Keycloak resource protection recommendations - spring-boot

I'm writing web services in Spring Boot and I use Keycloak to protect the application. The app will expose API to manage restaurants.
In Keycloak I have two roles: admin and manager.
A user with admin role can CRUD restaurants. The same company has multiple restaurants and each restaurant has a manager. I want users with manager role to be able to edit only their restaurant (the restaurant they manage).
According to my understanding of Keycloak's documentation I have to use Resource with Permission but they stated that:
[] you can also have a different resource named Alice’s Banking Account, which represents a single resource owned by a single customer, which can have its own set of authorization policies.
To do that I have to create a resource like this /api/restaurants/12345 but the thing is that I can't hardcode an ID like this.
For now I protected my endpoint like this in spring boot:
http
.authorizeRequests()
.mvcMatchers(HttpMethod.PUT, "/api/restaurants/*").hasAnyRole("ADMIN", "MANAGER")
.anyRequest().permitAll();
This means that any manager from any restaurant can edit another restaurant. I want to limit that to their restaurant only (the restaurant they manage). How can I do that in Keycloak if at all possible?

What you are looking for is User managed access (UMA). It allows to manage the access permission for each resource.
The permissions can be managed with the user's authentication. So if a user enters a new restaurant you can automatically grant access permissions to him without involving a process with elevated privileges.
The best introduction is probably the Photoz example. Instead of restaurants, it's about photo albums.

Related

Where is the best place to keep authorization server in microservices?

I am designing a set of microservices for user management, api gateway, cart & checkout, promotions etc (ecommerce services). Planning to manage authentication and authorization using jwt token. Which service would be the best place to keep the authorization server?
I have refered a few designs where its found on the api gateway, but I need a separate user management service and users table is maintained here (other services like cart checkout etc would be resource servers) Grant types: client_credentials and password are required.
Are there any existing open source projects I can refer? Any documentation available for best practives?
If you are maintaining user data alongwith with the Authorization server, I woud suggest you to register this as a separate micro-service as AuthService in your RegistryService.
Best practice should be to use a JDBCTokenStore so that user is authenticated even if service instance get stopped or disrupted.
You shall include a dedicated DB for this service that shall include tables for User details, grant authorities, access tokens and refresh tokens.

Spring Boot OAuth2 linking internal users with Facebook/Google login

I have implemented a Spring Boot application with AngularJS frontend. Have also setup users along with their permissions. Right now I am able to login with any of these users and is working well with Spring security. I would like to turn this traditional login flow into a Facebook/Google OAuth login flow, where in I want the users to use their Facebook/Google account to log in and they will be mapped to their internal users automatically. This will help me in getting rid of maintaining passwords of these users.
I found many articles talking about setting up OAuth with Spring Boot and how can Facebook/Google login be integrated with a Spring Boot application. But I am having difficulty in finding an article which talks about linking a Facebook/Google user with internal users.
How should I go about this?
Look for a user with the associated facebook/google userID.
If that user does not exist you request an email address and try to match it with an existing legacy account.
If you do not get a email adress for any reason (not acceping the authorization request for example) you could show a popup box asking for the email adress explaining why you need it.
You then locate the legacy user and merge it adding the facebook/google ID to look it up in the future.
If no user is found with the email adress you either refuse the user or create a new account.
you should be able to do all of this by implementing your own AuthenticationProvider
Before you can fetch a user’s data from Facebook, you must specify your application’s ID and secret by setting the spring.social.facebook.appId and spring.social.facebook.appSecret properties. You can set these via any means supported by Spring Boot, including setting them in an application.properties file:
spring.social.facebook.appId=233668646673605
spring.social.facebook.appSecret=33b17e044ee6a4fa383f46ec6e28ea1d
For reference you can follow this article: https://spring.io/guides/gs/accessing-facebook/

Grails - Spring Security - Many dynamic roles

I'm developing an application using Grails and Spring Security.
My wish is, when the user creates his account informing his company name, the app creates an entry in the company, role and user tables and relates that role and user with the company entry.
The role created will be like an administrator which has permission for do every thing. This user with that role can creates new roles specifying the permissions but all roles created should be only in the company scope, so those roles should not be available for users of others companies.
I've seen that the Spring Security has a feature called Requestmap which for each URL, the application can specify the roles which will have access.
I don't know if this is the best solution, because in my app the number of roles will increase at least as many as the number of user.
Do you guys have some advice of how to solve this problem?
Thank you for all.
You should have a look on Spring Security ACL plugin.
With this plugin you would be able to add permissions (like write or read permission) to certain users on certain domain models.
Have a look on example taken from documentation:
#Transactional
#PreAuthorize("hasPermission(#report, write) or " +
"hasPermission(#report, admin)")
Report updateReport(Report report, params) {
report.properties = params
report.save()
report
}
By using PreAuthorize annotation it is checked if user has write (or admin) permission on this certain Report entity.

ServiceNow - What are the security roles user needs to have to add/delete sys_users via the Rest api?

I am working with the ServiceNow Rest Api. When a user provides username and password to connect to the rest api I need to validate whether the user can add/remove (Manage users) users in sys_user table. How can I do that check?
I was referring to following Get table Rest api request, to check user whether he has nessasary roles,
https://.service-now.com/api/now/table/sys_user_has_role?sysparm_fields=role%2Crole.name%2Cuser%2Cuser.name%2Cuser.sys_id%2Cuser.department&
sysparm_query=role%3D3d43716d0f6002003a2d47bce1050e0d%5EORrole%3Dac73b52d0f6002003a2d47bce1050eec&sysparm_display_value=true
What roles do I need to check? or is there an easier/better way to perform this (look for table permissions)?
Assuming an OOB configuration, your API User would need the user_admin role in addition to any soap / web services roles.
See these OOB ACLs on sys_user:
Create:
https://YOURINSTANCE.service-now.com/sys_security_acl.do?sys_id=f802c1d44f230200712553418110c752
Delete:
https://YOURINSTANCE.service-now.com/sys_security_acl.do?sys_id=93c234f1072200000ca55720e1021e5f

Restructuring existing Web API - should I use OAuth?

Most articles on MVC WebAPI OAuth assume there is some resource owner (like a person) who will authorize the release of data. In our case the data is public, like product for sale, or name of departments etc. The API just hides unnecessary/malicious access to things like date created, activity user etc. - and of course saves the front end developer from learning database schema.
Does OAuth fit in this scenario where no particular owner exists?
Does OAuth fit in this scenario where no particular owner exists?
Yes it does.
Sure, the primary focus of the OAuth specification is to protect resoures owned by the resource owner, but it can of course protect other resources too. Take Facebook for example: it protects not only your data, but also the data of your friends, which is accessible by you.
In your case, you need to protect those fields, and OAuth is a good mechanism for users with the necessary rights to authorize an application to access those fields. Users without the necessary rights (if those are registered users at all) would of course not be able to do so.
In addition, there usually is one resource that is owned by the user: the user's profile data.
OAuth 2.0 is the best protocol available today to secure a web API.
If you allow anyone (= any client application) to access your APIs without any restriction, you don't have to care about OAuth.
On the other hand, if you want to allow accesses only from client applications that have been registered in advance, "Client Credentials Flow" in RFC 6749 (OAuth 2.0) is probably the best for you. The flow does not associate an access token with any specific resource owner. An access token is issued based on only the client credentials (= client ID and client secret) of a client application.

Resources