Advanced authorization policies

Authorization Services and fine-grained policies

Keycloak Authorization Services

Keycloak provides a complete authorization system that goes beyond plain roles. It supports fine-grained policies, the UMA 2.0 standard and centralized policy enforcement.

Key concepts

  • Resource — What you protect (an API, a page, a file)
  • Scope — The actions possible on a resource (read, write, delete)
  • Policy — A rule that decides access (role-based, user-based, time-based, JavaScript)
  • Permission — The association of a resource + scope + policy

Enabling Authorization Services

# In the client configuration
Client > Settings > Authorization Enabled: ON

# This enables the "Authorization" tab with:
# - Resources
# - Scopes
# - Policies
# - Permissions

Defining resources

# Via the Admin API
POST /admin/realms/{realm}/clients/{id}/authz/resource-server/resource
{
  "name": "Document Confidentiel",
  "type": "document",
  "uris": ["/api/documents/*"],
  "scopes": [
    {"name": "read"},
    {"name": "write"},
    {"name": "delete"}
  ],
  "ownerManagedAccess": true
}

Policy types

# Role-based policy
{
  "type": "role",
  "name": "admin-only",
  "roles": [{"id": "admin", "required": true}]
}

# Time-based policy
# hour/hourEnd bound the time of day; notBefore/notOnOrAfter take absolute
# "yyyy-MM-dd HH:mm:ss" date-times; dayMonth/dayMonthEnd and month/monthEnd
# narrow the calendar window when set
{
  "type": "time",
  "name": "business-hours",
  "hour": "9",
  "hourEnd": "18"
}

# Aggregated policy (AND/OR)
{
  "type": "aggregate",
  "name": "admin-in-business-hours",
  "decisionStrategy": "UNANIMOUS",
  "policies": ["admin-only", "business-hours"]
}
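
To see how these representations are evaluated, here is a local simulation of Keycloak's decision logic, added as an example and not Keycloak's own code. It loads the three policies above plus an AFFIRMATIVE variant, `admin-or-business-hours`, which is an assumption added for contrast; it applies the required-role rule, the hour/hourEnd window and the decision strategies (UNANIMOUS, AFFIRMATIVE, CONSENSUS), and honours the `logic: NEGATIVE` flag a policy may carry. The `decide` helper, the identity dict and the timestamps are this example's own, and the inclusive hour bounds are this simulation's reading of the server's behaviour.

```python
from datetime import datetime

# Constructed policy set mirroring the Admin API representations above
# (admin-or-business-hours is an extra AFFIRMATIVE variant added for contrast).
POLICIES = {
    "admin-only": {
        "type": "role",
        "roles": [{"id": "admin", "required": True}],
    },
    "business-hours": {
        "type": "time",
        "hour": "9",
        "hourEnd": "18",
    },
    "admin-in-business-hours": {
        "type": "aggregate",
        "decisionStrategy": "UNANIMOUS",
        "policies": ["admin-only", "business-hours"],
    },
    "admin-or-business-hours": {
        "type": "aggregate",
        "decisionStrategy": "AFFIRMATIVE",
        "policies": ["admin-only", "business-hours"],
    },
}


def eval_role(policy, identity, now):
    """Deny if any 'required' role is missing; otherwise grant when the
    identity holds at least one of the listed roles."""
    held = set(identity["roles"])
    for role in policy["roles"]:
        if role.get("required") and role["id"] not in held:
            return False
    return any(role["id"] in held for role in policy["roles"])


def eval_time(policy, identity, now):
    """notBefore/notOnOrAfter bound an absolute window; hour/hourEnd bound
    the time of day (inclusive bounds in this simulation)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    if "notBefore" in policy and now < datetime.strptime(policy["notBefore"], fmt):
        return False
    if "notOnOrAfter" in policy and now >= datetime.strptime(policy["notOnOrAfter"], fmt):
        return False
    if "hour" in policy:
        start = int(policy["hour"])
        end = int(policy.get("hourEnd", start))
        if not start <= now.hour <= end:
            return False
    return True


def eval_aggregate(policy, identity, now):
    """Combine the votes of the referenced policies with the decision strategy."""
    votes = [evaluate(name, identity, now) for name in policy["policies"]]
    strategy = policy.get("decisionStrategy", "UNANIMOUS")
    if strategy == "UNANIMOUS":
        return all(votes)
    if strategy == "AFFIRMATIVE":
        return any(votes)
    if strategy == "CONSENSUS":
        return votes.count(True) > votes.count(False)
    raise ValueError(f"unknown decision strategy: {strategy}")


EVALUATORS = {"role": eval_role, "time": eval_time, "aggregate": eval_aggregate}


def evaluate(name, identity, now):
    """Evaluate one named policy, applying its POSITIVE/NEGATIVE logic."""
    policy = POLICIES[name]
    granted = EVALUATORS[policy["type"]](policy, identity, now)
    if policy.get("logic", "POSITIVE") == "NEGATIVE":
        granted = not granted
    return granted


def decide(name, roles, timestamp):
    """Convenience entry point: roles as a list, timestamp as ISO 8601 text."""
    return evaluate(name, {"roles": list(roles)}, datetime.fromisoformat(timestamp))


if __name__ == "__main__":
    for who, when in (("admin", "2024-03-04T10:00:00"),
                      ("admin", "2024-03-04T20:00:00"),
                      ("user", "2024-03-04T10:00:00")):
        print(who, when, decide("admin-in-business-hours", [who], when))
```

Running the script prints one decision per constructed case: the admin is granted at 10:00, denied at 20:00, and a plain user is denied at 10:00 under UNANIMOUS; swapping in `admin-or-business-hours` shows the same user granted at 10:00, which is exactly the security trade-off between the two strategies.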

UMA 2.0 (User-Managed Access)

UMA lets users manage the sharing of their own resources themselves.

# 1. The owner creates a resource
POST /realms/{realm}/authz/protection/resource_set
Authorization: Bearer {owner_token}
{
  "name": "Mon Document",
  "scopes": ["read", "write"]
}

# 2. Another user requests access
POST /realms/{realm}/authz/protection/permission
{
  "resource_id": "...",
  "resource_scopes": ["read"],
  "requester": "bob"
}

# 3. The owner approves or denies the request
# via the Keycloak Account console

Policy enforcement with an adapter

# Spring Boot configuration
keycloak:
  policy-enforcer-config:
    enforcement-mode: ENFORCING
    paths:
      - path: /api/documents/*
        methods:
          - method: GET
            scopes: [read]
          - method: POST
            scopes: [write]
          - method: DELETE
            scopes: [delete]

Best practice: combine policies with the UNANIMOUS strategy (all of them must grant) for maximum security, or AFFIRMATIVE (one granting policy is enough) for more flexibility.
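
What the enforcer does with that configuration at request time, as an added example that is not Keycloak's adapter code: it maps the request path to the resource defined earlier through the resource's `uris`, looks up the scopes the HTTP method needs, and compares them with the `authorization.permissions` claim of the requesting party token (RPT). The resource id, the user and the RPT payload are constructed, and the payload stands for a token whose signature has already been verified; `PERMISSIVE` and `DISABLED` modes are shown next to `ENFORCING` so the default deny on unmapped paths is visible. The rule for a covered path whose method lists no scopes (any permission on the resource suffices) is this simulation's own.

```python
import re

# Constructed copies of the page's resource definition and enforcer path config.
RESOURCES = [
    {"name": "Document Confidentiel", "uris": ["/api/documents/*"],
     "scopes": ["read", "write", "delete"]},
]

PATHS = [
    {"path": "/api/documents/*", "methods": [
        {"method": "GET", "scopes": ["read"]},
        {"method": "POST", "scopes": ["write"]},
        {"method": "DELETE", "scopes": ["delete"]},
    ]},
]

# Constructed, already signature-verified RPT payload: alice may only read.
RPT_CLAIMS = {
    "sub": "alice",
    "azp": "documents-api",
    "authorization": {"permissions": [
        {"rsid": "constructed-resource-id",
         "rsname": "Document Confidentiel",
         "scopes": ["read"]},
    ]},
}


def path_matches(pattern, path):
    """'*' matches any suffix, '{param}' one path segment, the rest literally."""
    regex = ""
    for part in re.split(r"(\*|\{[^}]*\})", pattern):
        if part == "*":
            regex += ".*"
        elif part.startswith("{"):
            regex += "[^/]+"
        else:
            regex += re.escape(part)
    return re.fullmatch(regex, path) is not None


def resource_for(path):
    """Name of the registered resource whose uris cover the path, if any."""
    for res in RESOURCES:
        if any(path_matches(uri, path) for uri in res["uris"]):
            return res["name"]
    return None


def required_scopes(method, path):
    """Scopes the request needs; None when no path entry covers it. A covered
    path whose method lists no scopes needs any permission on the resource."""
    for entry in PATHS:
        if path_matches(entry["path"], path):
            for m in entry.get("methods", []):
                if m["method"] == method:
                    return set(m.get("scopes", []))
            return set()
    return None


def is_permitted(claims, method, path, mode="ENFORCING"):
    """Enforcer decision for one request given the RPT claims."""
    if mode == "DISABLED":
        return True
    needed = required_scopes(method, path)
    rsname = resource_for(path)
    if needed is None or rsname is None:
        # Unmapped path: ENFORCING denies by default, PERMISSIVE lets it through.
        return mode == "PERMISSIVE"
    granted, has_any = set(), False
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == rsname:
            has_any = True
            granted.update(perm.get("scopes", []))
    return has_any if not needed else needed <= granted


if __name__ == "__main__":
    for method, path in (("GET", "/api/documents/42"),
                         ("DELETE", "/api/documents/42"),
                         ("GET", "/api/other")):
        print(method, path, is_permitted(RPT_CLAIMS, method, path))
```

The two things worth checking in a real deployment are visible here: a request for a scope the RPT does not carry (DELETE with a read-only permission) is refused, and a path nobody mapped is refused under ENFORCING rather than silently allowed, which is why ENFORCING is the mode to keep in production.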