Here is a Custom Event Listener Extension known as Service Provider Interfaces (SPI) which helps to integrate Keycloak and OpenFGA. OpenFGA is an open source solution for Fine-Grained Authorization that applies the concept of ReBAC (created by the Auth0 inspired by Zanzibar).
The SPI implements these steps:
-
listens to the following Keycloak events based on his own Identity, Role and Group model (e.g., User Role Assignment, Role to Role Assignment, etc)
-
converts this event into an OpenFGA tuple based on the following OpenFGA Authorization Schema:
- publishes the event to Kafka. Kafka is a messaging system that safely moves data between systems. When an event has published an OpenFGA Kafka consumer sends the event to the OpenFGA solution.
This custom Keycloak OpenFGA Event Listener [Diagram Point B] is one of the components described in following links:
🖖 Workshop https://github.com/embesozzi/keycloak-openfga-workshop
A brief introduction is described here:
- Core:
- Keycloak [A] is responsible for handling the authentication with the standard OpenID Connect and is managing the user access with his Role Model
- Keycloak is configured with a custom extension 🚀 [B] keycloak-openfga-event-listener which listens to the Keycloak events (User Role Assignment, Role to Role Assignment, etc), parses this event into an OpenFGA tuple based on the Keycloak Authz Schema and publishes the event to Kafka Cluster [C]
- Kafka OpenFGA Consumer [D] that using the OpenFGA SDK will publish the tuples to the OpenFGA Solution
- OpenFGA [E] is responsible for applying fine-grained access control. The OpenFGA service answers authorization checks by determining whether a relationship exists between an object and a user
- Other components
- Store Web Application is integrated with Keycloak by OpenID Connect
- Store API is protected by OAuth 2.0 and it utilizes the OpenFGA SDK for FGA
The main purpose of this SPI is to listen to the Keycloak events and publish these events to an OpenFGA solution.
Here is a high level overview of the extension:
In this case, the extension listens to the Admin Events related to operation in Keycloak Identity, Role and Group model. So far, the extension proceeds with the following steps:
- Parse and enrich the default Keycloak events in the following cases:
Keycloak Event (Friendly Name) | Description |
---|---|
User Role Assignment | User is assigned to a Keycloak Role |
Role To Role Assignment | Role is assigned to a parent Keycloak Role |
Group To Role Assignment | Group is assigned to a Keycloak Role |
User Group Membership | User is assigned to a Group |
- Transform the Keycloak event into a OpenFGA tuple and check if that is handled by keycloak-openfga-authorization-model:
Keycloak Event (Friendly Name) | OpenFGA Tuple Event |
---|---|
User Role Assignment | User related to the object Role as assignee |
Role To Role Assignment | Role related to the object Role as parent |
Group To Role Assignment | Group related to the object Role as parent group |
User Group Membership | User related to a Group as assignee |
This is all the OpenFGA events handled by the provided keycloak-openfga-authorization-model. You can edit the authorization model to handle the desired events.
- Publish the event to the Kafka Cluster
So far we don’t have an official Java SDK OpenFGA client to publish the authorization tuples to the OpenFGA. The extension is prepared for the future to use a http client for publishing the events. I will add the feature to the extension as soon as Auth0 releases a Java OpenFGA SDK.
Download a release (*.jar file) that works with your Keycloak version from the list of releases.
Or you can build with bash mvn clean package
Follow the below instructions depending on your distribution and runtime environment.
Copy the jar to the providers
folder and execute the following command:
${kc.home.dir}/bin/kc.sh build
For Docker-based setups mount or copy the jar to
/opt/keycloak/providers
for Keycloak.X from version15.1.0
Warning:
With the release of Keycloak 17 the Quarkus-based distribution is now fully supported by the Keycloak team. Therefore, I have not tested this extension in Wildfly-based distro ❗ ️
The following properties can be set via environment variables following the Keycloak specs, thus each variable MUST use the prefix KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS
.
-
KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_AUTHORIZATION_MODEL
: TheauthorizationModel
handled by this module. See keycloak-openfga-authorization-model -
KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_SERVICE_HANDLER_NAME
: TheserviceHandlerName
is the name of the service for publishing the events. This version only supports the value:KAFKA
-
KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_ADMIN_TOPIC
: TheadminTopic
is the name of the kafka topic to where the OpenFGA tuple events will be produced to. -
KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_CLIENT_ID
: TheclientId
used to identify the client in Kafka. -
KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_BOOTSTRAP_SERVERS
: ThebootstrapServers
is a comma separated list of available brokers.
You may want to check docker-compose.yml as an example.
Enable the Keycloak OpenFGA Event Listener extension in Keycloak:
- Open administration console
- Choose realm
- Realm settings
- Select
Events
tab and addopenfga-events
to Event Listeners.
The test cases are available in the workshop: