Roles and permissions

Realm roles, client roles and composite roles

Role types in Keycloak

Realm Roles

Realm roles are global to the whole realm and are visible to every client.

# Create a realm role through the Admin REST API
# (the apostrophe in the description must be escaped inside the single-quoted JSON body)
curl -s -X POST "http://localhost:8080/admin/realms/mon-application/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "admin", "description": "Administrateur de l'\''application"}'

curl -s -X POST "http://localhost:8080/admin/realms/mon-application/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "user", "description": "Utilisateur standard"}'

# List the realm roles
curl -s -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/admin/realms/mon-application/roles" | jq '.[].name'

Client Roles

Client roles are specific to one client (application). They allow fine-grained, per-application access control.

# Creating a client role requires the client's internal UUID (not its clientId)
# Look up the client UUID
CLIENT_UUID=$(curl -s -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/admin/realms/mon-application/clients?clientId=mon-backend" | jq -r '.[0].id')

# Create roles for this client
curl -s -X POST "http://localhost:8080/admin/realms/mon-application/clients/$CLIENT_UUID/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "read", "description": "Lecture seule"}'

curl -s -X POST "http://localhost:8080/admin/realms/mon-application/clients/$CLIENT_UUID/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "write", "description": "Lecture et ecriture"}'

Composite roles

A composite role groups several roles. Assigning a composite role automatically grants every role it contains.

# Create a composite role "manager" that includes "user" and "read"
curl -s -X POST "http://localhost:8080/admin/realms/mon-application/roles" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "manager", "composite": true}'

# Add roles to the composite. The composites endpoint looks up each entry by its
# "id", so fetch the full role representations first instead of sending only names.
ROLE_USER=$(curl -s -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/admin/realms/mon-application/roles/user")
ROLE_READ=$(curl -s -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/admin/realms/mon-application/clients/$CLIENT_UUID/roles/read")

curl -s -X POST "http://localhost:8080/admin/realms/mon-application/roles/manager/composites" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "[$ROLE_USER, $ROLE_READ]"

Assigning roles to a user

# Assign a realm role to a user ($USER_ID is the user's UUID, as returned by the users endpoint).
# Role mappings, like composites, expect full role representations including the "id".
ROLE_OBJ=$(curl -s -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/admin/realms/mon-application/roles/admin")

curl -s -X POST "http://localhost:8080/admin/realms/mon-application/users/$USER_ID/role-mappings/realm" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "[$ROLE_OBJ]"

# Show a user's roles (realm and client mappings)
curl -s -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8080/admin/realms/mon-application/users/$USER_ID/role-mappings" | jq .
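Once roles are assigned, Keycloak's default mappers put realm roles in the access token's `realm_access.roles` claim and client roles in `resource_access.<clientId>.roles`, with composites already expanded. The following added example (not code from the page or from Keycloak) shows how a backend resolves effective roles from composite definitions the way the server does, and how it checks a required role against verified token claims; the `realm:`/`<clientId>:` naming convention and the sample claims are constructed for this example.

```python
# Added example: composite-role expansion and role checks on Keycloak token claims.
# Role identifiers are written "realm:<name>" for realm roles and
# "<clientId>:<name>" for client roles (a naming convention assumed here).
from typing import Dict, Mapping, Set

# Constructed composite definitions matching the page: "manager" contains the
# realm role "user" and the client role "read" of the client "mon-backend".
COMPOSITES: Dict[str, Set[str]] = {
    "realm:manager": {"realm:user", "mon-backend:read"},
}


def effective_roles(assigned: Set[str], composites: Mapping[str, Set[str]]) -> Set[str]:
    """Expand composite roles transitively; the result set also guards against cycles."""
    result: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(composites.get(role, ()))
    return result


def roles_from_claims(claims: Mapping) -> Set[str]:
    """Collect roles from the realm_access and resource_access claims of a Keycloak
    access token. Pass only claims whose signature, issuer, audience and expiry
    have already been verified: this function performs no token validation."""
    roles = {f"realm:{r}" for r in claims.get("realm_access", {}).get("roles", [])}
    for client_id, access in claims.get("resource_access", {}).items():
        roles.update(f"{client_id}:{r}" for r in access.get("roles", []))
    return roles


def has_role(claims: Mapping, required: str) -> bool:
    """Return True when the verified token grants the required role."""
    return required in roles_from_claims(claims)


# Constructed claims in the shape Keycloak emits for a user holding "manager":
# the server has already expanded the composite into its member roles.
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder user id
    "realm_access": {"roles": ["manager", "user"]},
    "resource_access": {"mon-backend": {"roles": ["read"]}},
}

if __name__ == "__main__":
    print(sorted(effective_roles({"realm:manager"}, COMPOSITES)))
    print(has_role(SAMPLE_CLAIMS, "mon-backend:read"), has_role(SAMPLE_CLAIMS, "mon-backend:write"))
```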