Tags: spring, spring-boot, jwt, authorization, keycloak

Keycloak authorization on behalf of another user


I'm currently working on a spring boot application with Keycloak, in which users can reserve an office space or piece of hardware. I want to add the functionality for users to authorize other users to make a reservation on their behalf.

Scenario: Someone has a secretary who occasionally does their reservations for them. The secretary wants to make a reservation on behalf of her boss. The boss grants his/her secretary the rights to do so.

Is it possible with Keycloak to grant access to a user and allow them to do things on another user's behalf? If so, is there any documentation for this? (I have not been able to find any, just resource access sharing.) Or how do I go about implementing this?

Thanks in advance.


Solution

  • I think this is pretty much what you are looking for: https://github.com/ch4mpy/user-proxies

    You might have a look at these tutorials first: https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials

    When thinking UAA (User Authentication & authorization), resource access authorization on the authorization server sucks. I know, names can make things confusing. Still, the authorization server should be used for user authentication and resource access authorization should be made on the resource server using Spring Security.

    In the solution above:

    • Keycloak issues tokens containing user identity and proxies (what they were granted to do on behalf of whom). The solution I used there is based on a REST call during token issuance (a Keycloak "mapper" calls a web service to fetch the proxies for the user and adds them as a token private claim). A more efficient solution would be writing a plugin (with Keycloak SPI) to store these user proxies directly in Keycloak's database and save network calls.
    • Spring Security reads the token private claim and decides if the user can access the requested resource based on the user identity, the user proxies, and the accessed resource.
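The second bullet above, the resource-server side, as an added example. This is not code from the linked user-proxies repository or from the answer's author; it assumes a Spring Security 6 resource server that has already validated the Keycloak JWT, and it assumes (as a hypothetical layout) that the private claim is named `proxies` and holds a list of objects of the form `{"grantedBy": "<username>", "grants": ["reservation:create", ...]}`. The bean name `proxyAuthz`, the method `canActFor` and the grant string `reservation:create` are likewise assumptions chosen for this example.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/**
 * Hypothetical authorization bean (example only). It answers one question:
 * may the authenticated caller perform the given grant on behalf of the given user?
 *
 * Assumed private-claim layout put into the token by the Keycloak mapper:
 *   "proxies": [ { "grantedBy": "boss", "grants": ["reservation:create"] }, ... ]
 * The claim is trusted only because Spring's resource server has already
 * verified the token's signature and issuer before this code runs.
 */
@Component("proxyAuthz")
public class ProxyAuthorizer {

    static final String PROXIES_CLAIM = "proxies";       // assumed claim name
    static final String USERNAME_CLAIM = "preferred_username"; // Keycloak's default username claim

    public boolean canActFor(Authentication auth, String onBehalfOf, String grant) {
        if (!(auth instanceof JwtAuthenticationToken token) || onBehalfOf == null || grant == null) {
            return false;
        }
        Jwt jwt = token.getToken();
        String caller = jwt.getClaimAsString(USERNAME_CLAIM);

        // Acting for yourself never needs a proxy.
        if (Objects.equals(caller, onBehalfOf)) {
            return true;
        }

        // Otherwise the token must carry a proxy granted by exactly that user,
        // and that proxy must list exactly the grant being exercised.
        List<Map<String, Object>> proxies = jwt.getClaim(PROXIES_CLAIM);
        if (proxies == null) {
            return false;
        }
        return proxies.stream()
                .filter(p -> onBehalfOf.equals(p.get("grantedBy")))
                .anyMatch(p -> p.get("grants") instanceof List<?> grants && grants.contains(grant));
    }
}

/**
 * Example endpoint guarded by the bean above. The reservation is made for
 * `onBehalfOf`, but the record keeps the real actor (the token subject) as well,
 * so an audit trail shows "secretary reserved desk 12 for boss", not just "boss".
 */
@RestController
class ReservationController {

    @PostMapping("/reservations")
    @PreAuthorize("@proxyAuthz.canActFor(authentication, #onBehalfOf, 'reservation:create')")
    public ResponseEntity<String> reserve(Authentication auth,
                                          @RequestParam String onBehalfOf,
                                          @RequestParam String resourceId) {
        String actor = ((JwtAuthenticationToken) auth).getToken()
                .getClaimAsString(ProxyAuthorizer.USERNAME_CLAIM);
        // Persisting the reservation is out of scope for this example.
        return ResponseEntity.ok("reserved " + resourceId + " for " + onBehalfOf + " (actor: " + actor + ")");
    }
}
```

Two points worth checking when adapting this: the decision is made per grant and per principal, so a proxy granted for reservations does not silently cover other actions, and the grant check is done on the resource server from the token rather than by asking Keycloak again, which is the division of responsibility the answer argues for. If proxies can be revoked, keep access-token lifetimes short, because a revoked proxy stays valid until the token that carries it expires.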