graphback icon indicating copy to clipboard operation
graphback copied to clipboard

Published 20 hours ago verified publisher icon aerogear

Keycloak Relationship Authorization requires config to be applied on M:1 (opposite) side

Open craicoverflow opened this issue 4 years ago • 7 comments

  • Module: @graphback/keycloak-authz
  • Version: 1.0.0-beta*

According to the Keycloak-Authz Relationship Authorization documentation I can apply authorization restrictions on one-to-many fields, like the example below:

const authConfig = {
  Task: {
    relations: {
      taskUsers: { roles: ['admin'] }
      allTasksComments: { roles: ['commenter'] }
    },
},

Take a look at my auth config below. Note.comments is a one-to-many field.

const authConfig: CrudServicesAuthConfig = {
  Note: {
    ...,
    relations: {
      // Note.comments oneToMany field
      comments: { roles: ['super_admin'] }
    }
  }
}

Datamodel:

""" @model """
type Note {
  """ @id """
  _id: ID!
  title: String!
  description: String
  """
  @oneToMany(field: 'note')
  """
  comments: [Comment]!
}

""" @model """
type Comment {
  """ @id """
  _id: ID!
  text: String
  description: String
}

However I am able to retrieve the comments relation data without any user privileges.

Upon inspection of the KeycloakCrudService, it is comparing the relationField parameter to comments, but this parameter is noteId (as it is in CRUDService), so the auth check is never executed.

https://github.com/aerogear/graphback/blob/315bce80131d3838604acb952450f36d0c1bd40c/packages/graphback-keycloak-authz/src/KeycloakCrudService.ts#L160-L162

To get it to work I would need to do:

Comment: {
  relations: {
    noteId: { roles: ['super_admin'] }
  }
}

Is this a bug or a docs issue?

craicoverflow avatar Sep 22 '20 08:09 craicoverflow

Automatically generated comment to notify maintainers /cc @machi1990, @wtrocki

machi1990 avatar Sep 22 '20 08:09 machi1990

@craicoverflow update docs

craicoverflow avatar Sep 22 '20 09:09 craicoverflow

Temporary fix added in #2101

craicoverflow avatar Sep 22 '20 13:09 craicoverflow

@craicoverflow thanks. Looks like the fix just landed in master. What I see here:

  • Either close the issue as now everything works as designed
  • Change issue title to what would be desirable way of doing things.

/cc @wtrocki

machi1990 avatar Sep 22 '20 14:09 machi1990

I would love to get back to it once 1.0 dust will settle.

wtrocki avatar Sep 22 '20 14:09 wtrocki

Has this issue been fixed as mentioned by @craicoverflow in #2101? If not then what more needs to be done?

RinkiyaKeDad avatar Oct 19 '20 14:10 RinkiyaKeDad

Hi @RinkiyaKeDad - this is not fixed yet. The description already covers what is required to do this, and to be honest it is not an easy fix at all, as yet we are unsure how it can be fixed. You can give it a go, but there are probably better issues to take for now.

craicoverflow avatar Oct 19 '20 14:10 craicoverflow