This article explains how UMA policy enforcers work with Keycloak.

1) UMA User resource query

A client accesses a resource on a resource server.

In return, the user receives an HTTP 401 error together with the as_uri of the resource server (where the resource is registered) and a permission ticket.

2) Permission ticket

The permission ticket is a signed JWT which contains the URL and the scopes that the user can query/use on this resource.

The permission ticket is issued by the Keycloak authorization server, through the Keycloak PEP (Policy Enforcement Point). The PEP is the piece of magic which ensures that, when a user calls a specific resource, the as_uri and a permission ticket are returned.

3) Policy Enforcement Point

The policy enforcement point acts as an interceptor between the user asking for a resource and the Keycloak server.

The policy enforcer definition is described in a keycloak.json file, which indicates, for each URL, the default scopes associated with each HTTP request.

This way, it is possible to define distinct scopes for HTTP GET, HTTP DELETE, and so on.

Those scopes are later carried in the permission ticket and in the RPT (requesting party token).
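The three pieces described above (the per-method scopes in keycloak.json, the 401 challenge carrying as_uri and a ticket, and the ticket naming the scopes) fit together as a small simulation. The following Python is an added example and is not Keycloak's code: the policy-enforcer JSON fragment uses the Keycloak adapter key names but constructed values, the ticket is a toy HS256 JWT signed with a constructed key (a real Keycloak ticket is signed by the realm key), and the RPT is taken as an already-decoded dict whose signature check is assumed to have happened elsewhere. The function names (`enforce`, `required_scopes`, `issue_ticket`, `parse_uma_challenge`) are this example's own.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

# Constructed keycloak.json-style fragment: the "policy-enforcer" section maps each
# protected path and HTTP method to the scopes a caller must hold. Key names follow
# the Keycloak adapter format; realm, URL and scope values are made up for this example.
KEYCLOAK_JSON = json.loads("""
{
  "realm": "demo",
  "auth-server-url": "https://keycloak.example/auth",
  "resource": "photo-api",
  "policy-enforcer": {
    "user-managed-access": {},
    "paths": [
      {
        "name": "Album",
        "path": "/album/{id}",
        "methods": [
          {"method": "GET",    "scopes": ["album:view"]},
          {"method": "DELETE", "scopes": ["album:delete"]}
        ]
      }
    ]
  }
}
""")

# Constructed signing key standing in for the authorization server's realm key.
TICKET_KEY = b"example-only-ticket-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(as_uri: str, resource: str, scopes: list) -> str:
    """Simulated permission ticket: an HS256 compact JWT naming the resource and the
    scopes the request needs, which the client later presents when asking for an RPT."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": as_uri, "iat": int(time.time()),
               "permissions": [{"rsname": resource, "scopes": scopes}]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(TICKET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_ticket(token: str) -> dict:
    """Verify the ticket signature and return its payload; raises if it was tampered with."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(TICKET_KEY, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("permission ticket signature mismatch")
    return json.loads(_b64url_decode(signing_input.split(".")[1]))


def _path_matches(template: str, path: str) -> bool:
    """'/album/{id}' matches '/album/42': a {param} segment matches one non-empty segment."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all((ts.startswith("{") and ts.endswith("}") and ps != "") or ts == ps
               for ts, ps in zip(t_parts, p_parts))


def required_scopes(config: dict, method: str, path: str) -> Optional[tuple]:
    """Resolve (resource name, scopes) for a request from the policy-enforcer paths,
    or None when the path is not protected at all."""
    for rule in config["policy-enforcer"]["paths"]:
        if _path_matches(rule["path"], path):
            for m in rule.get("methods", []):
                if m["method"].upper() == method.upper():
                    return rule["name"], list(m["scopes"])
            # Assumption of this model: a protected path with no entry for the
            # method still names the resource but demands no particular scope.
            return rule["name"], []
    return None


def _rpt_grants(rpt: dict, resource: str, scopes: list) -> bool:
    """Check the decoded RPT's authorization.permissions for the resource and every scope."""
    for perm in rpt.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource and set(scopes) <= set(perm.get("scopes", [])):
            return True
    return False


def enforce(config: dict, method: str, path: str, rpt: Optional[dict]) -> dict:
    """Simulated PEP: pass unprotected paths, accept a sufficient RPT, otherwise
    answer 401 with the UMA challenge carrying as_uri and a fresh permission ticket."""
    rule = required_scopes(config, method, path)
    if rule is None:
        return {"status": 200, "headers": {}}
    resource, scopes = rule
    if rpt is not None and _rpt_grants(rpt, resource, scopes):
        return {"status": 200, "headers": {}}
    as_uri = f'{config["auth-server-url"]}/realms/{config["realm"]}'
    ticket = issue_ticket(as_uri, resource, scopes)
    challenge = f'UMA realm="{config["realm"]}", as_uri="{as_uri}", ticket="{ticket}"'
    return {"status": 401, "headers": {"WWW-Authenticate": challenge}}


def parse_uma_challenge(header: str) -> dict:
    """Client side: extract realm, as_uri and ticket from the WWW-Authenticate value."""
    if not header.startswith("UMA "):
        raise ValueError("not a UMA challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', header))
```

Calling `enforce(KEYCLOAK_JSON, "DELETE", "/album/42", None)` yields the 401 with a challenge whose ticket decodes to the `album:delete` scope; the same call with an RPT that only grants `album:view` is refused again, which is the point of keeping the scopes per method: a token good for viewing is not silently accepted for deletion.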

UMA policy enforcers with Keycloak

4) Pointers

Olivier Rivat

Senior Software Engineer with over 25 years of experience doing Software Development, Support and Consulting in Identity and Access Management Solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, and founded in 2004 by an IAM industry veteran, JANUA offers high value-added products and services to businesses and governments concerned with Identity Management and Open Source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile, and IoT offerings from any device or connected thing.