Support for checking entitlements #305

Open
Y00sh00 opened this issue Nov 2, 2020 · 2 comments
Labels
enhancement This issue/PR is an enhancement or new feature. need-information More information is needed

Comments


Y00sh00 commented Nov 2, 2020

Bug Report or Feature Request (mark with an x)

- [ ] bug report -> please search for issues before submitting
- [x] feature request

Desired functionality.

I would like to contribute the ability to check entitlements through keycloak-angular. I already have a proof of concept working on a branch. But it would probably be smart to discuss implementation specifics first.

For now, the interface looks something like:

```js
keycloakService.isUserEntitled('resource-server-id', {
  permissions: [
    {
      id: 'news',
      scopes: ['news:create']
    }
  ]
});
```

Which will either fail with a 403 or return an RPT token. This RPT token (basically a JWT) can then be decoded and used in guards to determine if a user has access or not.

In my opinion, it would be best if the user sorts out what to do with the RPT token themselves, considering you can request multiple resources and scopes and the token just holds the ones you have access to. Only if none are present will Keycloak present you with a 403.

To get these basics working it's a rather small change:

```js
this._keycloakAuthorizationInstance = new KeycloakAuthorization(this._instance);
await this._keycloakAuthorizationInstance.init();
```

You can then call the entitlement function on `_keycloakAuthorizationInstance`.

Would this be a feature that would be useful in angular-keycloak?
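
The RPT handling described in the comment above, as an added example that is not part of the original post or of keycloak-angular: it reads the `authorization.permissions` claim (entries with `rsid`, `rsname` and `scopes`) that Keycloak places in an RPT and fails closed on malformed or expired tokens. The function names `rptPermissions`, `isGranted` and `makeSampleRpt` are hypothetical, and the sample token is constructed.

```javascript
// Added example (not keycloak-angular code). Client-side decoding is a UI hint:
// the signature is not verified here, so the resource server must still enforce.

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Returns the permissions carried by an RPT, or [] for anything malformed or
// expired, so callers fail closed.
function rptPermissions(rpt, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof rpt !== 'string') return [];
  const parts = rpt.split('.');
  if (parts.length !== 3) return [];
  let payload;
  try {
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return [];
  }
  if (!payload || typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return [];
  const perms = payload.authorization && payload.authorization.permissions;
  return Array.isArray(perms) ? perms : [];
}

// True only if the RPT lists `scope` on the resource named (or identified by) `resource`.
function isGranted(rpt, resource, scope, nowSeconds) {
  return rptPermissions(rpt, nowSeconds).some(
    (p) =>
      p && (p.rsname === resource || p.rsid === resource) &&
      Array.isArray(p.scopes) && p.scopes.includes(scope)
  );
}

// Constructed sample RPT (unsigned, placeholder signature, Node-only helper): two
// scopes were requested, but only news:create was granted, so only it is present.
function makeSampleRpt(exp) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = {
    exp,
    authorization: { permissions: [{ rsid: 'constructed-id', rsname: 'news', scopes: ['news:create'] }] },
  };
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}
```

A guard would call `isGranted(rpt, 'news', 'news:create')` to decide what to render; the API behind the route has to validate the token signature and permissions itself.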

@jonkoops jonkoops added enhancement This issue/PR is an enhancement or new feature. need-information More information is needed labels Nov 3, 2020
Collaborator

jonkoops commented Nov 3, 2020

Hi @Y00sh00, we're trying to make Keycloak Angular a lightweight wrapper around keycloak-js. We might even deprecate the KeycloakService in future versions and create several smaller services for assorted functionalities such as events around the authentication state, etc.

Before considering adding this functionality to Keycloak Angular I would like to ask if this functionality is already present in keycloak-js itself. Is the KeycloakAuthorization class you are showing part of keycloak-js?

Author

Y00sh00 commented Nov 3, 2020

> Before considering adding this functionality to Keycloak Angular I would like to ask if this functionality is already present in keycloak-js itself. Is the KeycloakAuthorization class you are showing part of keycloak-js?

In the keycloak NPM dependency there are two files. keycloak.js is the Keycloak functionality that keycloak angular currently mostly wraps. There is also a keycloak-authz.js, which is Keycloak's Authz client intended for resource-based access control as documented here: https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_resources_api

The JavaScript portion of it is documented specifically here: https://www.keycloak.org/docs/latest/authorization_services/#_enforcer_js_adapter

The KeycloakAuthorization class is part of that.
