[KEYCLOAK-4902] - Response_mode parameter and release notes for authorization services
parent
549e95f02f
commit
2a6c449f3c
3 changed files with 71 additions and 1 deletions
|
@ -57,6 +57,40 @@ This parameter is *optional*. An integer N that defines a limit for the amount o
|
||||||
+
|
+
|
||||||
This parameter is *optional*. A boolean value indicating whether the server should create permission requests to the resources and scopes referenced by a permission ticket.
|
This parameter is *optional*. A boolean value indicating whether the server should create permission requests to the resources and scopes referenced by a permission ticket.
|
||||||
This parameter only have effect if used together with the `ticket` parameter as part of a UMA authorization process.
|
This parameter only have effect if used together with the `ticket` parameter as part of a UMA authorization process.
|
||||||
|
+
|
||||||
|
* **response_mode**
|
||||||
|
+
|
||||||
|
This parameter is *optional*. A string value indicating how the server should respond to authorization requests. This parameter is specially useful when
|
||||||
|
you are mainly interested in either the overall decision or the permissions granted by the server, instead of an standard OAuth2 response. Possible values are:
|
||||||
|
+
|
||||||
|
*** `decision`
|
||||||
|
+
|
||||||
|
Indicates that responses from the server should only represent the overall decision by returning a JSON with the following format:
|
||||||
|
+
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
'result': true
|
||||||
|
}
|
||||||
|
```
|
||||||
|
+
|
||||||
|
If the authorization request does not map to any permission, a `403` HTTP status code is returned instead.
|
||||||
|
+
|
||||||
|
*** `permissions`
|
||||||
|
+
|
||||||
|
Indicates that responses from the server should contain any permission granted by the server by returning a JSON with the following format:
|
||||||
|
+
|
||||||
|
```json
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'rsid': 'My Resource'
|
||||||
|
'scopes': ['view', 'update']
|
||||||
|
},
|
||||||
|
|
||||||
|
...
|
||||||
|
]
|
||||||
|
```
|
||||||
|
+
|
||||||
|
If the authorization request does not map to any permission, a `403` HTTP status code is returned instead.
|
||||||
|
|
||||||
Example of a authorization request when a client is seeking access to two resources protected by a resource server.
|
Example of a authorization request when a client is seeking access to two resources protected by a resource server.
|
||||||
|
|
||||||
|
|
|
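Review bot: the two JSON samples added in this hunk are not valid JSON: both use single quotes (`'result': true`, `'rsid': 'My Resource'`) and the `permissions` sample is missing the comma between `'rsid': 'My Resource'` and `'scopes': ['view', 'update']`, so anyone pasting them into a client or a test gets a parse error; switch to double quotes and add the comma. Two wording fixes in the new `response_mode` paragraph: "specially useful" should be "especially useful" and "an standard OAuth2 response" should be "a standard OAuth2 response". The nested list also jumps from `*` to `***`, skipping the `**` level; `**` keeps the AsciiDoc nesting consistent. Since both modes return a plain JSON body instead of the standard OAuth2 token response, please state whether that body is meant only for the requesting client's own decision and is not something to present to a resource server as proof of access; and the sentence "If the authorization request does not map to any permission, a `403` HTTP status code is returned instead." is repeated verbatim under each value, so one statement after the list covering both modes would avoid the duplication.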
@ -1,4 +1,7 @@
|
||||||
ifeval::[{project_community}==true]
|
ifeval::[{project_community}==true]
|
||||||
|
== {project_name_full} 4.3.0.Final
|
||||||
|
include::topics/4_3_0_final.adoc[leveloffset=2]
|
||||||
|
|
||||||
== {project_name_full} 4.2.0.Final
|
== {project_name_full} 4.2.0.Final
|
||||||
include::topics/4_2_0_final.adoc[leveloffset=2]
|
include::topics/4_2_0_final.adoc[leveloffset=2]
|
||||||
|
|
||||||
|
|
|
@ -11,3 +11,36 @@ For more details refer to the threat mitigation section in the link:{adminguide_
|
||||||
|
|
||||||
The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that
|
The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that
|
||||||
the Keycloak Server validates Subject DN field of the client's certificate.
|
the Keycloak Server validates Subject DN field of the client's certificate.
|
||||||
|
|
||||||
|
= Performance improvements to Authorization Services
|
||||||
|
|
||||||
|
For this release, we improved policy evaluation performance across the board, increasing reliability and throughput. The main
|
||||||
|
changes we did were related with trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions
|
||||||
|
as soon as they happen. We also introduced a policy decision cache on a per request basis, avoiding redundant decisions from policies
|
||||||
|
previously evaluated.
|
||||||
|
|
||||||
|
We are also working on other layers of cache which should give a much better experience. See https://issues.jboss.org/browse/KEYCLOAK-7952[KEYCLOAK-7952].
|
||||||
|
|
||||||
|
= Choosing the response mode when obtaining permissions from the server
|
||||||
|
|
||||||
|
In previous versions, permissions were always returned from the server using standard OAuth2 response, containing the access and refresh tokens. In this release,
|
||||||
|
clients can use a `response_mode` parameter to specify how the server should respond to an authorization request. This parameter accepts two values:
|
||||||
|
|
||||||
|
* `decision`
|
||||||
|
+
|
||||||
|
Indicating that responses should only contain a flag indicating whether or not permissions were granted by the server. Otherwise a `403` HTTP status code is returned.
|
||||||
|
+
|
||||||
|
* `permissions`
|
||||||
|
+
|
||||||
|
Indicating that a response should contain every single permission granted by the server using a JSON format.
|
||||||
|
|
||||||
|
= NodeJS Policy Enforcer
|
||||||
|
|
||||||
|
The https://github.com/keycloak/keycloak-nodejs-connect[keycloak-nodejs-connect], an adapter for NodeJS, now supports constructs to protect
|
||||||
|
resources based on decisions taken from the server. The new construct allows users to protect their resources using fine-grained permissions as follows:
|
||||||
|
|
||||||
|
```js
|
||||||
|
app.get('/protected/resource', keycloak.enforcer('resource:view'), function (req, res) {
|
||||||
|
res.json({message: 'access granted'});
|
||||||
|
});
|
||||||
|
```
|
||||||
|
|
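Review bot: the `decision` bullet here says the response is a flag "indicating whether or not permissions were granted" and that "Otherwise a `403` HTTP status code is returned", while the parameter reference added in the same commit documents the `403` for both modes whenever no permission matches; keep the two descriptions aligned and drop "Otherwise", since the flag and the `403` are the two mutually exclusive outcomes. The NodeJS example shows only the granted path; because `keycloak.enforcer('resource:view')` is the access-control boundary for the route, the note should say what the enforcer does when the server denies the request or the request is unauthenticated (response status, whether the handler runs), otherwise integrators cannot verify the deny path. It is also worth stating explicitly that the new policy decision cache is discarded at the end of the request, since a decision cache that persisted across requests would be a security-relevant change on its own. Wording: "The main changes we did were related with trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions as soon as they happen" reads better as "The main changes optimize the policy evaluation path by avoiding unnecessary flows and collecting decisions as soon as they are made"; "per request basis" should be "per-request basis"; and "using standard OAuth2 response" should be "using a standard OAuth2 response".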