Additional Authorization
In addition to the Keycloak OAuth policy, you can use the Authorization policy to add a list of fine-grained authorization rules which allows you to control precisely who is allowed to access the API.
Make sure that you configure the Authorization policy after the standard authentication.
An authentication policy is responsible for extracting the authenticated user’s roles - and this is data, that is required for the Authorization policy to do its work. It is also mandatory, that you enable option Forwarding Roles in the used authentication policy to make sure you can use the roles in the configuration of the Authorization policy.
Adding the Authorization Policy
A wizard supports you during policy configuration. Refer to Attaching Policies for a step-by-step guide.
The configuration of this policy consists of a number of rules that are applied to any inbound request to the API. Each rule consists of a regular expression pattern, an HTTP verb and the role that an authenticated user must possess in order for access to be granted.
It is also possible to apply the rules for all requests by using a wildcard regular expression.
Example:
Additional role authorization with the Authorization policy:
Only users with role support-admin are allowed to delete support cases.
Only users with role support-manager are allowed to get support cases.
Refer to Authorization for a detailed overview on all settings of this policy.
Related Pages: