mauriciovigolo / keycloak-angular

Easy Keycloak setup for Angular applications.
MIT License
729 stars 280 forks

Support for checking entitlements #305

Open Y00sh00 opened 4 years ago

Y00sh00 commented 4 years ago

Bug Report or Feature Request (mark with an x)

- [ ] bug report -> please search for issues before submitting
- [x] feature request

Desired functionality.

I would like to contribute the ability to check entitlements through keycloak-angular. I already have a proof of concept working on a branch. But it would probably be smart to discuss implementation specifics first.

For now, the interface looks something like:

```typescript
keycloakService.isUserEntitled('resource-server-id', {
  permissions: [
    {
      id: 'news',
      scopes: ['news:create']
    }
  ]
});
```

Which will either fail with a 403 or return an RPT token. This RPT token (basically a JWT) can then be decoded and used in guards to determine if a user has access or not.

In my opinion, it would be best if the user sorts out what to do with the RPT token themselves, considering you can request multiple resources and scopes and the token just holds the ones you have access to. Only if none are present will Keycloak present you with a 403.

To get these basics working it's a rather small change:

```typescript
this._keycloakAuthorizationInstance = new KeycloakAuthorization(this._instance);
await this._keycloakAuthorizationInstance.init();
```

You can then call the entitlement function on `_keycloakAuthorizationInstance`.

Would this be a feature that would be useful in angular-keycloak?
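The RPT check described in the issue above, as an added example that is not part of the original post and not keycloak-angular or keycloak-js code. It decodes an RPT and reports whether a resource and scope were granted, failing closed on malformed or expired tokens. The function names are hypothetical, and the claim layout (`authorization.permissions` entries with `rsid`, `rsname` and `scopes`) is an assumption to confirm against the tokens your Keycloak version issues.

```javascript
// Added example; claim names below are assumptions, function names hypothetical.

// Decode the payload segment of a compact JWT. No signature check happens here,
// so the result may only drive UI decisions such as route guards; the resource
// server must still verify the token before serving anything.
function decodeRptPayload(rpt) {
  const parts = typeof rpt === 'string' ? rpt.split('.') : [];
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// True only if the RPT is unexpired and lists `scope` for `resource`.
// The token holds only the permissions that were granted, so absence means "no".
function rptGrants(rpt, resource, scope, nowSeconds = Math.floor(Date.now() / 1000)) {
  let payload;
  try {
    payload = decodeRptPayload(rpt);
  } catch {
    return false; // fail closed on malformed tokens
  }
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return false;
  const permissions = payload.authorization?.permissions;
  if (!Array.isArray(permissions)) return false;
  return permissions.some((p) =>
    [p.rsid, p.rsname].includes(resource) &&
    Array.isArray(p.scopes) && p.scopes.includes(scope));
}

// Build a constructed sample RPT (placeholder signature, not a real token).
function makeSampleRpt(payload) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const sampleRpt = makeSampleRpt({
  exp: 4102444800, // constructed expiry: 2100-01-01T00:00:00Z
  authorization: { permissions: [{ rsname: 'news', scopes: ['news:create'] }] },
});

console.log(rptGrants(sampleRpt, 'news', 'news:create'));
console.log(rptGrants(sampleRpt, 'news', 'news:delete'));
```
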

jonkoops commented 4 years ago

Hi @Y00sh00, we're trying to make Keycloak Angular a lightweight wrapper around keycloak-js. We might even deprecate the KeycloakService in future versions and create several smaller services for assorted functionalities such as events around the authentication state, etc.

Before considering adding this functionality to Keycloak Angular I would like to ask if this functionality is already present in keycloak-js itself. Is the KeycloakAuthorization class you are showing part of keycloak-js?

Y00sh00 commented 4 years ago

> Before considering adding this functionality to Keycloak Angular I would like to ask if this functionality is already present in keycloak-js itself. Is the KeycloakAuthorization class you are showing part of keycloak-js?

In the keycloak NPM dependency there are two files. keycloak.js is the Keycloak functionality that keycloak angular currently mostly wraps. There is also a keycloak-authz.js, which is Keycloak's Authz client intended for resource-based access control as documented here: https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_resources_api

The JavaScript portion of it is documented specifically here: https://www.keycloak.org/docs/latest/authorization_services/#_enforcer_js_adapter

The KeycloakAuthorization class is part of that.