Topics In Demand
Cloud Computing | Cyber Security & Privacy | Data Science & AI | Digital Transformation | Diversity And Inclusion | Engineering Research & Design | ESG & Sustainability | Future Of Work | Product/Startups |
Notification
New
See all

No notification found.

RBAC for frontend and backend using Keycloak
RBAC for frontend and backend using Keycloak
images
Opcito
@Opcito Technologies

September 2, 2022

Cyber Security & Privacy Data Privacy Data Privacy

262

0

User authentication is necessary to safeguard your organization's data and systems. Granting system/data access to a person that he is not supposed to access can be disastrous. Our study suggests that 82% of breaches are caused due to human elements such as misuse, errors, and social attacks. Organizations have seen a growth of 13% in ransomware breaches – more than the last five years combined. In a world where data security tops the list of priorities for any organization, you must take measures to confirm the authenticity of the user before they gain access to your network and systems.

Keycloak is a fantastic identity and access management solution that helps organizations safeguard their networks by providing RBAC. Let's dive deeper into Keycloak, look at how it supports RBAC, and learn how to set it up.

What is RBAC?

Role-based access control (RBAC) helps restrict users' network access based on their organisational role and clearance level. Not all employees have access to all company-wide information. RBAC manages information access, ensuring employees can access only the information that they are supposed to.

With RBAC, organizations can easily add or change roles across operating systems, platforms, and applications without the need for paperwork. Roles can be either assigned, or access can be taken off, especially to keep a tab on external third-party users. Factors like responsibility, authorization, and job competency play a significant role in deciding who gets access to what. RBAC is vital to organizations with many employees, those who employ third-party vendors, contractors, and external consultants.

In a day-to-day scenario, every system has an admin and users. Both have set roles and accesses. For this example, lets consider admin and employees. Users who log in as an admin should be able to add, edit or delete users. But for an employee, they won’t be able to update or delete other users. To make sure these roles and access stay functional you need RBAC.

Keycloak provides easy authentication mechanism for services and applications. It follows industry-specified protocols and supports SAML 2.0, OpenID Connect (OAuth 2.0 + Authentication Layer) & OAuth 2.0. It uses its user database but can also be integrated with existing user directories like LDAP servers and Active Directory.

Let's look at the steps to incorporate Keycloak for RBAC for frontend and backend.

Install & setup Keycloak 15.0.2

To start configuring the Keycloak settings for RBAC, install and set up Keycloak. This can be done either from the zip file or by using Docker.

Create Realm

Create a new Realm to start the RBAC configuration. A master Realm exists by default. You can add your test Realm by clicking on ‘add Realm.’ Add the Realm name and hit save.

Graphical user interface, text, application, email Description automatically generated

Create user role

Create a role "admin" inside the roles. Set this role as the default role for all employees. Now, click on the role, and select the default role tab. You will see the employee role inside the available roles. Click on the role and hit the add-selected button. Your role will be selected as the default role for registered employees.

Graphical user interface, application Description automatically generated

Create client

To handle the complete authorization, you will need two different clients. Let’s consider the first as a frontend client and the other as a backend client.

Setup frontend client

For this client, you must set a mapper to get user roles in the user info API after logging in. Select the client, go to the mappers tab, and then click on create.

Graphical user interface, application, email Description automatically generated

Select mappers type as user Realm role and make sure that your “Add to user info” option is enabled. All other settings like the main URL and logout URL will be the same.

Setup backend client

Create the new backend client by clicking on clients and then on create. Go inside the settings of that client and configure the below settings:

  • Client protocol must be OpenID-connect
  • Select access type as confidential
  • Enable the authorization tab

Graphical user interface, text, application, email Description automatically generated

A picture containing background pattern Description automatically generated

Save these settings, and a new authorization tab will appear on top.

Create scope

In the authorization tab, select the authorization scope and create some new scopes by clicking on create button. Example: scopes:list, scope:create

Graphical user interface, application Description automatically generated with medium confidence

Create resource

In the resource tab, create new resource res: employee by clicking on create. Add the resource name and then select the scopes you want to assign this resource with. Hit save to save changes.

Graphical user interface, application Description automatically generated

Create policies

Inside the authorization tab, select policies and click on create a new policy. Then select a role in the dropdown. Add the policy name as admin and select the realm role as admin. Hit save to save changes.

Graphical user interface, application Description automatically generated

Create permission

Go to the authorization tab and select permission. Click on the create permission dropdown and select the scope-based permission. Add a new permission with the name employee-create and set resource as res: employee. In scope, select scope: create. Make this change to set all the other permissions like list, update, and delete for employees. Now your backend client is ready to use.

Graphical user interface, text, application, email Description automatically generated

Handle permission in the web app

The Keycloak part is completed. You have configured permission for multiple actions. Now you need to use these permissions to enable and disable the action depending on permission. For example, if the user is an admin, they can do all CRUD operations of employees, but if they are not the admin, they can only list the employee. You need to check the user role and permission to achieve this. If it's not right, disable that particular action. You will need to disable the " add employee " button if there is no employee-create permission.

getUserPermissions() {return axios.get(http://localhost:8080/auth/admin/realms/{realmName}/clients/${backendCLIENTID}/authz/resource-server/policy/role/${policyRoleID}/dependentPolicies`); 
},

In the user info API call, you will get the user role, and with this above API call, you will get the permissions associated with that user role.

backendCLIENTID - Id of backend client that we created beforepolicyRoleID -"backendclient->authorization->policies->roles->admin"

On this path you will get the id of admin role policy.

The output of this API will be an array of objects which contain all the permissions. Now you can use those permissions to enable and disable the actions on your UI side. To enable and disable the actions, you can directly use the IF directive and check if the action is present in response or not.

This is it! You have successfully configured your web application's RBAC from the front-end and back-end. You can customize user roles, resources, and permissions as per the use case.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Opcito

Related blogs
See all
images

Exploring the Five Stages of a Succ...

Sneha Sharma

25

Cyber Security ..
27 May 2024
images

Navigating Change: Leadership Trans...

prajwal

18

IT Services
24 May 2024
images

How Data Loss Prevention (DLP) Solu...

GRAMAX Cybersec

7

Data Privacy
21 May 2024
images

Understanding SEO: A Comprehensive ...

technoprofiles

33

IT Services
20 May 2024
images

Continuous Integration in Software ...

Kovair Software

4

IT Services
20 May 2024
images

Secure Coding Techniques: Building ...

NeST Digital

5

Cyber Security ..
17 May 2024
images

VMware NSX Migration services: What...

calsoftinc

28

IT Services
17 May 2024
images

How Has Telemedicine Impacted Healt...

Larisa Albanians

7

Application
16 May 2024
images

WHY LLMS MAY (YET) FALL SHORT OF SA...

L&T Technology S..

8

Emerging Tech
16 May 2024
images

The Role of Data Consulting in Achi...

Tanya Gupta

5

Big Data Analyt..
15 May 2024
images

Cloud Cost Optimization: Maximizing...

Cyfuture

26

Cloud Computing
15 May 2024
images

How AI Supercharges End-to-End Proj...

QServices IT Solutio..

12

Project Managem..
15 May 2024
images
Exploring the Five Stages of a Successful CTEM Program
images
Sneha Sharma
@snsharma

27 May 2024

Cyber Security & Privacy Threat Intelligence

  The Continuous Threat Exposure Management or CTEM is a five-stage approach to continuously expose an organization's networks, systems, and assets to simulated attacks to identify vulnerabilities and weaknesses. This allows shifts from point-in-…

Read More

images
Secure Coding Techniques: Building Robust and Resilient Software
images
NeST Digital
@nestdigital

17 May 2024

Cyber Security & Privacy

Article Contents: Input Validation Parameterized Queries Authentication and Authorization Session Management Error Handling Secure Configuration Regular Updates and Patch Management Here’s a brief overview of the importance of secure coding…

Read More

images
WHY LLMS MAY (YET) FALL SHORT OF SAVING THE WORLD
images
L&T Techn..
@L&T Technology Services

16 May 2024

Emerging Tech Data Privacy Engineering Research & Design

Large Language Models (LLMs) took the world by storm after OpenAI launched its generative pretraining transformer (GPT) engine and debuted ChatGPT in November 2022. In just two months, ChatGPT achieved a significant milestone of 100 million weekly…

Read More

images
The Role of Data Consulting in Achieving Regulatory Compliance
images
Tanya Gupta
@tanyagupta

15 May 2024

Big Data Analytics Analytics Data Privacy Data Science & AI Community

Laws affect business processes, but serving customers in multiple geographies makes mitigating legal risks more challenging. However, a comprehensive examination of applicable frameworks and your enterprise’s exposure to non-compliance penalties…

Read More

images
Mission-critical embedded systems: High reliability for improved security (Part-2)
images
NeST Digital
@nestdigital

14 May 2024

Cyber Security & Privacy

  As we saw in part-1 of this article, high availability of mission critical systems translates to improved security and redundant boot mechanisms ensures high availability of embedded systems. Redundant boot mechanism – alternatives Once a…

Read More

images
AISecOps: The future of security operations is intelligent
images
Opcito Techno..
@Opcito Technologies

14 May 2024

AI Cyber Security & Privacy Data Privacy Data Privacy DevOps

The digital landscape is constantly evolving, and so are the threats we face. Traditional security operations, reliant on manual analysis and limited resources, need help to keep up with the ever-growing volume and sophistication of cyberattacks.…

Read More

About Us
Knowledge Center
In the News

© Copyright nasscom. All Rights Reserved.