Event Publisher enables event integration between Keycloak and OpenFGA

Article URL: https://github.com/embesozzi/keycloak-openfga-event-publisher Comments URL: https://news.ycombinator.com/item?id=47399437 Points: 7 # Comments: 1


This is a Keycloak extension that implements an Event Listener Provider to detect identity events and publish them to the OpenFGA server over HTTP, using the OpenFGA Java SDK. This extension allows for direct integration between Keycloak and OpenFGA.

OpenFGA is an open source solution for Fine-Grained Authorization that applies the concept of ReBAC (created by Auth0, inspired by Zanzibar).

The extension follows these steps:
Listens to the following Keycloak events based on Keycloak's own Identity, Role and Group model (e.g., User Role Assignment, Role to Role Assignment, etc.).
Converts these events into OpenFGA tuple keys based on the OpenFGA Authorization Schema.
This extension improves the Authorization Architecture described in the article Keycloak integration with OpenFGA (based on Zanzibar) for Fine-Grained Authorization at Scale (ReBAC) by enabling direct event synchronization between the Access Manager Platform and the OpenFGA Server.

A brief introduction of the new simplified Authorization Architecture is as follows:
The main purpose of this SPI is to listen to the Keycloak events and publish these events to an OpenFGA solution.

Here is a high level overview of the extension:
In this case, the extension listens to the Admin Events related to operations on the Keycloak Identity, Role and Group model.

So far, the extension proceeds with the following steps:
These are all the OpenFGA events handled by the provided keycloak-openfga-authorization-model.

You can edit the authorization model to handle the desired events.

Publishes the ClientWriteRequest object to the OpenFGA server over an HTTP request, fgaClient.write(request), with the OpenFGA SDK client.
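The event-to-tuple mapping and the write request described in the steps above, as an added example that is not the extension's own code. It assumes an authorization model with types user, role and group and relations assignee and member (the page names the model but not its types or relations, so these are hypothetical), and it models Keycloak admin events with a small constructed AdminEvent class. It builds the JSON body of OpenFGA's POST /stores/{store_id}/write endpoint rather than calling the Java SDK, so it runs offline; DELETE events are mirrored as deletes, which is what keeps a role or group revocation in Keycloak from leaving a stale grant in OpenFGA.

```python
import json
import re
from dataclasses import dataclass

# Hypothetical relation names: the page names keycloak-openfga-authorization-model
# but not its types or relations, so adjust these to the model you deploy.
ROLE_ASSIGNEE = "assignee"   # user -> role, and role#assignee -> role for composites
GROUP_MEMBER = "member"      # user -> group

# Keycloak admin-event resource paths for the handled operations.
USER_REALM_ROLE = re.compile(r"^users/([^/]+)/role-mappings/realm$")
USER_GROUP = re.compile(r"^users/([^/]+)/groups/([^/]+)$")
ROLE_COMPOSITE = re.compile(r"^roles-by-id/([^/]+)/composites$")


@dataclass(frozen=True)
class TupleKey:
    user: str
    relation: str
    object: str

    def to_api(self) -> dict:
        return {"user": self.user, "relation": self.relation, "object": self.object}


@dataclass
class AdminEvent:
    """Constructed stand-in for the Keycloak AdminEvent fields the mapping needs."""
    resource_type: str        # REALM_ROLE_MAPPING, GROUP_MEMBERSHIP, REALM_ROLE, ...
    operation_type: str       # CREATE, UPDATE or DELETE
    resource_path: str
    representation: str = ""  # JSON body of the admin request, as Keycloak records it


def tuples_for_event(event: AdminEvent) -> list[TupleKey]:
    """Map one admin event to OpenFGA tuple keys; unhandled events map to []."""
    if event.resource_type == "REALM_ROLE_MAPPING":
        m = USER_REALM_ROLE.match(event.resource_path)
        if not m:
            return []
        roles = json.loads(event.representation or "[]")
        return [TupleKey(f"user:{m.group(1)}", ROLE_ASSIGNEE, f"role:{r['id']}") for r in roles]
    if event.resource_type == "GROUP_MEMBERSHIP":
        m = USER_GROUP.match(event.resource_path)
        if not m:
            return []
        return [TupleKey(f"user:{m.group(1)}", GROUP_MEMBER, f"group:{m.group(2)}")]
    if event.resource_type == "REALM_ROLE":
        m = ROLE_COMPOSITE.match(event.resource_path)
        if not m:
            return []
        parent = m.group(1)
        children = json.loads(event.representation or "[]")
        # Composite role: every assignee of the parent is an assignee of each child.
        return [TupleKey(f"role:{parent}#{ROLE_ASSIGNEE}", ROLE_ASSIGNEE, f"role:{c['id']}")
                for c in children]
    return []


def build_write_body(events, authorization_model_id=None) -> dict:
    """Build the JSON body for POST /stores/{store_id}/write.

    CREATE events become writes and DELETE events become deletes. Events are
    applied in order: a later event that reverses an earlier one in the same
    batch nets out, and a repeated key is added once, because OpenFGA rejects
    a request that lists the same tuple key twice.
    """
    writes, deletes = [], []
    for ev in events:
        if ev.operation_type == "CREATE":
            bucket, other = writes, deletes
        elif ev.operation_type == "DELETE":
            bucket, other = deletes, writes
        else:
            continue
        for key in tuples_for_event(ev):
            if key in other:
                other.remove(key)
            elif key not in bucket:
                bucket.append(key)
    body = {}
    if writes:
        body["writes"] = {"tuple_keys": [k.to_api() for k in writes]}
    if deletes:
        body["deletes"] = {"tuple_keys": [k.to_api() for k in deletes]}
    if authorization_model_id:
        body["authorization_model_id"] = authorization_model_id
    return body


def demo() -> dict:
    """Constructed sample events: assign a role, add a group, nest a role, revoke the role."""
    events = [
        AdminEvent("REALM_ROLE_MAPPING", "CREATE", "users/u-1/role-mappings/realm",
                   json.dumps([{"id": "r-admin", "name": "admin"}])),
        AdminEvent("GROUP_MEMBERSHIP", "CREATE", "users/u-1/groups/g-ops"),
        AdminEvent("REALM_ROLE", "CREATE", "roles-by-id/r-admin/composites",
                   json.dumps([{"id": "r-viewer", "name": "viewer"}])),
        AdminEvent("REALM_ROLE_MAPPING", "DELETE", "users/u-1/role-mappings/realm",
                   json.dumps([{"id": "r-admin", "name": "admin"}])),
        AdminEvent("USER", "UPDATE", "users/u-1"),  # not handled: yields no tuples
    ]
    return build_write_body(events, authorization_model_id="MODEL-ID-PLACEHOLDER")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

OpenFGA also returns an error when a write targets a tuple that already exists or a delete targets one that does not, so a listener that may redeliver events needs a replay strategy (for example, reading the tuple first or treating that specific error as already applied) rather than failing the whole batch.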

Download a release (*.jar file) that works with your Keycloak version from the list of releases.

Or you can build it with: mvn clean package
Follow the below instructions depending on your distribution and runtime environment.

Copy the jar to the providers folder and execute the following command:
For Docker-based setups mount or copy the jar to
With the release of Keycloak 17 the Quarkus-based distribution is now fully supported by the Keycloak team.

Therefore, I have not tested this extension in the Wildfly-based distro ❗
The following properties can be set via environment variables following the Keycloak specs, so each variable MUST use the prefix KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_PUBLISHER.

KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_PUBLISHER_API_URL: The openfgaApiUrl is the URI of the OpenFGA Server.

If this variable is empty, the extension will use the default value http://openfga:8080, for demo purposes only.

Optional KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_PUBLISHER__STORE_ID and KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_PUBLISHER_AUTHORIZATION_MODEL_ID: The openfgaStoreId and the openfgaAuthorizationModelId are the store and authorization model identifiers in the OpenFGA server.

If not provided, the extension will attempt to discover them.

You may want to check docker-compose.yml as an example.

Enable the Keycloak OpenFGA Event Listener extension in Keycloak:
The test cases are available in the workshop:

Source: This article was originally published by Hacker News
