From 2a6c449f3c1bb3114e00df8ea7931ee2045a53a0 Mon Sep 17 00:00:00 2001 From: Pedro Igor Date: Fri, 10 Aug 2018 09:42:53 -0300 Subject: [PATCH] [KEYCLOAK-4902] - Response_mode parameter and release notes for authorization services --- ...ce-authorization-obtaining-permission.adoc | 34 ++++++++++++++++++ release_notes/topics.adoc | 3 ++ release_notes/topics/4_3_0_final.adoc | 35 ++++++++++++++++++- 3 files changed, 71 insertions(+), 1 deletion(-) diff --git a/authorization_services/topics/service-authorization-obtaining-permission.adoc b/authorization_services/topics/service-authorization-obtaining-permission.adoc index ee008592a6..0802e2a290 100644 --- a/authorization_services/topics/service-authorization-obtaining-permission.adoc +++ b/authorization_services/topics/service-authorization-obtaining-permission.adoc 
@@ -57,6 +57,40 @@ This parameter is *optional*. An integer N that defines a limit for the amount o + This parameter is *optional*. A boolean value indicating whether the server should create permission requests to the resources and scopes referenced by a permission ticket. This parameter only have effect if used together with the `ticket` parameter as part of a UMA authorization process. ++ +* **response_mode** ++ +This parameter is *optional*. A string value indicating how the server should respond to authorization requests. This parameter is specially useful when +you are mainly interested in either the overall decision or the permissions granted by the server, instead of an standard OAuth2 response. Possible values are: ++ +*** `decision` ++ +Indicates that responses from the server should only represent the overall decision by returning a JSON with the following format: ++ +```json +{ + 'result': true +} +``` ++ +If the authorization request does not map to any permission, a `403` HTTP status code is returned instead. ++ +*** `permissions` ++ +Indicates that responses from the server should contain any permission granted by the server by returning a JSON with the following format: ++ +```json +[ + { + 'rsid': 'My Resource' + 'scopes': ['view', 'update'] + }, + + ... +] +``` ++ +If the authorization request does not map to any permission, a `403` HTTP status code is returned instead. Example of a authorization request when a client is seeking access to two resources protected by a resource server. diff --git a/release_notes/topics.adoc b/release_notes/topics.adoc index d9f5c07041..0cbf4adb59 100644 --- a/release_notes/topics.adoc +++ b/release_notes/topics.adoc @@ -1,4 +1,7 @@ ifeval::[{project_community}==true] +== {project_name_full} 4.3.0.Final +include::topics/4_3_0_final.adoc[leveloffset=2] + == {project_name_full} 4.2.0.Final include::topics/4_2_0_final.adoc[leveloffset=2] 
diff --git a/release_notes/topics/4_3_0_final.adoc b/release_notes/topics/4_3_0_final.adoc index 3a173f3ac8..8cdf6da952 100644 --- a/release_notes/topics/4_3_0_final.adoc +++ b/release_notes/topics/4_3_0_final.adoc 
@@ -10,4 +10,37 @@ For more details refer to the threat mitigation section in the link:{adminguide_ = X509 Client Authenticator The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that -the Keycloak Server validates Subject DN field of the client's certificate. \ No newline at end of file +the Keycloak Server validates Subject DN field of the client's certificate. + += Performance improvements to Authorization Services + +For this release, we improved policy evaluation performance across the board, increasing reliability and throughput. The main +changes we did were related with trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions +as soon as they happen. We also introduced a policy decision cache on a per request basis, avoiding redundant decisions from policies +previously evaluated. + +We are also working on other layers of cache which should give a much better experience. See https://issues.jboss.org/browse/KEYCLOAK-7952[KEYCLOAK-7952]. + += Choosing the response mode when obtaining permissions from the server + +In previous versions, permissions were always returned from the server using standard OAuth2 response, containing the access and refresh tokens. In this release, +clients can use a `response_mode` parameter to specify how the server should respond to an authorization request. This parameter accepts two values: + +* `decision` ++ +Indicating that responses should only contain a flag indicating whether or not permissions were granted by the server. Otherwise a `403` HTTP status code is returned. ++ +* `permissions` ++ +Indicating that a response should contain every single permission granted by the server using a JSON format. 
+ += NodeJS Policy Enforcer + +The https://github.com/keycloak/keycloak-nodejs-connect[keycloak-nodejs-connect], an adapter for NodeJS, now supports constructs to protect +resources based on decisions taken from the server. The new construct allows users to protect their resources using fine-grained permissions as follows: + +```js +app.get('/protected/resource', keycloak.enforcer('resource:view'), function (req, res) { + res.json({message: 'access granted'}); +}); +```
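Review bot: the two JSON samples in the `response_mode` hunk of service-authorization-obtaining-permission.adoc are not valid JSON, so a reader who copies them to build a parser or a test will get a syntax error: both use single quotes (`'result': true`, `'rsid': 'My Resource'`), and the `permissions` sample is missing the comma between `'rsid': 'My Resource'` and `'scopes': ['view', 'update']`. Switch to double quotes and add the comma, e.g. `"rsid": "My Resource",` followed by `"scopes": ["view", "update"]`. The same hunk should also state whether `decision` mode can ever return `"result": false`, since the text only shows `true` and says a `403` is returned when the request maps to no permission; clients need to know which of the two denial signals to handle. Minor wording in the added lines: "This parameter only have effect" should be "only has effect", "an standard OAuth2 response" should be "a standard OAuth2 response", "specially useful" should be "especially useful", and "Example of a authorization request" should be "Example of an authorization request". The `*** decision` / `*** permissions` items also jump from a level-1 to a level-3 bullet; `**` keeps the nesting consistent with the surrounding parameter list.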
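Review bot: in the 4_3_0_final.adoc hunk, the `decision` bullet under "Choosing the response mode" reads "a flag indicating whether or not permissions were granted by the server. Otherwise a `403` HTTP status code is returned", which contradicts the authorization services document in the same patch, where the `403` is tied to the request not mapping to any permission rather than to a negative decision; align the release note with that wording so the two pages do not describe different denial behaviour. The NodeJS Policy Enforcer section shows `keycloak.enforcer('resource:view')` but never explains the `resource:scope` form of the argument or what the adapter does when the server denies access, which is the part an integrator needs to get right for the endpoint to actually be protected; a sentence covering both would help. Grammar in the added lines: "related with trying to optimize" should be "related to optimizing", "avoiding unnecessary flows and collect decisions" should be "collecting decisions", "on a per request basis" should be "per request", "using standard OAuth2 response" should be "using a standard OAuth2 response", and the two bullets starting "Indicating that" read better as full sentences ("Indicates that ..."). Good to see the missing trailing newline on the X509 paragraph fixed in the same change.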