[KEYCLOAK-4902] - Response_mode parameter and release notes for authorization services

This commit is contained in:
Pedro Igor 2018-08-10 09:42:53 -03:00 committed by Stian Thorgersen
parent 549e95f02f
commit 2a6c449f3c
3 changed files with 71 additions and 1 deletions

View file

@ -57,6 +57,40 @@ This parameter is *optional*. An integer N that defines a limit for the amount o
+ +
This parameter is *optional*. A boolean value indicating whether the server should create permission requests to the resources and scopes referenced by a permission ticket. This parameter is *optional*. A boolean value indicating whether the server should create permission requests to the resources and scopes referenced by a permission ticket.
This parameter only have effect if used together with the `ticket` parameter as part of a UMA authorization process. This parameter only have effect if used together with the `ticket` parameter as part of a UMA authorization process.
+
* **response_mode**
+
This parameter is *optional*. A string value indicating how the server should respond to authorization requests. This parameter is specially useful when
you are mainly interested in either the overall decision or the permissions granted by the server, instead of an standard OAuth2 response. Possible values are:
+
*** `decision`
+
Indicates that responses from the server should only represent the overall decision by returning a JSON with the following format:
+
```json
{
'result': true
}
```
+
If the authorization request does not map to any permission, a `403` HTTP status code is returned instead.
+
*** `permissions`
+
Indicates that responses from the server should contain any permission granted by the server by returning a JSON with the following format:
+
```json
[
{
'rsid': 'My Resource'
'scopes': ['view', 'update']
},
...
]
```
+
If the authorization request does not map to any permission, a `403` HTTP status code is returned instead.
Example of a authorization request when a client is seeking access to two resources protected by a resource server. Example of a authorization request when a client is seeking access to two resources protected by a resource server.

View file

@ -1,4 +1,7 @@
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
== {project_name_full} 4.3.0.Final
include::topics/4_3_0_final.adoc[leveloffset=2]
== {project_name_full} 4.2.0.Final == {project_name_full} 4.2.0.Final
include::topics/4_2_0_final.adoc[leveloffset=2] include::topics/4_2_0_final.adoc[leveloffset=2]

View file

@ -10,4 +10,37 @@ For more details refer to the threat mitigation section in the link:{adminguide_
= X509 Client Authenticator = X509 Client Authenticator
The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that
the Keycloak Server validates Subject DN field of the client's certificate. the Keycloak Server validates Subject DN field of the client's certificate.
= Performance improvements to Authorization Services
For this release, we improved policy evaluation performance across the board, increasing reliability and throughput. The main
changes we did were related with trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions
as soon as they happen. We also introduced a policy decision cache on a per request basis, avoiding redundant decisions from policies
previously evaluated.
We are also working on other layers of cache which should give a much better experience. See https://issues.jboss.org/browse/KEYCLOAK-7952[KEYCLOAK-7952].
= Choosing the response mode when obtaining permissions from the server
In previous versions, permissions were always returned from the server using standard OAuth2 response, containing the access and refresh tokens. In this release,
clients can use a `response_mode` parameter to specify how the server should respond to an authorization request. This parameter accepts two values:
* `decision`
+
Indicating that responses should only contain a flag indicating whether or not permissions were granted by the server. Otherwise a `403` HTTP status code is returned.
+
* `permissions`
+
Indicating that a response should contain every single permission granted by the server using a JSON format.
= NodeJS Policy Enforcer
The https://github.com/keycloak/keycloak-nodejs-connect[keycloak-nodejs-connect], an adapter for NodeJS, now supports constructs to protect
resources based on decisions taken from the server. The new construct allows users to protect their resources using fine-grained permissions as follows:
```js
app.get('/protected/resource', keycloak.enforcer('resource:view'), function (req, res) {
res.json({message: 'access granted'});
});
```