[KEYCLOAK-4902] - Response_mode parameter and release notes for authorization services
parent 549e95f02f
commit 2a6c449f3c
3 changed files with 71 additions and 1 deletion
@ -57,6 +57,40 @@ This parameter is *optional*. An integer N that defines a limit for the amount o
|
|||
+
|
||||
This parameter is *optional*. A boolean value indicating whether the server should create permission requests to the resources and scopes referenced by a permission ticket.
|
||||
This parameter only have effect if used together with the `ticket` parameter as part of a UMA authorization process.
|
||||
+
|
||||
* **response_mode**
|
||||
+
|
||||
This parameter is *optional*. A string value indicating how the server should respond to authorization requests. This parameter is specially useful when
|
||||
you are mainly interested in either the overall decision or the permissions granted by the server, instead of an standard OAuth2 response. Possible values are:
|
||||
+
|
||||
*** `decision`
|
||||
+
|
||||
Indicates that responses from the server should only represent the overall decision by returning a JSON with the following format:
|
||||
+
|
||||
```json
|
||||
{
|
||||
'result': true
|
||||
}
|
||||
```
|
||||
+
|
||||
If the authorization request does not map to any permission, a `403` HTTP status code is returned instead.
|
||||
+
|
||||
*** `permissions`
|
||||
+
|
||||
Indicates that responses from the server should contain any permission granted by the server by returning a JSON with the following format:
|
||||
+
|
||||
```json
|
||||
[
|
||||
{
|
||||
'rsid': 'My Resource'
|
||||
'scopes': ['view', 'update']
|
||||
},
|
||||
|
||||
...
|
||||
]
|
||||
```
|
||||
+
|
||||
If the authorization request does not map to any permission, a `403` HTTP status code is returned instead.
|
||||
|
||||
Example of a authorization request when a client is seeking access to two resources protected by a resource server.
|
||||
|
||||
|
|
|
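Review bot: the JSON payloads shown for the `decision` and `permissions` response modes are not valid JSON, because they use single-quoted keys and strings (`'result': true`, `'rsid': 'My Resource'`) and the `permissions` object is missing the comma between `'rsid': 'My Resource'` and `'scopes': ['view', 'update']`; use double quotes and add the comma so the blocks can be pasted into a client unchanged. The `rsid` field is illustrated with the value `'My Resource'`, which reads like a display name rather than an identifier; the text should say what that field actually carries. The sentence "If the authorization request does not map to any permission, a `403` HTTP status code is returned instead." is repeated verbatim under both modes and could be stated once above the list, and the text does not say how the server treats a `response_mode` value other than the two listed, which is worth documenting. Wording fixes in the added prose: "specially useful" should be "especially useful", "an standard OAuth2 response" should be "a standard OAuth2 response", "Example of a authorization request" should be "an authorization request", and the surrounding context line "This parameter only have effect" should read "only has effect".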
@ -1,4 +1,7 @@
|
|||
ifeval::[{project_community}==true]
|
||||
== {project_name_full} 4.3.0.Final
|
||||
include::topics/4_3_0_final.adoc[leveloffset=2]
|
||||
|
||||
== {project_name_full} 4.2.0.Final
|
||||
include::topics/4_2_0_final.adoc[leveloffset=2]
|
||||
|
||||
|
|
|
@ -10,4 +10,37 @@ For more details refer to the threat mitigation section in the link:{adminguide_
|
|||
= X509 Client Authenticator
|
||||
|
||||
The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that
|
||||
the Keycloak Server validates Subject DN field of the client's certificate.
|
||||
the Keycloak Server validates Subject DN field of the client's certificate.
|
||||
|
||||
= Performance improvements to Authorization Services
|
||||
|
||||
For this release, we improved policy evaluation performance across the board, increasing reliability and throughput. The main
|
||||
changes we did were related with trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions
|
||||
as soon as they happen. We also introduced a policy decision cache on a per request basis, avoiding redundant decisions from policies
|
||||
previously evaluated.
|
||||
|
||||
We are also working on other layers of cache which should give a much better experience. See https://issues.jboss.org/browse/KEYCLOAK-7952[KEYCLOAK-7952].
|
||||
|
||||
= Choosing the response mode when obtaining permissions from the server
|
||||
|
||||
In previous versions, permissions were always returned from the server using standard OAuth2 response, containing the access and refresh tokens. In this release,
|
||||
clients can use a `response_mode` parameter to specify how the server should respond to an authorization request. This parameter accepts two values:
|
||||
|
||||
* `decision`
|
||||
+
|
||||
Indicating that responses should only contain a flag indicating whether or not permissions were granted by the server. Otherwise a `403` HTTP status code is returned.
|
||||
+
|
||||
* `permissions`
|
||||
+
|
||||
Indicating that a response should contain every single permission granted by the server using a JSON format.
|
||||
|
||||
= NodeJS Policy Enforcer
|
||||
|
||||
The https://github.com/keycloak/keycloak-nodejs-connect[keycloak-nodejs-connect], an adapter for NodeJS, now supports constructs to protect
|
||||
resources based on decisions taken from the server. The new construct allows users to protect their resources using fine-grained permissions as follows:
|
||||
|
||||
```js
|
||||
app.get('/protected/resource', keycloak.enforcer('resource:view'), function (req, res) {
|
||||
res.json({message: 'access granted'});
|
||||
});
|
||||
```
|
||||
|
|
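Review bot: the `decision` bullet ends with "Otherwise a `403` HTTP status code is returned." without saying what "otherwise" covers; the authorization services text in this same commit ties the 403 to a request that does not map to any permission, so the release note should say the same. The performance paragraph mixes verb forms in "trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions as soon as they happen" ("collecting decisions" fixes it), and "related with" should be "related to"; in the next section "using standard OAuth2 response" should be "using a standard OAuth2 response". In the X509 section the hunk appears to remove and re-add the identical line "the Keycloak Server validates Subject DN field of the client's certificate." (likely a trailing-newline fix); while touching it, "validates Subject DN field" should read "validates the Subject DN field". The NodeJS snippet calls `keycloak.enforcer('resource:view')` without showing where the `keycloak` object comes from or what the `resource:view` string denotes; a one-line pointer to the adapter's setup or to the meaning of the `resource:scope` string would make the example self-contained.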