Safe Haskell: None



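This module helps you manage resource authorization with Keycloak.

In the Keycloak client settings, activate "Authorization Enabled" and set "Valid Redirect URIs" to "*". Then create your scopes, policies and permissions in the Authorization tab. If you are unsure, set the "Policy Enforcement Mode" to permissive, so that a resource with no policy attached gets a positive permission. Both settings are wide open: the "*" wildcard places no restriction on redirect URIs, and permissive mode grants every resource that lacks a policy, so narrow the redirect URIs and switch to enforcing mode once your policies are in place.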

The example below shows how to retrieve a token from Keycloak, and then retrieve the permissions of a user on a specific resource.

-- Let's get a token for a specific user login/password
userToken <- getJWT "demo" "demo"

-- Can I access this resource?
isAuth <- isAuthorized resId (ScopeName "view") userToken

liftIO $ putStrLn $ "User demo can access resource demo: " ++ (show isAuth)

-- We can also retrieve all the permissions for our user.
perms <- getPermissions [PermReq Nothing [ScopeName "view"]] userToken

liftIO $ putStrLn $ "All permissions: " ++ (show perms)


isAuthorized :: ResourceId -> ScopeName -> JWT -> Keycloak Bool

Returns true if the resource is authorized under the given scope.

getPermissions :: [PermReq] -> JWT -> Keycloak [Permission]

Returns the permissions for the given permission requests.

checkPermission :: ResourceId -> ScopeName -> JWT -> Keycloak ()

Checks whether a scope is permitted on a resource. An HTTP 403 exception is thrown if it is not.


createResource :: Resource -> JWT -> Keycloak ResourceId

Create an authorization resource in Keycloak, under the configured client.

deleteResource :: ResourceId -> JWT -> Keycloak ()

Deletes the resource.

deleteAllResources :: JWT -> Keycloak ()

Deletes all resources in Keycloak.

getResource :: ResourceId -> JWT -> Keycloak Resource

Gets a single resource.

getAllResourceIds :: Keycloak [ResourceId]

Gets all resource IDs.
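
Because permissive mode grants any resource that has no policy, it is worth listing what a low-privilege token is actually granted before relying on the setup. The following is an added example, not part of the library's documentation: it combines getAllResourceIds and isAuthorized from this page, and it assumes those functions and types are exported by a module named Keycloak (the names grantedScopes, accessMatrix and unexpectedGrants are hypothetical helpers).

```haskell
-- Added example, not code from the keycloak-hs project.
-- Assumption: the functions and types documented on this page are exported
-- by a module named Keycloak; adjust the import to your package version.
import Control.Monad (filterM, forM)
import Keycloak

-- | Scopes from the given list that the token holder is granted on one
-- resource. isAuthorized returns False on denial, so a denial does not
-- abort the audit; other failures (network, bad token) still propagate.
grantedScopes :: [ScopeName] -> JWT -> ResourceId -> Keycloak [ScopeName]
grantedScopes scopes tok rid = filterM (\s -> isAuthorized rid s tok) scopes

-- | For every resource of the configured client, the scopes granted to
-- the token holder.
accessMatrix :: [ScopeName] -> JWT -> Keycloak [(ResourceId, [ScopeName])]
accessMatrix scopes tok = do
  rids <- getAllResourceIds
  forM rids $ \rid -> do
    granted <- grantedScopes scopes tok rid
    pure (rid, granted)

-- | Only the resources on which at least one scope is granted. Run with a
-- token for a user who should have no access: in permissive mode, every
-- entry returned points at a resource that is missing a policy (or at a
-- policy that is broader than intended).
unexpectedGrants :: [ScopeName] -> JWT -> Keycloak [(ResourceId, [ScopeName])]
unexpectedGrants scopes tok =
  filter (not . null . snd) <$> accessMatrix scopes tok

-- Usage inside the Keycloak monad, reusing the login from the example above:
--   tok    <- getJWT "demo" "demo"
--   grants <- unexpectedGrants [ScopeName "view"] tok
```

This issues one authorization request per resource and scope pair, so it suits a test or audit run rather than a request path.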