins": [
            "http://localhost:8180/api/*"
        ],
        "realm_access": {
            "roles": [
                "offline_access",
                "uma_authorization",
                "default-roles-my-realm"
            ]
        },
        "resource_access": {
            "my-client": {
                "roles": [
                    "fubar"
                ]
            },
            "account": {
                "roles": [
                    "manage-account",
                    "manage-account-links",
                    "view-profile"
                ]
            }
        },
        "authorization": {
            "permissions": [
                {
                    "scopes": [
                        "GET"
                    ],
                    "rsid": "d8d416f3-c4eb-4157-a038-2828f279ae90",
                    "rsname": "first_comment"
                }
            ]
        },
        "scope": "email profile",
        "sid": "31e60b44-3c4b-4b6c-b06c-c8d215040ec3",
        "email_verified": true,
        "preferred_username": "fubar",
        "email": "[email protected]"
    }
}
```

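The behaviour in the question (admin gets 403 on /api/comments/1 although a permission on "all comments" grants admin GET) and the fix in the answer (make the policy that guards first_comment accept the admin role as well) are illustrated by the following Python model. It is an added example, not part of the original question or answer and not Keycloak's own code. It assumes that the policy enforcer resolves a request path to the single most specific resource (an exact URI beats a wildcard pattern) and that the resource server's AFFIRMATIVE strategy only takes votes from permissions bound to that resolved resource; the names Principal, match_resource, decide and the admin user "alice" are constructed for this example.

```python
"""Simplified model of Keycloak resource-server decisions (added illustration,
not Keycloak code). Shows why 'admin' is denied on /api/comments/1 under the
question's configuration and allowed under the answer's fix."""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Principal:
    username: str
    roles: set[str]


@dataclass
class Resource:
    name: str
    uris: list[str]
    scopes: set[str]


@dataclass
class UserPolicy:          # the question's "user policy" (Users: fubar)
    name: str
    users: set[str]

    def evaluate(self, who: Principal) -> bool:
        return who.username in self.users


@dataclass
class RolePolicy:          # the question's "role policy" (Roles: admin)
    name: str
    roles: set[str]

    def evaluate(self, who: Principal) -> bool:
        return bool(self.roles & who.roles)


@dataclass
class ScopePermission:
    name: str
    resource: str          # the one resource this permission is bound to
    scopes: set[str]
    policies: list         # UserPolicy | RolePolicy

    def evaluate(self, who: Principal) -> bool:
        # A permission's own default decision strategy is UNANIMOUS over its policies.
        return all(p.evaluate(who) for p in self.policies)


def match_resource(resources: list[Resource], path: str) -> Resource | None:
    """Resolve a path to one resource: exact URI beats wildcard, longest
    wildcard beats shorter ones (assumed enforcer behaviour)."""
    best, best_score = None, -1
    for res in resources:
        for uri in res.uris:
            if uri == path:
                score = 10_000
            elif fnmatchcase(path, uri):
                score = len(uri)
            else:
                continue
            if score > best_score:
                best, best_score = res, score
    return best


def decide(resources, permissions, who, method, path, strategy="AFFIRMATIVE") -> int:
    """Return 200 if access is granted, 403 otherwise."""
    resource = match_resource(resources, path)
    if resource is None or method not in resource.scopes:
        return 403
    # Only permissions bound to the resolved resource and requested scope vote.
    applicable = [p for p in permissions if p.resource == resource.name and method in p.scopes]
    if not applicable:
        return 403                      # no permission at all: deny by default
    votes = [p.evaluate(who) for p in applicable]
    if strategy == "AFFIRMATIVE":
        granted = any(votes)
    elif strategy == "UNANIMOUS":
        granted = all(votes)
    else:                               # CONSENSUS
        granted = votes.count(True) > votes.count(False)
    return 200 if granted else 403


# Constructed from the question's resource configuration.
RESOURCES = [
    Resource("all comments", ["/api/comments/*"], {"GET"}),
    Resource("first comment", ["/api/comments/1"], {"GET"}),
]


def permissions_from_question() -> list[ScopePermission]:
    return [
        ScopePermission("admin_can_read_all_comments", "all comments", {"GET"},
                        [RolePolicy("admin", {"admin"})]),
        ScopePermission("fubar_can_read_first_comment", "first comment", {"GET"},
                        [UserPolicy("fubar", {"fubar"})]),
    ]


def permissions_from_answer() -> list[ScopePermission]:
    # The answer's fix: the policy guarding first_comment accepts the admin role too.
    return [
        ScopePermission("admin_can_read_all_comments", "all comments", {"GET"},
                        [RolePolicy("admin_policy", {"admin"})]),
        ScopePermission("fubar_can_read_first_comment", "first comment", {"GET"},
                        [RolePolicy("fubar_policy", {"fubar", "admin"})]),
    ]


if __name__ == "__main__":
    admin, fubar = Principal("alice", {"admin"}), Principal("fubar", {"fubar"})
    for label, perms in (("question", permissions_from_question()), ("answer", permissions_from_answer())):
        for who in (admin, fubar):
            for path in ("/api/comments/1", "/api/comments/2"):
                print(f"{label:8} {who.username:6} GET {path} -> {decide(RESOURCES, perms, who, 'GET', path)}")
```

Running the script prints the decision table: under the question's configuration the request for /api/comments/1 resolves to the resource "first comment", whose only permission carries the fubar user policy, so the admin's permission on "all comments" never votes and AFFIRMATIVE has nothing to affirm. The answer's fix moves the admin role into the policy attached to first_comment, so that resource's own permission now permits the admin.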